lew/guestbook
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor: renames some options to be a little clearer, and fixes up the module

Browse source
This commit is contained in:
Lewis Wynne 2026-04-09 18:57:58 +01:00
parent 0534b315a3
commit 726fe55eb8
5 changed files with 212 additions and 199 deletions
Download patch file Download diff file Expand all files Collapse all files

23
.env.example
View file

@ -14,7 +14,18 @@ BOOK_TELEGRAM_BOT_TOKEN=your-bot-token-here
BOOK_TELEGRAM_CHAT_ID=0 BOOK_TELEGRAM_CHAT_ID=0
# Enable honeypot field for spam prevention. # Enable honeypot field for spam prevention.
BOOK_HONEYPOT=true BOOK_ENABLE_HONEYPOT=true
# Allow new guestbook submissions. When false, the form is hidden and submissions are rejected.
BOOK_ENABLE_SUBMISSIONS=true
# Show website field in form and render website links in entries.
# When false, the input is hidden, submitted values are ignored, and existing links are not displayed.
BOOK_ENABLE_WEBSITE_LINKS=true
# Allow raw HTML/JS in entry names and message bodies. When false, HTML is escaped.
# Website URLs are always escaped regardless of this setting.
BOOK_ENABLE_HTML_INJECTION=true
# Maximum length for names. 0 for unlimited. # Maximum length for names. 0 for unlimited.
BOOK_MAX_NAME_LENGTH=50 BOOK_MAX_NAME_LENGTH=50
@ -25,16 +36,6 @@ BOOK_MAX_MESSAGE_LENGTH=1000
# Maximum length for website URLs. 0 for unlimited. # Maximum length for website URLs. 0 for unlimited.
BOOK_MAX_WEBSITE_LENGTH=100 BOOK_MAX_WEBSITE_LENGTH=100
# Allow new guestbook submissions. When false, the form is hidden and submissions are rejected.
BOOK_OPEN_REGISTRATION=true
# Show website field in submission form. When false, the input is hidden and submitted values are ignored.
BOOK_ENABLE_WEBSITE_FIELD=true
# Allow raw HTML/JS in entry names and message bodies. When false, HTML is escaped.
# Website URLs are always escaped regardless of this setting.
BOOK_ALLOW_HTML_INJECTION=true
# Separator between guestbook entries. # Separator between guestbook entries.
BOOK_SEPARATOR=------------------------------------------------------------ BOOK_SEPARATOR=------------------------------------------------------------

292
module.nix
View file

@ -30,124 +30,6 @@ in
description = "Site title shown in nav and page title."; description = "Site title shown in nav and page title.";
}; };
telegramChatId = mkOption {
type = types.int;
description = "Telegram chat ID for moderation messages.";
};
telegramBotTokenFile = mkOption {
type = types.path;
description = "Path to a file containing the Telegram bot token.";
};
honeypot = mkOption {
type = types.bool;
default = true;
description = "Enable honeypot field for spam prevention.";
};
maxNameLength = mkOption {
type = types.int;
default = 50;
description = "Maximum length for names. 0 for unlimited.";
};
maxMessageLength = mkOption {
type = types.int;
default = 1000;
description = "Maximum length for messages. 0 for unlimited.";
};
maxWebsiteLength = mkOption {
type = types.int;
default = 100;
description = "Maximum length for website URLs. 0 for unlimited.";
};
openRegistration = mkOption {
type = types.bool;
default = true;
description = "Allow new guestbook submissions. When false, the form is hidden and submissions are rejected.";
};
enableWebsiteField = mkOption {
type = types.bool;
default = true;
