Diffstat (limited to 'ui/routes/(swatch)/.swatch')
| -rw-r--r-- | ui/routes/(swatch)/.swatch/Message/+page.svelte | 38 | ||||
| -rw-r--r-- | ui/routes/(swatch)/.swatch/MessageRun/+page.svelte | 47 |
2 files changed, 69 insertions, 16 deletions
diff --git a/ui/routes/(swatch)/.swatch/Message/+page.svelte b/ui/routes/(swatch)/.swatch/Message/+page.svelte
index 6fd9b6b..6faf3bc 100644
--- a/ui/routes/(swatch)/.swatch/Message/+page.svelte
+++ b/ui/routes/(swatch)/.swatch/Message/+page.svelte
@@ -2,6 +2,7 @@
 import { DateTime } from 'luxon';
 import EventCapture from '$lib/swatch/event-capture.svelte.js';
+ import { render } from '$lib/markdown.js';
 import Message from '$lib/components/Message.svelte';
 import EventLog from '$lib/components/swatch/EventLog.svelte';
@@ -11,10 +12,37 @@
 // Astonishingly, `DateTime.fromISO` does not throw on invalid inputs. It generates an "Invalid
 // DateTime" sentinel value, instead.
 let at = $derived(DateTime.fromISO(atInput));
- let renderedBody = $state(
- '<p>Lorem ipsum <code>dolor</code> sit amet, consectetur adipiscing elit. Nunc quis ante ac leo tristique iaculis vel in tortor. Praesent sed interdum ipsum. Pellentesque blandit, sapien at mattis facilisis, leo mi gravida erat, in euismod mi lectus non dui. Praesent at justo vel mauris pulvinar sodales ut sed nisl. Aliquam aliquet justo vel cursus imperdiet. Suspendisse potenti. Duis varius tortor finibus, rutrum justo ac, tincidunt enim.</p>\n' +
- '<p>Donec velit dui, bibendum a augue sit amet, tempus condimentum neque. Integer nibh tortor, imperdiet at aliquet eu, rutrum eget ligula. Donec porttitor nisi lacus, eu bibendum augue maximus eget. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Maecenas in est eget lectus dapibus tincidunt. Ut ut nisi egestas, posuere libero laoreet, venenatis erat. Nulla maximus, nisl eget interdum ornare, enim turpis semper ligula, sed ultricies sem sem quis arcu. Ut a dapibus augue. Pellentesque nec tincidunt sem.</p>',
+ let renderedBodyInput = $state(
+ `Lorem ipsum \`dolor\` sit amet, consectetur adipiscing elit. Nunc quis ante ac leo tristique
+iaculis vel in tortor. Praesent sed interdum ipsum. Pellentesque blandit, sapien at mattis
+facilisis, leo mi gravida erat, in euismod mi lectus non dui. Praesent at justo vel mauris pulvinar
+sodales ut sed nisl. Aliquam aliquet justo vel cursus imperdiet. Suspendisse potenti. Duis varius
+tortor finibus, rutrum justo ac, tincidunt enim.
+
+Donec velit dui, bibendum a augue sit amet, tempus condimentum neque. Integer nibh tortor, imperdiet
+at aliquet eu, rutrum eget ligula. Donec porttitor nisi lacus, eu bibendum augue maximus eget. Class
+aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Maecenas in
+est eget lectus dapibus tincidunt. Ut ut nisi egestas, posuere libero laoreet, venenatis erat. Nulla
+maximus, nisl eget interdum ornare, enim turpis semper ligula, sed ultricies sem sem quis arcu. Ut a
+dapibus augue. Pellentesque nec tincidunt sem.
+`,
 );
+ /*
+ * Even though `Message` is notionally a generic container for markup, we restrict the swatch to
+ * message-flavoured Markdown. Swatches are available to all users, including
+ * technically-unsophisticated ones, and anything rendered in a swatch runs in the same origin
+ * context and the same cookie context as the rest of the client.
+ *
+ * This makes it possible that a user would be persuaded to enter something into a swatch that
+ * then runs _as them_, interacting with Pilcrow via its API or accessing client-stored data.
+ *
+ * As a proof of concept, `<img src="x" onerror="console.log('oh no')">` should not run the log
+ * statement. With generic HTML entry, it would do so. With our markdown processing, it does not
+ * (the `onerror` attribute is removed). Similarly, `script` elements are prohibited.
+ *
+ * Users who want to experiment with free HTML are encouraged to edit the swatch for themselves.
+ */
+ let renderedBody = $derived(render(renderedBodyInput));
 let editable = $state(true);
 let cssClass = $state('');
@@ -47,8 +75,8 @@
 <label>editable <input type="checkbox" bind:checked={editable} /></label>
 <label
- ><p>rendered body (html)</p>
- <textarea class="html" bind:value={renderedBody}></textarea>
+ ><p>rendered body (markdown)</p>
+ <textarea class="html" bind:value={renderedBodyInput}></textarea>
 </label>
 </div>
diff --git a/ui/routes/(swatch)/.swatch/MessageRun/+page.svelte b/ui/routes/(swatch)/.swatch/MessageRun/+page.svelte
index a8c8853..34118ec 100644
--- a/ui/routes/(swatch)/.swatch/MessageRun/+page.svelte
+++ b/ui/routes/(swatch)/.swatch/MessageRun/+page.svelte
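Review bot: The safety argument in the new comment block rests on `render` from `$lib/markdown.js` stripping `onerror` and rejecting `script` elements, but nothing in this change pins that behaviour, and the sanitizer itself is outside this diff. Because `renderedBody` is now `$derived(render(renderedBodyInput))` from a free-text textarea, a regression in that module would silently turn this swatch back into the HTML entry point the comment warns about. I would back the comment with a test of `render` asserting that the quoted proof-of-concept comes out without an `onerror` attribute and that `script` content is dropped, and point to it from the comment, e.g. `* That stripping is asserted in <markdown sanitizer test — path TBD>; keep it in step with this note.`. How `Message` consumes `renderedBody` (presumably as raw HTML) is outside the hunk.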
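Review bot: The label text changes to `rendered body (markdown)` but the textarea keeps `class="html"`, so the markup and its styling hook now disagree about what the field holds. If the class only selects a monospace or sizing rule, renaming it (with the matching selector, which is outside this hunk) or adding `<!-- class="html" is only a layout style; this field takes Markdown -->` would stop the next reader from assuming raw HTML is accepted here. If the class is shared across swatches, a note saying so is enough.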
@@ -1,12 +1,41 @@
 <script>
+ import { DateTime } from 'luxon';
+
+ import { render } from '$lib/markdown.js';
+ import MessageRun from '$lib/components/MessageRun.svelte';
+ import Message from '$lib/components/Message.svelte';
 let sender = $state('wlonk');
 let cssClass = $state('own-message');
- let children = $state(
- '<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nunc quis ante ac leo tristique iaculis vel in tortor. Praesent sed interdum ipsum. Pellentesque blandit, sapien at mattis facilisis, leo mi gravida erat, in euismod mi lectus non dui. Praesent at justo vel mauris pulvinar sodales ut sed nisl. Aliquam aliquet justo vel cursus imperdiet. Suspendisse potenti. Duis varius tortor finibus, rutrum justo ac, tincidunt enim.</p>\n' +
- '<p>Donec velit dui, bibendum a augue sit amet, tempus condimentum neque. Integer nibh tortor, imperdiet at aliquet eu, rutrum eget ligula. Donec porttitor nisi lacus, eu bibendum augue maximus eget. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Maecenas in est eget lectus dapibus tincidunt. Ut ut nisi egestas, posuere libero laoreet, venenatis erat. Nulla maximus, nisl eget interdum ornare, enim turpis semper ligula, sed ultricies sem sem quis arcu. Ut a dapibus augue. Pellentesque nec tincidunt sem.</p>',
- );
+
+ /*
+ * Even though `MessageRun` is notionally a generic container for markup, we restrict the swatch
+ * to precomosed test messages. Swatches are available to all users, including
+ * technically-unsophisticated ones, and anything rendered in a swatch runs in the same origin
+ * context and the same cookie context as the rest of the client.
+ *
+ * This makes it possible that a user would be persuaded to enter something into a swatch that
+ * then runs _as them_, interacting with Pilcrow via its API or accessing client-stored data.
+ *
+ * As a proof of concept, `<img src="x" onerror="console.log('oh no')">` should not run the log
+ * statement. With generic HTML entry, it would do so.
+ *
+ * Users who want to experiment with free HTML are encouraged to edit the swatch for themselves.
+ */
+ let messages = [
+ `Lorem ipsum \`dolor\` sit amet, consectetur adipiscing elit. Nunc quis ante ac leo tristique
+iaculis vel in tortor. Praesent sed interdum ipsum. Pellentesque blandit, sapien at mattis
+facilisis, leo mi gravida erat, in euismod mi lectus non dui. Praesent at justo vel mauris pulvinar
+sodales ut sed nisl. Aliquam aliquet justo vel cursus imperdiet. Suspendisse potenti. Duis varius
+tortor finibus, rutrum justo ac, tincidunt enim.`,
+ `Donec velit dui, bibendum a augue sit amet, tempus condimentum neque. Integer nibh tortor,
+imperdiet at aliquet eu, rutrum eget ligula. Donec porttitor nisi lacus, eu bibendum augue maximus
+eget. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos.
+Maecenas in est eget lectus dapibus tincidunt. Ut ut nisi egestas, posuere libero laoreet, venenatis
+erat. Nulla maximus, nisl eget interdum ornare, enim turpis semper ligula, sed ultricies sem sem
+quis arcu. Ut a dapibus augue. Pellentesque nec tincidunt sem.`,
+ ];
 </script>
 <h1><code>MessageRun</code></h1>
@@ -23,18 +52,14 @@
 <button onclick={() => (cssClass = 'own-message')}>own-message</button>
 <button onclick={() => (cssClass = 'other-message')}>other-message</button>
 </div>
-
- <label
- ><p>children (html)</p>
- <textarea class="html" bind:value={children}></textarea>
- </label>
 </div>
 <h2>rendered</h2>
 <div class="component-preview">
 <MessageRun {sender} class={cssClass}>
- <!-- eslint-disable-next-line svelte/no-at-html-tags -->
- {@html children}
+ {#each messages.entries() as [index, message]}
+ <Message id="Mplaceholder-{index}" at={DateTime.now()} renderedBody={render(message)} />
+ {/each}
 </MessageRun>
 </div> |
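Review bot: The new comment has a typo, `precomosed` → `precomposed`, and compared with the `Message` swatch's version it drops the sentence that justifies the `onerror` proof-of-concept, so `should not run the log statement` is asserted without saying why it holds here. Since this swatch no longer offers any text entry (the textarea is removed in the next hunk), the reason is that the input is fixed and still goes through `render`; I would say so: `* statement. With generic HTML entry, it would do so; here the messages are fixed fixtures and pass through the Markdown renderer.`. `messages` is also a plain `let` rather than `$state`, which is fine for a constant list but worth a word given the rest of the script is reactive, e.g. `// Fixed fixtures; not $state because the swatch has no control that edits them.`.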
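Review bot: Removing `{@html children}` and its eslint suppression from this file does not remove the raw-HTML sink from the path; `renderedBody={render(message)}` hands rendered HTML to `Message`, which presumably still injects it (that component is outside this diff). It is worth making the boundary explicit at the call site so a later edit does not route something around `render`, e.g. `<!-- render() is the sanitisation boundary: only its output may be passed as renderedBody -->`. Stylistically, `render(message)` and `DateTime.now()` are computed inline in the template while the `Message` swatch precomputes `renderedBody` in the script; a `const now = DateTime.now();` and a pre-rendered array in `<script>` would match that and give every placeholder the same timestamp.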
