(HTML-safe) inline markdown for publisher description. (dart-lang#3608)

* (HTML-safe) inline markdown for publisher description.

* Test \r\n

* line breaks

* Fix XML/HTML check

* Replace newlines before sanitize

Author: isoos

app/lib/frontend/templates/_utils.dart

@@ -21,8 +21,10 @@ String renderFile(
   final content = file.text;
   if (content != null) {
     if (_isMarkdownFile(filename)) {
-      return markdownToHtml(content, baseUrl,
-          baseDir: p.dirname(filename), isChangelog: isChangelog);
+      return markdownToHtml(content,
+          baseUrl: baseUrl,
+          baseDir: p.dirname(filename),
+          isChangelog: isChangelog);
     } else if (_isDartFile(filename)) {
       return _renderDartCode(content);
     } else {
@@ -45,7 +47,7 @@ bool _isMarkdownFile(String filename) {
 bool _isDartFile(String filename) => filename.toLowerCase().endsWith('.dart');
 
 String _renderDartCode(String text) =>
-    markdownToHtml('````dart\n${text.trim()}\n````\n', null);
+    markdownToHtml('````dart\n${text.trim()}\n````\n');
 
 String _renderPlainText(String text) =>
     '<div class="highlight"><pre>${_escapeAngleBrackets(text)}</pre></div>';

app/lib/frontend/templates/misc.dart

@@ -26,7 +26,7 @@ import 'layout.dart';
 String renderUnauthenticatedPage({String messageMarkdown}) {
   messageMarkdown ??= 'You need to be logged in to view this page.';
   final content = templateCache.renderTemplate('account/unauthenticated', {
-    'message_html': markdownToHtml(messageMarkdown, null),
+    'message_html': markdownToHtml(messageMarkdown),
   });
   return renderLayoutPage(
     PageType.standalone,
@@ -41,7 +41,7 @@ String renderUnauthenticatedPage({String messageMarkdown}) {
 String renderUnauthorizedPage({String messageMarkdown}) {
   messageMarkdown ??= 'You have insufficient permissions to view this page.';
   final content = templateCache.renderTemplate('account/unauthorized', {
-    'message_html': markdownToHtml(messageMarkdown, null),
+    'message_html': markdownToHtml(messageMarkdown),
   });
   return renderLayoutPage(
     PageType.standalone,
@@ -106,7 +106,7 @@ String _renderStandalonePageContent({
         'Only one of `contentHtml` and `contentMarkdown` must be specified.');
   }
 
-  contentHtml ??= markdownToHtml(contentMarkdown, null);
+  contentHtml ??= markdownToHtml(contentMarkdown);
   return templateCache.renderTemplate('page/standalone', {
     'content_html': contentHtml,
     'has_side_image': sideImageUrl != null,
@@ -118,7 +118,7 @@ String _renderStandalonePageContent({
 String renderErrorPage(String title, String message) {
   final values = {
     'title': title,
-    'message_html': markdownToHtml(message, null),
+    'message_html': markdownToHtml(message),
   };
   final String content = templateCache.renderTemplate('page/error', values);
   return renderLayoutPage(

app/lib/frontend/templates/package_analysis.dart

@@ -91,7 +91,7 @@ String _renderSuggestionBlockHtml(String header, List<Suggestion> suggestions) {
     return {
       'icon_class': _suggestionIconClass(suggestion.level),
       'title_html': _renderSuggestionTitle(suggestion.title, suggestion.score),
-      'description_html': markdownToHtml(suggestion.description, null),
+      'description_html': markdownToHtml(suggestion.description),
       'suggestion_help_html': getSuggestionHelpMessage(suggestion.code),
     };
   }).toList();
@@ -120,7 +120,7 @@ String _renderSuggestionTitle(String title, double score) {
   if (formattedScore != null) {
     title = '$title ($formattedScore)';
   }
-  return markdownToHtml(title, null);
+  return markdownToHtml(title);
 }
 
 String _formatSuggestionScore(double score) {

app/lib/frontend/templates/publisher.dart

@@ -7,6 +7,7 @@ import 'dart:convert';
 import 'package:client_data/publisher_api.dart' as api;
 import 'package:client_data/page_data.dart';
 import 'package:meta/meta.dart';
+import 'package:pub_dev/shared/markdown.dart';
 
 import '../../package/models.dart' show PackageView;
 import '../../publisher/models.dart' show Publisher;
@@ -74,7 +75,7 @@ String _shortDescriptionHtml(Publisher publisher) {
   if (description != null && description.length > 1010) {
     description = description.substring(0, 1000) + '[...]';
   }
-  return htmlEscape.convert(description);
+  return markdownToHtml(description, inlineOnly: true);
 }
 
 /// Renders the `views/publisher/info_box.mustache` template.

app/lib/search/text_utils.dart

@@ -41,7 +41,7 @@ String compactDescription(String text) => _compactText(text, maxLength: 500);
 