description = "Show website field in submission form. When false, the input is hidden and submitted values are ignored.";
};
allowHtmlInjection = mkOption {
type = types.bool;
default = true;
description = "Allow raw HTML/JS in entry names and message bodies. When false, HTML is escaped. Website URLs are always escaped.";
};
separator = mkOption {
type = types.str;
default = "------------------------------------------------------------";
description = "Separator between guestbook entries.";
};
style = mkOption {
type = types.str;
default = "";
description = "Custom CSS injected into a style tag. Use class names: .guestbook-form, .guestbook-prompt, .guestbook-label, .guestbook-input, .guestbook-textarea, .guestbook-button, .entry-header, .entry-name, .entry-website, .entry-body, .entry-separator";
};
styleFile = mkOption {
type = types.nullOr types.path;
default = null;
description = "Path to a CSS file. Takes precedence over style.";
};
formPrompt = mkOption {
type = types.str;
default = "If you visited my site, please sign my guestbook!";
description = "Text shown above the form.";
};
buttonText = mkOption {
type = types.str;
default = "sign";
description = "Submit button text.";
};
labelName = mkOption {
type = types.str;
default = "Your name:";
description = "Label for the name field.";
};
labelWebsite = mkOption {
type = types.str;
default = "Your website (optional):";
description = "Label for the website field.";
};
labelMessage = mkOption {
type = types.str;
default = "Your message:";
description = "Label for the message field.";
};
textareaRows = mkOption {
type = types.int;
default = 8;
description = "Number of rows for the message textarea.";
};
textareaCols = mkOption {
type = types.int;
default = 60;
description = "Number of columns for the message textarea.";
};
templateFile = mkOption {
type = types.nullOr types.path;
default = null;
description = "Custom HTML template file with {{title}}, {{form}}, and {{entries}} placeholders. Uses built-in default if null.";
};
user = mkOption { user = mkOption {
type = types.str; type = types.str;
default = "guestbook"; default = "guestbook";
@ -168,6 +50,136 @@ in
description = "Domain for the Caddy virtual host."; description = "Domain for the Caddy virtual host.";
}; };
}; };
security = {
enableSubmissions = mkOption {
type = types.bool;
default = true;
description = "Allow new guestbook submissions. When false, the form is hidden and submissions are rejected.";
};
enableHtmlInjection = mkOption {
type = types.bool;
default = true;
description = "Allow raw HTML/JS in entry names and message bodies. When false, HTML is escaped. Website URLs are always escaped.";
};
enableWebsiteLinks = mkOption {
type = types.bool;
default = true;
description = "Show website field in form and render website links in entries. When false, the input is hidden, submitted values are ignored, and existing links are not displayed.";
};
enableHoneypot = mkOption {
type = types.bool;
default = true;
description = "Enable honeypot field for spam prevention.";
};
};
telegram = {
botTokenFile = mkOption {
type = types.path;
description = "Path to a file containing the Telegram bot token.";
};
chatId = mkOption {
type = types.int;
description = "Telegram chat ID for moderation messages.";
};
};
limits = {
name = mkOption {
type = types.int;
default = 50;
