Home Explore Help
Sign In
Troglodyne
/
tCMS
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
tCMS
/
lib
/
Trog
/
Renderer
/
Base.pm

Base.pm 4.1 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111 
  1. package Trog::Renderer::Base;
    2. 

  2. 

  3. use strict;
    4. 

  4. use warnings;
    5. 

  5. 

  6. no warnings 'experimental';
    7. 

  7. use feature qw{signatures state};
    8. 

  8. 

  9. use Encode qw{encode_utf8};
    10. 

  10. use IO::Compress::Gzip;
    11. 

  11. 

  12. use Text::Xslate;
    13. 

  13. use Trog::Themes;
    14. 

  14. use Trog::Config;
    15. 

  15. use Time::HiRes qw{tv_interval};
    16. 

  16. 

  17. =head1 Trog::Renderer::Base
    18. 

  18. 

  19. Basic rendering structure, subclass me.
    20. 

  20. 

  21. Sets up the methods which must be present for all templates, e.g. render_it for rendering dynamic template strings coming from a post.
    22. 

  22. 

  23. =cut
    24. 

  24. 

  25. our %renderers;
    26. 

  26. 

  27. sub render (%options) {
    28. 

  28.     die "Templated renders require a template to be passed" unless $options{template};
    29. 

  29. 

  30.     my $template_dir = Trog::Themes::template_dir( $options{template}, $options{contenttype}, $options{component} );
    31. 

  31.     my $t            = "$template_dir/$options{template}";
    32. 

  32.     die "Templated renders require an existing template to be passed, got $template_dir/$options{template}" unless -f $t || -s $t;
    33. 

  33. 

  34.     #TODO make this work with posts all the time
    35. 

  35.     $options{child_processor} //= Text::Xslate->new( path => $template_dir );
    36. 

  36.     my $child_processor = $options{child_processor};
    37. 

  37.     $options{child_renderer} //= sub {
    38. 

  38.         my ( $template_string, $options ) = @_;
    39. 

  39. 

  40.         # If it fails to render, it must be something else
    41. 

  41.         my $out = eval { $child_processor->render_string( $template_string, $options ) };
    42. 

  42.         return $out ? $out : $template_string;
    43. 

  43.     };
    44. 

  44. 

  45.     $renderers{$template_dir} //= Text::Xslate->new(
    46. 

  46.         path     => $template_dir,
    47. 

  47.         function => {
    48. 

  48.             render_it => $options{child_renderer},
    49. 

  49.         },
    50. 

  50.     );
    51. 

  51. 

  52.     my $code = $options{code};
    53. 

  53.     my $body = encode_utf8( $renderers{$template_dir}->render( $options{template}, $options{data} ) );
    54. 

  54. 

  55.     # Users can supply a post_processor to futz with the output (such as with minifiers) if they wish.
    56. 

  56.     $body = $options{post_processor}->($body) if $options{post_processor} && ref $options{post_processor} eq 'CODE';
    57. 

  57. 

  58.     # Users can supply custom headers as part of the data in options.
    59. 

  59.     my %headers = headers( \%options, $body );
    60. 

  60. 

  61.     return $body if $options{component};
    62. 

  62.     return [ $code, [%headers], [$body] ] unless $options{deflate};
    63. 

  63. 

  64.     $headers{"Content-Encoding"} = "gzip";
    65. 

  65.     my $dfh;
    66. 

  66.     IO::Compress::Gzip::gzip( \$body => \$dfh );
    67. 

  67.     print $IO::Compress::Gzip::GzipError if $IO::Compress::Gzip::GzipError;
    68. 

  68.     $headers{"Content-Length"} = length($dfh);
    69. 

  69. 

  70.     return [ $code, [%headers], [$dfh] ];
    71. 

  71. }
    72. 

  72. 

  73. sub headers ( $options, $body ) {
    74. 

  74.     my $query   = $options->{data};
    75. 

  75.     my $uh      = ref $options->{headers} eq 'HASH'      ? $options->{headers}        : {};
    76. 

  76.     my $ct      = $options->{contenttype} eq 'text/html' ? "text/html; charset=UTF-8" : "$options->{contenttype};";
    77. 

  77.     my %headers = (
    78. 

  78.         'Content-Type'           => $ct,
    79. 

  79.         'Content-Length'         => length($body),
    80. 

  80.         'Cache-Control'          => $query->{cachecontrol} // $Trog::Vars::cache_control{revalidate},
    81. 

  81.         'X-Content-Type-Options' => 'nosniff',
    82. 

  82.         'Vary'                   => 'Accept-Encoding',
    83. 

  83.         'Server-Timing'          => "render;dur=" . ( tv_interval( $query->{start} ) * 1000 ),
    84. 

  84.         %$uh,
    85. 

  85.     );
    86. 

  86. 

  87.     #Disallow framing UNLESS we are in embed mode
    88. 

  88.     my $ancestor = $query->{domain} || 'none';
    89. 

  89.     $headers{"Content-Security-Policy"} = qq{frame-ancestors '$ancestor'} unless $query->{embed};
    90. 

  90. 

  91.     $headers{'X-Frame-Options'} = 'DENY' unless $query->{embed};
    92. 

  92.     $headers{'Referrer-Policy'} = 'no-referrer-when-downgrade';
    93. 

  93. 

  94.     #CSP. Yet another layer of 'no mixed content' plus whitelisted execution of remote resources.
    95. 

  95.     my $scheme = $query->{scheme} ? "$query->{scheme}:" : '';
    96. 

  96. 

  97.     my $conf  = Trog::Config::get();
    98. 

  98.     my $sites = $conf->param('security.allow_embeds_from') // '';
    99. 

  99.     $headers{'Content-Security-Policy'} .= ";default-src $scheme 'self' 'unsafe-eval' 'unsafe-inline' $sites";
    100. 

  100.     $headers{'Content-Security-Policy'} .= ";object-src 'none'";
    101. 

  101. 

  102.     # Force https if we are https
    103. 

  103.     $headers{'Strict-Transport-Security'} = 'max-age=63072000' if ( $query->{scheme} // '' ) eq 'https';
    104. 

  104. 

  105.     # We only set etags when users are logged in, cause we don't use statics
    106. 

  106.     $headers{'ETag'} = $query->{etag} if $query->{etag} && $query->{user};
    107. 

  107. 

  108.     return %headers;
    109. 

  109. }
    110. 

  110. 

  111. 1;
    112.