Add markdown rendering options to the sqlpage configuration

Author: lovasoa

configuration.md

@@ -34,6 +34,8 @@ Here are the available configuration options and their default values:
 | `content_security_policy`                     | `script-src 'self' 'nonce-XXX` | The [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) to set in the HTTP headers. If you get CSP errors in the browser console, you can set this to the empty string to disable CSP. |
 | `system_root_ca_certificates`                 | false                                                      | Whether to use the system root CA certificates to validate SSL certificates when making http requests with `sqlpage.fetch`. If set to false, SQLPage will use its own set of root CA certificates. If the `SSL_CERT_FILE` or `SSL_CERT_DIR` environment variables are set, they will be used instead of the system root CA certificates. |
 | `max_recursion_depth`                         | 10                                                           | Maximum depth of recursion allowed in the `run_sql` function. Maximum value is 255. |
+| `markdown_allow_dangerous_html`               | false                                                        | Whether to allow raw HTML in markdown content. When disabled, HTML tags will be escaped. |
+| `markdown_allow_dangerous_protocol`           | false                                                        | Whether to allow dangerous protocols (like javascript:) in markdown links. When disabled, only safe protocols are allowed. |
 
 Multiple configuration file formats are supported:
 you can use a [`.json5`](https://json5.org/) file, a [`.toml`](https://toml.io/) file, or a [`.yaml`](https://en.wikipedia.org/wiki/YAML#Syntax) file.

sqlpage/sqlpage.json

@@ -1,3 +1,5 @@
 {
-  "database_url": "sqlite:///tmp/bug.db?mode=rwc"
+  "database_url": "sqlite:///tmp/bug.db?mode=rwc",
+  "markdown_allow_dangerous_html": true,
+  "markdown_allow_dangerous_protocol": true
 }

src/app_config.rs

@@ -248,6 +248,12 @@ pub struct AppConfig {
     /// Maximum depth of recursion allowed in the `run_sql` function.
     #[serde(default = "default_max_recursion_depth")]
     pub max_recursion_depth: u8,
+
+    #[serde(default = "default_markdown_allow_dangerous_html")]
+    pub markdown_allow_dangerous_html: bool,
+
+    #[serde(default = "default_markdown_allow_dangerous_protocol")]
+    pub markdown_allow_dangerous_protocol: bool,
 }
 
 impl AppConfig {
@@ -506,6 +512,14 @@ fn default_max_recursion_depth() -> u8 {
     10
 }
 
+fn default_markdown_allow_dangerous_html() -> bool {
+    false
+}
+
+fn default_markdown_allow_dangerous_protocol() -> bool {
+    false
+}
+
 #[derive(Debug, Deserialize, Serialize, PartialEq, Clone, Copy, Eq, Default)]
 #[serde(rename_all = "lowercase")]
 pub enum DevOrProd {

src/template_helpers.rs

@@ -63,7 +63,7 @@ pub fn register_all_helpers(h: &mut Handlebars<'_>, config: &AppConfig) {
 
     // icon helper: generate an image with the specified icon
     h.register_helper("icon_img", Box::new(IconImgHelper(site_prefix)));
-    register_helper(h, "markdown", markdown_helper as EH);
+    register_helper(h, "markdown", MarkdownHelper::new(config));
     register_helper(h, "buildinfo", buildinfo_helper as EH);
     register_helper(h, "typeof", typeof_helper as H);
     register_helper(h, "rfc2822_date", rfc2822_date_helper as EH);
@@ -247,21 +247,45 @@ fn typeof_helper(v: &JsonValue) -> JsonValue {
     .into()
 }
 
-fn markdown_helper(x: &JsonValue) -> anyhow::Result<JsonValue> {
-    let as_str = match x {
-        JsonValue::String(s) => Cow::Borrowed(s),
-        JsonValue::Array(arr) => Cow::Owned(
-            arr.iter()
-                .map(|v| v.as_str().unwrap_or_default())
-                .collect::<Vec<_>>()
-                .join("\n"),
-        ),
-        JsonValue::Null => Cow::Owned(String::new()),
-        other => Cow::Owned(other.to_string()),
-    };
-    markdown::to_html_with_options(&as_str, &markdown::Options::gfm())
-        .map(JsonValue::String)
-        .map_err(|e| anyhow::anyhow!("markdown error: {e}"))
+/// Helper to render markdown with configurable options
+struct MarkdownHelper {
+    allow_dangerous_html: bool,
+    allow_dangerous_protocol: bool,
+}
+
+impl MarkdownHelper {
+    fn new(config: &AppConfig) -> Self {
+        Self { 
+            allow_dangerous_html: config.markdown_allow_dangerous_html,
+            allow_dangerous_protocol: config.markdown_allow_dangerous_protocol,
+        }
+    }
+}
+
+impl CanHelp for MarkdownHelper {
+    fn call(&self, args: &[PathAndJson]) -> Result<JsonValue, String> {
+        let as_str = match args {
+            [v] => v.value(),
+            _ => return Err("expected one argument".to_string()),
+        };
+        let as_str = match as_str {
+            JsonValue::String(s) => Cow::Borrowed(s),
+            JsonValue::Array(arr) => Cow::Owned(
+                arr.iter()
+                    .map(|v| v.as_str().unwrap_or_default())
+                    .collect::<Vec<_>>()
+                    .join("\n"),
+            ),
+            JsonValue::Null => Cow::Owned(String::new()),
+            other => Cow::Owned(other.to_string()),
+        };
+        let mut options = markdown::Options::gfm();
+        options.compile.allow_dangerous_html = self.allow_dangerous_html;
+        options.compile.allow_dangerous_protocol = self.allow_dangerous_protocol;
+        markdown::to_html_with_options(&as_str, &options)
+            .map(JsonValue::String)
+            .map_err(|e| e.to_string())
+    }
 }
 
 fn buildinfo_helper(x: &JsonValue) -> anyhow::Result<JsonValue> {

src/webserver/database/sql.rs

@@ -749,6 +749,7 @@ impl VisitorMut for ParameterExtractor {
         match value {
             Expr::Identifier(ident) => {
                 if let Some(param) = extract_ident_param(ident) {
+                    log::trace!("Extracted parameter {param} from identifier {ident}");
                     *value = self.make_placeholder();
                     self.parameters.push(param);
                 }
@@ -757,8 +758,10 @@ impl VisitorMut for ParameterExtractor {
             // this check is to avoid recursively replacing placeholders in the form of '?', or '$1', '$2', which we emit ourselves
             {
                 let new_expr = self.make_placeholder();
+                log::trace!("Extracted SQL placeholder {param}, replacing with {new_expr}");
                 let name = std::mem::take(param);
-                self.parameters.push(map_param(name));
+                let parameter = map_param(name);
+                self.parameters.push(parameter);
                 *value = new_expr;
             }
             Expr::Function(Function {