description = "Maximum length for names. 0 for unlimited.";
};
message = mkOption {
type = types.int;
default = 1000;
description = "Maximum length for messages. 0 for unlimited.";
};
website = mkOption {
type = types.int;
default = 100;
description = "Maximum length for website URLs. 0 for unlimited.";
};
};
styles = {
css = mkOption {
type = types.str;
default = "";
description = "Custom CSS injected into a style tag. Use class names: .guestbook-form, .guestbook-prompt, .guestbook-label, .guestbook-input, .guestbook-textarea, .guestbook-button, .entry-header, .entry-name, .entry-website, .entry-body, .entry-separator";
};
cssFile = mkOption {
type = types.nullOr types.path;
default = null;
description = "Path to a CSS file. Takes precedence over css.";
};
templateFile = mkOption {
type = types.nullOr types.path;
default = null;
description = "Custom HTML template file with {{title}}, {{form}}, {{entries}}, and {{style}} placeholders. Uses built-in default if null.";
};
separator = mkOption {
type = types.str;
default = "------------------------------------------------------------";
description = "Separator between guestbook entries.";
};
greeting = mkOption {
type = types.str;
default = "If you visited my site, please sign my guestbook!";
description = "Text shown above the form.";
};
labels = {
submit = mkOption {
type = types.str;
default = "sign";
description = "Submit button text.";
};
name = mkOption {
type = types.str;
default = "Your name:";
description = "Label for the name field.";
};
website = mkOption {
type = types.str;
default = "Your website (optional):";
description = "Label for the website field.";
};
message = mkOption {
type = types.str;
default = "Your message:";
description = "Label for the message field.";
};
};
message = {
rows = mkOption {
type = types.int;
default = 8;
description = "Number of rows for the message textarea.";
};
cols = mkOption {
type = types.int;
default = 60;
description = "Number of columns for the message textarea.";
};
};
};
}; };
config = mkIf cfg.enable (mkMerge [ config = mkIf cfg.enable (mkMerge [
@ -182,27 +194,27 @@ in
BOOK_DATA_DIR = cfg.dataDir; BOOK_DATA_DIR = cfg.dataDir;
BOOK_SITE_TITLE = cfg.siteTitle; BOOK_SITE_TITLE = cfg.siteTitle;
BOOK_TELEGRAM_CHAT_ID = toString cfg.telegramChatId; BOOK_TELEGRAM_CHAT_ID = toString cfg.telegram.chatId;
BOOK_HONEYPOT = if cfg.honeypot then "true" else "false"; BOOK_ENABLE_HONEYPOT = if cfg.security.enableHoneypot then "true" else "false";
BOOK_MAX_NAME_LENGTH = toString cfg.maxNameLength; BOOK_ENABLE_SUBMISSIONS = if cfg.security.enableSubmissions then "true" else "false";
BOOK_MAX_MESSAGE_LENGTH = toString cfg.maxMessageLength; BOOK_ENABLE_HTML_INJECTION = if cfg.security.enableHtmlInjection then "true" else "false";
BOOK_MAX_WEBSITE_LENGTH = toString cfg.maxWebsiteLength; BOOK_ENABLE_WEBSITE_LINKS = if cfg.security.enableWebsiteLinks then "true" else "false";
BOOK_OPEN_REGISTRATION = if cfg.openRegistration then "true" else "false"; BOOK_MAX_NAME_LENGTH = toString cfg.limits.name;
BOOK_ENABLE_WEBSITE_FIELD = if cfg.enableWebsiteField then "true" else "false"; BOOK_MAX_MESSAGE_LENGTH = toString cfg.limits.message;
BOOK_ALLOW_HTML_INJECTION = if cfg.allowHtmlInjection then "true" else "false"; BOOK_MAX_WEBSITE_LENGTH = toString cfg.limits.website;
BOOK_SEPARATOR = cfg.separator; BOOK_SEPARATOR = cfg.styles.separator;