 String compactReadme(String text) {
   if (text == null || text.isEmpty) return '';
-  final html = markdownToHtml(text, null)
+  final html = markdownToHtml(text)
       .replaceAll('</li>', '\n</li>')
       .replaceAll('</p>', '\n</p>')
       .replaceAll('</ul>', '\n</ul>')

app/lib/shared/handler_helpers.dart

@@ -145,8 +145,7 @@ shelf.Handler _logRequestWrapper(Logger logger, shelf.Handler handler) {
       if (shouldLog) {
         logger.info('Caught response exception: $e');
       }
-      final content =
-          markdownToHtml('# Error `${e.code}`\n\n${e.message}\n', null);
+      final content = markdownToHtml('# Error `${e.code}`\n\n${e.message}\n');
       return htmlResponse(
         renderLayoutPage(PageType.package, content, title: 'Error ${e.code}'),
         status: e.status,
@@ -173,7 +172,7 @@ Request ID: ${context.traceId}
       ''';
 
       final content = renderLayoutPage(
-          PageType.package, markdownToHtml(markdownText, null),
+          PageType.package, markdownToHtml(markdownText),
           title: title);
       return htmlResponse(content, status: 500, headers: debugHeaders);
     } finally {

app/lib/shared/markdown.dart

@@ -15,6 +15,12 @@ final Logger _logger = Logger('pub.markdown');
 /// h4, h5 and h6 are considered formatting-only headers
 const _structuralHeaderTags = <String>{'h1', 'h2', 'h3'};
 
+/// Matches more than 1 line breaks.
+final _multiLineBreakRegExp = RegExp(r'\n{2,}');
+
+/// The element tags that are accepted when inline-only parsing is used.
+final _safeInlineTags = <String>{'em', 'strong'};
+
 const _whitelistedClassNames = <String>[
   'changelog-entry',
   'changelog-version',
@@ -24,27 +30,36 @@ const _whitelistedClassNames = <String>[
 ];
 
 /// Renders markdown [text] to HTML.
+///
+/// Setting [inlineOnly] not only restricts the processed rules to inline syntax,
+/// but it also restricts the accepted output elements to bold and italics
+/// formatting.
 String markdownToHtml(
-  String text,
-  String baseUrl, {
+  String text, {
+  String baseUrl,
   String baseDir,
   bool isChangelog = false,
+  bool inlineOnly = false,
 }) {
   if (text == null) return null;
-  var nodes = _parseMarkdownSource(text);
+  text = text.replaceAll('\r\n', '\n');
+  var nodes = _parseMarkdownSource(text, inlineOnly);
   nodes = _rewriteRelativeUrls(nodes, baseUrl: baseUrl, baseDir: baseDir);
   if (isChangelog) {
     nodes = _groupChangelogNodes(nodes).toList();
   }
-  return _renderSafeHtml(nodes);
+  return _renderSafeHtml(nodes, inlineOnly);
 }
 
 /// Parses markdown [source].
-List<m.Node> _parseMarkdownSource(String source) {
+List<m.Node> _parseMarkdownSource(String source, bool inlineOnly) {
   if (source == null) return null;
   final document = m.Document(
       extensionSet: m.ExtensionSet.gitHubWeb,
       blockSyntaxes: m.ExtensionSet.gitHubWeb.blockSyntaxes);
+  if (inlineOnly) {
+    return document.parseInline(source);
+  }
   final lines = source.replaceAll('\r\n', '\n').split('\n');
   return document.parseLines(lines);
 }
@@ -63,25 +78,48 @@ List<m.Node> _rewriteRelativeUrls(
 
 /// Renders sanitized, safe HTML from markdown nodes.
 /// Adds hash link HTML to header blocks.
-String _renderSafeHtml(List<m.Node> nodes) {
+String _renderSafeHtml(List<m.Node> nodes, bool inlineOnly) {
   // Filter unsafe urls on some of the elements.
-  final unsafeUrlFilter = _UnsafeUrlFilter();
-  nodes.forEach((node) => node.accept(unsafeUrlFilter));
+  nodes.forEach((node) => node.accept(_UnsafeUrlFilter()));
+
+  if (inlineOnly) {
+    _keepOnlyInlineElements(nodes);
+  }
 
   // add hash link HTML to header blocks
   final hashLink = _HashLink();
   nodes.forEach((node) => node.accept(hashLink));
 
+  var rawHtml = m.renderToHtml(nodes);
+  if (inlineOnly) {
+    rawHtml = rawHtml.replaceAll(_multiLineBreakRegExp, '<br />\n');
+  }
+
   // Renders the sanitized HTML.
   final html = sanitizeHtml(
-    m.renderToHtml(nodes),
+    rawHtml,
     allowElementId: (String id) => true, // TODO: blacklist ids used by pub site
     allowClassName: (String cn) {
       if (cn.startsWith('language-')) return true;
       return _whitelistedClassNames.contains(cn);
     },
   );
-  return html + '\n';
+  return inlineOnly ? html : '$html\n';
+}
+
+void _keepOnlyInlineElements(List<m.Node> nodes) {
+  if (nodes == null) return;
+  for (var i = nodes.length - 1; i >= 0; i--) {
+    final node = nodes[i];
+    if (node is! m.Element) continue;
+
+    final elem = node as m.Element;
+    _keepOnlyInlineElements(elem.children);
+    if (!_safeInlineTags.contains(elem.tag)) {
+      nodes.replaceRange(i, i + 1, [m.Text(elem.textContent)]);
+      continue;
+    }
+  }
 }
 
 /// Adds an extra <a href="#hash">#</a> element to h1, h2 and h3 elements.

app/test/frontend/golden/publisher_packages_page.html

@@ -200,8 +200,9 @@ <h3 class="title">
           <aside class="detail-info-box">
             <h3 class="title">Description</h3>
             <p>This is our little software developer shop.
-
-We develop full-stack in Dart, and happy about it.</p>
+              <br/>
+We develop full-stack in Dart, and happy about it.
+            </p>
             <h3 class="title">Publisher</h3>
             <p>
               <img class="-pub-publisher-shield" height="22" width="22" title="Domain ownership verified by pub.dev" src="/static/img/verified-publisher-blue.svg?hash=mocked_hash_919645162"/>example.com