Domovská stránka Prehľadávať Pomoc
Prihlásiť sa
Troglodyne
/
tCMS
2
0
Fork 0
Súbory Issues 0 Pull requesty 0 Wiki
Strom: 8a85cb3a4b
Branche Tagy
tCMS
/
lib
/
Trog
/
Renderer
/
Base.pm

Base.pm 4.0 KB
História Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109 
  1. package Trog::Renderer::Base;
    2. 

  2. 

  3. use strict;
    4. 

  4. use warnings;
    5. 

  5. 

  6. no warnings 'experimental';
    7. 

  7. use feature qw{signatures state};
    8. 

  8. 

  9. use Encode qw{encode_utf8};
    10. 

  10. use IO::Compress::Gzip;
    11. 

  11. 

  12. use Text::Xslate;
    13. 

  13. use Trog::Themes;
    14. 

  14. use Trog::Config;
    15. 

  15. 

  16. =head1 Trog::Renderer::Base
    17. 

  17. 

  18. Basic rendering structure, subclass me.
    19. 

  19. 

  20. Sets up the methods which must be present for all templates, e.g. render_it for rendering dynamic template strings coming from a post.
    21. 

  21. 

  22. =cut
    23. 

  23. 

  24. our %renderers;
    25. 

  25. 

  26. sub render (%options) {
    27. 

  27.     die "Templated renders require a template to be passed" unless $options{template};
    28. 

  28. 

  29.     my $template_dir = Trog::Themes::template_dir( $options{template}, $options{contenttype}, $options{component} );
    30. 

  30.     my $t            = "$template_dir/$options{template}";
    31. 

  31.     die "Templated renders require an existing template to be passed, got $template_dir/$options{template}" unless -f $t || -s $t;
    32. 

  32. 

  33.     #TODO make this work with posts all the time
    34. 

  34.     $options{child_processor} //= Text::Xslate->new( path => $template_dir );
    35. 

  35.     my $child_processor = $options{child_processor};
    36. 

  36.     $options{child_renderer} //= sub {
    37. 

  37.         my ( $template_string, $options ) = @_;
    38. 

  38. 

  39.         # If it fails to render, it must be something else
    40. 

  40.         my $out = eval { $child_processor->render_string( $template_string, $options ) };
    41. 

  41.         return $out ? $out : $template_string;
    42. 

  42.     };
    43. 

  43. 

  44.     $renderers{$template_dir} //= Text::Xslate->new(
    45. 

  45.         path     => $template_dir,
    46. 

  46.         function => {
    47. 

  47.             render_it => $options{child_renderer},
    48. 

  48.         },
    49. 

  49.     );
    50. 

  50. 

  51.     my $code = $options{code};
    52. 

  52.     my $body = encode_utf8( $renderers{$template_dir}->render( $options{template}, $options{data} ) );
    53. 

  53. 

  54.     # Users can supply a post_processor to futz with the output (such as with minifiers) if they wish.
    55. 

  55.     $body = $options{post_processor}->($body) if $options{post_processor} && ref $options{post_processor} eq 'CODE';
    56. 

  56. 

  57.     # Users can supply custom headers as part of the data in options.
    58. 

  58.     my %headers = headers( \%options, $body );
    59. 

  59. 

  60.     return $body if $options{component};
    61. 

  61.     return [ $code, [%headers], [$body] ] unless $options{deflate};
    62. 

  62. 

  63.     $headers{"Content-Encoding"} = "gzip";
    64. 

  64.     my $dfh;
    65. 

  65.     IO::Compress::Gzip::gzip( \$body => \$dfh );
    66. 

  66.     print $IO::Compress::Gzip::GzipError if $IO::Compress::Gzip::GzipError;
    67. 

  67.     $headers{"Content-Length"} = length($dfh);
    68. 

  68. 

  69.     return [ $code, [%headers], [$dfh] ];
    70. 

  70. }
    71. 

  71. 

  72. sub headers ( $options, $body ) {
    73. 

  73.     my $query   = $options->{data};
    74. 

  74.     my $uh      = ref $options->{headers} eq 'HASH' ? $options->{headers} : {};
    75. 

  75.     my $ct      = $options->{contenttype} eq 'text/html' ? "text/html; charset=UTF-8" : "$options->{contenttype};";
    76. 

  76.     my %headers = (
    77. 

  77.         'Content-Type'           => $ct,
    78. 

  78.         'Content-Length'         => length($body),
    79. 

  79.         'Cache-Control'          => $query->{cachecontrol} // $Trog::Vars::cache_control{revalidate},
    80. 

  80.         'X-Content-Type-Options' => 'nosniff',
    81. 

  81.         'Vary'                   => 'Accept-Encoding',
    82. 

  82.         %$uh,
    83. 

  83.     );
    84. 

  84. 

  85.     #Disallow framing UNLESS we are in embed mode
    86. 

  86.     my $ancestor = $query->{domain} || 'none';
    87. 

  87.     $headers{"Content-Security-Policy"} = qq{frame-ancestors '$ancestor'} unless $query->{embed};
    88. 

  88. 

  89.     $headers{'X-Frame-Options'} = 'DENY' unless $query->{embed};
    90. 

  90.     $headers{'Referrer-Policy'} = 'no-referrer-when-downgrade';
    91. 

  91. 

  92.     #CSP. Yet another layer of 'no mixed content' plus whitelisted execution of remote resources.
    93. 

  93.     my $scheme = $query->{scheme} ? "$query->{scheme}:" : '';
    94. 

  94. 

  95.     my $conf  = Trog::Config::get();
    96. 

  96.     my $sites = $conf->param('security.allow_embeds_from') // '';
    97. 

  97.     $headers{'Content-Security-Policy'} .= ";default-src $scheme 'self' 'unsafe-eval' 'unsafe-inline' $sites";
    98. 

  98.     $headers{'Content-Security-Policy'} .= ";object-src 'none'";
    99. 

  99. 

  100.     # Force https if we are https
    101. 

  101.     $headers{'Strict-Transport-Security'} = 'max-age=63072000' if ( $query->{scheme} // '' ) eq 'https';
    102. 

  102. 

  103.     # We only set etags when users are logged in, cause we don't use statics
    104. 

  104.     $headers{'ETag'} = $query->{etag} if $query->{etag} && $query->{user};
    105. 

  105. 

  106.     return %headers;
    107. 

  107. }
    108. 

  108. 

  109. 1;
    110.