BOOK_STYLE = cfg.style; BOOK_STYLE = cfg.styles.css;
} // lib.optionalAttrs (cfg.styleFile != null) { BOOK_FORM_PROMPT = cfg.styles.greeting;
BOOK_STYLE_FILE = cfg.styleFile; BOOK_BUTTON_TEXT = cfg.styles.labels.submit;
BOOK_FORM_PROMPT = cfg.formPrompt; BOOK_LABEL_NAME = cfg.styles.labels.name;
BOOK_BUTTON_TEXT = cfg.buttonText; BOOK_LABEL_WEBSITE = cfg.styles.labels.website;
BOOK_LABEL_NAME = cfg.labelName; BOOK_LABEL_MESSAGE = cfg.styles.labels.message;
BOOK_LABEL_WEBSITE = cfg.labelWebsite; BOOK_TEXTAREA_ROWS = toString cfg.styles.message.rows;
BOOK_LABEL_MESSAGE = cfg.labelMessage; BOOK_TEXTAREA_COLS = toString cfg.styles.message.cols;
BOOK_TEXTAREA_ROWS = toString cfg.textareaRows; } // lib.optionalAttrs (cfg.styles.cssFile != null) {
BOOK_TEXTAREA_COLS = toString cfg.textareaCols; BOOK_STYLE_FILE = cfg.styles.cssFile;
} // lib.optionalAttrs (cfg.templateFile != null) { } // lib.optionalAttrs (cfg.styles.templateFile != null) {
BOOK_TEMPLATE = cfg.templateFile; BOOK_TEMPLATE = cfg.styles.templateFile;
}; };
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "simple";
@ -216,7 +228,7 @@ in
ReadWritePaths = [ cfg.dataDir ]; ReadWritePaths = [ cfg.dataDir ];
}; };
script = '' script = ''
export BOOK_TELEGRAM_BOT_TOKEN="$(< "${cfg.telegramBotTokenFile}")" export BOOK_TELEGRAM_BOT_TOKEN="$(< "${cfg.telegram.botTokenFile}")"
exec ${cfg.package}/bin/guestbook exec ${cfg.package}/bin/guestbook
''; '';
}; };

44
src/config.rs
View file

@ -9,13 +9,13 @@ pub struct Config {
pub telegram_bot_token: String, pub telegram_bot_token: String,
pub telegram_chat_id: i64, pub telegram_chat_id: i64,
pub honeypot: bool, pub enable_honeypot: bool,
pub max_name_length: usize, pub max_name_length: usize,
pub max_message_length: usize, pub max_message_length: usize,
pub max_website_length: usize, pub max_website_length: usize,
pub open_registration: bool, pub enable_submissions: bool,
pub enable_website_field: bool, pub enable_website_links: bool,
pub allow_html_injection: bool, pub enable_html_injection: bool,
pub template: Option<String>, pub template: Option<String>,
pub separator: String, pub separator: String,
pub style: String, pub style: String,
@ -50,7 +50,7 @@ impl Config {
.map_err(|_| "BOOK_TELEGRAM_CHAT_ID is required")? .map_err(|_| "BOOK_TELEGRAM_CHAT_ID is required")?
.parse() .parse()
.map_err(|_| "BOOK_TELEGRAM_CHAT_ID must be an integer")?, .map_err(|_| "BOOK_TELEGRAM_CHAT_ID must be an integer")?,
honeypot: env::var("BOOK_HONEYPOT") enable_honeypot: env::var("BOOK_ENABLE_HONEYPOT")
.map(|v| v != "false") .map(|v| v != "false")
.unwrap_or(true), .unwrap_or(true),
max_name_length: env::var("BOOK_MAX_NAME_LENGTH") max_name_length: env::var("BOOK_MAX_NAME_LENGTH")
@ -65,13 +65,13 @@ impl Config {
.unwrap_or_else(|_| "100".into()) .unwrap_or_else(|_| "100".into())
.parse() .parse()
.map_err(|_| "BOOK_MAX_WEBSITE_LENGTH must be a number")?, .map_err(|_| "BOOK_MAX_WEBSITE_LENGTH must be a number")?,
open_registration: env::var("BOOK_OPEN_REGISTRATION") enable_submissions: env::var("BOOK_ENABLE_SUBMISSIONS")
.map(|v| v != "false") .map(|v| v != "false")
.unwrap_or(true), .unwrap_or(true),
enable_website_field: env::var("BOOK_ENABLE_WEBSITE_FIELD") enable_website_links: env::var("BOOK_ENABLE_WEBSITE_LINKS")
.map(|v| v != "false") .map(|v| v != "false")
