|
| 1 | +use ammonia::Builder; |
1 | 2 | use pulldown_cmark::{html, Options, Parser}; |
| 3 | +use std::sync::OnceLock; |
2 | 4 |
|
3 | | -pub fn render_markdown(markdown: &str) -> String { |
4 | | - let mut options = Options::empty(); |
5 | | - options.insert(Options::ENABLE_STRIKETHROUGH); |
6 | | - options.insert(Options::ENABLE_TABLES); |
7 | | - options.insert(Options::ENABLE_TASKLISTS); |
8 | | - options.insert(Options::ENABLE_FOOTNOTES); |
| 5 | +/// Pre-configured ammonia sanitizer + pulldown-cmark option set. Cached in |
| 6 | +/// a `OnceLock` so every render reuses the same configured `Builder` rather |
| 7 | +/// than rebuilding the allowed-tag and allowed-attribute sets on each call. |
| 8 | +static SANITIZER: OnceLock<Builder<'static>> = OnceLock::new(); |
| 9 | +static MARKDOWN_OPTIONS: OnceLock<Options> = OnceLock::new(); |
| 10 | + |
| 11 | +fn sanitizer() -> &'static Builder<'static> { |
| 12 | + SANITIZER.get_or_init(Builder::default) |
| 13 | +} |
9 | 14 |
|
10 | | - let parser = Parser::new_ext(markdown, options); |
| 15 | +fn markdown_options() -> Options { |
| 16 | + *MARKDOWN_OPTIONS.get_or_init(|| { |
| 17 | + let mut options = Options::empty(); |
| 18 | + options.insert(Options::ENABLE_STRIKETHROUGH); |
| 19 | + options.insert(Options::ENABLE_TABLES); |
| 20 | + options.insert(Options::ENABLE_TASKLISTS); |
| 21 | + options.insert(Options::ENABLE_FOOTNOTES); |
| 22 | + options |
| 23 | + }) |
| 24 | +} |
| 25 | + |
| 26 | +pub fn render_markdown(markdown: &str) -> String { |
| 27 | + let parser = Parser::new_ext(markdown, markdown_options()); |
11 | 28 | let mut html_output = String::new(); |
12 | 29 | html::push_html(&mut html_output, parser); |
13 | | - ammonia::clean(&html_output) |
| 30 | + sanitizer().clean(&html_output).to_string() |
| 31 | +} |
| 32 | + |
| 33 | +/// Escape a string for safe insertion into HTML text / attribute context. |
| 34 | +/// Single-pass, allocates once with a best-effort capacity estimate. Mirrors |
| 35 | +/// the old five-chained-`.replace()` behaviour but avoids building four |
| 36 | +/// throw-away intermediate strings per call. |
| 37 | +pub fn escape_html(raw: &str) -> String { |
| 38 | + let mut out = String::with_capacity(raw.len()); |
| 39 | + for c in raw.chars() { |
| 40 | + match c { |
| 41 | + '&' => out.push_str("&"), |
| 42 | + '<' => out.push_str("<"), |
| 43 | + '>' => out.push_str(">"), |
| 44 | + '"' => out.push_str("""), |
| 45 | + '\'' => out.push_str("'"), |
| 46 | + _ => out.push(c), |
| 47 | + } |
| 48 | + } |
| 49 | + out |
| 50 | +} |
| 51 | + |
| 52 | +#[cfg(test)] |
| 53 | +mod tests { |
| 54 | + use super::*; |
| 55 | + |
| 56 | + #[test] |
| 57 | + fn escape_html_replaces_specials() { |
| 58 | + assert_eq!( |
| 59 | + escape_html("<a href=\"x\">O'Reilly & Sons</a>"), |
| 60 | + "<a href="x">O'Reilly & Sons</a>" |
| 61 | + ); |
| 62 | + } |
| 63 | + |
| 64 | + #[test] |
| 65 | + fn escape_html_passes_through_plain_text() { |
| 66 | + let s = "Hello, world!"; |
| 67 | + assert_eq!(escape_html(s), s); |
| 68 | + } |
| 69 | + |
| 70 | + #[test] |
| 71 | + fn render_markdown_sanitizes_script_tags() { |
| 72 | + let raw = "Hello <script>alert('x')</script> world"; |
| 73 | + let out = render_markdown(raw); |
| 74 | + assert!(!out.contains("<script"), "rendered output: {out}"); |
| 75 | + } |
14 | 76 | } |
0 commit comments