.unwrap_or(true), .unwrap_or(true),
allow_html_injection: env::var("BOOK_ALLOW_HTML_INJECTION") enable_html_injection: env::var("BOOK_ENABLE_HTML_INJECTION")
.map(|v| v != "false") .map(|v| v != "false")
.unwrap_or(true), .unwrap_or(true),
separator: env::var("BOOK_SEPARATOR") separator: env::var("BOOK_SEPARATOR")
@ -167,60 +167,60 @@ mod tests {
} }
#[test] #[test]
fn test_enable_website_field_default() { fn test_enable_website_links_default() {
let _lock = ENV_LOCK.lock().unwrap(); let _lock = ENV_LOCK.lock().unwrap();
env::set_var("BOOK_TELEGRAM_BOT_TOKEN", "123:ABC"); env::set_var("BOOK_TELEGRAM_BOT_TOKEN", "123:ABC");
env::set_var("BOOK_TELEGRAM_CHAT_ID", "12345"); env::set_var("BOOK_TELEGRAM_CHAT_ID", "12345");
env::remove_var("BOOK_ENABLE_WEBSITE_FIELD"); env::remove_var("BOOK_ENABLE_WEBSITE_LINKS");
let config = Config::from_env().unwrap(); let config = Config::from_env().unwrap();
assert!(config.enable_website_field); assert!(config.enable_website_links);
env::remove_var("BOOK_TELEGRAM_BOT_TOKEN"); env::remove_var("BOOK_TELEGRAM_BOT_TOKEN");
env::remove_var("BOOK_TELEGRAM_CHAT_ID"); env::remove_var("BOOK_TELEGRAM_CHAT_ID");
} }
#[test] #[test]
fn test_enable_website_field_false() { fn test_enable_website_links_false() {
let _lock = ENV_LOCK.lock().unwrap(); let _lock = ENV_LOCK.lock().unwrap();
env::set_var("BOOK_TELEGRAM_BOT_TOKEN", "123:ABC"); env::set_var("BOOK_TELEGRAM_BOT_TOKEN", "123:ABC");
env::set_var("BOOK_TELEGRAM_CHAT_ID", "12345"); env::set_var("BOOK_TELEGRAM_CHAT_ID", "12345");
env::set_var("BOOK_ENABLE_WEBSITE_FIELD", "false"); env::set_var("BOOK_ENABLE_WEBSITE_LINKS", "false");
let config = Config::from_env().unwrap(); let config = Config::from_env().unwrap();
assert!(!config.enable_website_field); assert!(!config.enable_website_links);
env::remove_var("BOOK_TELEGRAM_BOT_TOKEN"); env::remove_var("BOOK_TELEGRAM_BOT_TOKEN");
env::remove_var("BOOK_TELEGRAM_CHAT_ID"); env::remove_var("BOOK_TELEGRAM_CHAT_ID");
env::remove_var("BOOK_ENABLE_WEBSITE_FIELD"); env::remove_var("BOOK_ENABLE_WEBSITE_LINKS");
} }
#[test] #[test]
fn test_allow_html_injection_default() { fn test_enable_html_injection_default() {
let _lock = ENV_LOCK.lock().unwrap(); let _lock = ENV_LOCK.lock().unwrap();
env::set_var("BOOK_TELEGRAM_BOT_TOKEN", "123:ABC"); env::set_var("BOOK_TELEGRAM_BOT_TOKEN", "123:ABC");
env::set_var("BOOK_TELEGRAM_CHAT_ID", "12345"); env::set_var("BOOK_TELEGRAM_CHAT_ID", "12345");
env::remove_var("BOOK_ALLOW_HTML_INJECTION"); env::remove_var("BOOK_ENABLE_HTML_INJECTION");
let config = Config::from_env().unwrap(); let config = Config::from_env().unwrap();
assert!(config.allow_html_injection); assert!(config.enable_html_injection);
env::remove_var("BOOK_TELEGRAM_BOT_TOKEN"); env::remove_var("BOOK_TELEGRAM_BOT_TOKEN");
env::remove_var("BOOK_TELEGRAM_CHAT_ID"); env::remove_var("BOOK_TELEGRAM_CHAT_ID");
} }
#[test] #[test]
fn test_allow_html_injection_false() { fn test_enable_html_injection_false() {
let _lock = ENV_LOCK.lock().unwrap(); let _lock = ENV_LOCK.lock().unwrap();
env::set_var("BOOK_TELEGRAM_BOT_TOKEN", "123:ABC"); env::set_var("BOOK_TELEGRAM_BOT_TOKEN", "123:ABC");
env::set_var("BOOK_TELEGRAM_CHAT_ID", "12345"); env::set_var("BOOK_TELEGRAM_CHAT_ID", "12345");
env::set_var("BOOK_ALLOW_HTML_INJECTION", "false"); env::set_var("BOOK_ENABLE_HTML_INJECTION", "false");
let config = Config::from_env().unwrap(); let config = Config::from_env().unwrap();
assert!(!config.allow_html_injection); assert!(!config.enable_html_injection);
env::remove_var("BOOK_TELEGRAM_BOT_TOKEN"); env::remove_var("BOOK_TELEGRAM_BOT_TOKEN");
env::remove_var("BOOK_TELEGRAM_CHAT_ID"); env::remove_var("BOOK_TELEGRAM_CHAT_ID");
env::remove_var("BOOK_ALLOW_HTML_INJECTION"); env::remove_var("BOOK_ENABLE_HTML_INJECTION");
} }
} }

24
src/render.rs
View file

@ -20,7 +20,7 @@ pub fn render_page(template: &str, config: &Config, entries: &[Entry], form_html
} }
pub fn render_form(config: &Config) -> String { pub fn render_form(config: &Config) -> String {
let website_section = if config.enable_website_field { let website_section = if config.enable_website_links {
format!( format!(
"\n<label class=\"guestbook-label\">{}</label>\n<input class=\"guestbook-input\" name=\"website\">\n", "\n<label class=\"guestbook-label\">{}</label>\n<input class=\"guestbook-input\" name=\"website\">\n",
config.label_website config.label_website
@ -67,7 +67,7 @@ fn render_entries(entries: &[Entry], config: &Config) -> String {
} }
fn render_entry(entry: &Entry, config: &Config) -> String { fn render_entry(entry: &Entry, config: &Config) -> String {
let name = if config.allow_html_injection { let name = if config.enable_html_injection {
entry.meta.name.clone() entry.meta.name.clone()
} else { } else {
escape_html(&entry.meta.name) escape_html(&entry.meta.name)
@ -76,7 +76,7 @@ fn render_entry(entry: &Entry, config: &Config) -> String {
"<span class=\"entry-header\">{} - <span class=\"entry-name\">{}</span>", "<span class=\"entry-header\">{} - <span class=\"entry-name\">{}</span>",
entry.meta.date, name entry.meta.date, name
); );
if config.enable_website_field && !entry.meta.website.is_empty() { if config.enable_website_links && !entry.meta.website.is_empty() {
let website = escape_html(&entry.meta.website); let website = escape_html(&entry.meta.website);
header.push_str(&format!( header.push_str(&format!(
" (<a class=\"entry-website\" href=\"{}\">{}</a>)", " (<a class=\"entry-website\" href=\"{}\">{}</a>)",
@ -84,7 +84,7 @@ fn render_entry(entry: &Entry, config: &Config) -> String {
)); ));
} }
header.push_str("</span>"); header.push_str("</span>");
let body = if config.allow_html_injection { let body = if config.enable_html_injection {
entry.body.clone() entry.body.clone()
} else { } else {
escape_html(&entry.body) escape_html(&entry.body)
@ -109,13 +109,13 @@ mod tests {
telegram_bot_token: "fake".into(), telegram_bot_token: "fake".into(),
telegram_chat_id: 0, telegram_chat_id: 0,
honeypot: true, enable_honeypot: true,
max_name_length: 50, max_name_length: 50,
max_message_length: 1000, max_message_length: 1000,
max_website_length: 100, max_website_length: 100,
open_registration: true, enable_submissions: true,
enable_website_field: true, enable_website_links: true,
allow_html_injection: true, enable_html_injection: true,
template: None, template: None,
separator: "---".into(), separator: "---".into(),
style: String::new(), style: String::new(),
@ -234,7 +234,7 @@ mod tests {
#[test] #[test]
fn test_render_form_hides_website_when_disabled() { fn test_render_form_hides_website_when_disabled() {
let mut config = test_config(); let mut config = test_config();
config.enable_website_field = false; config.enable_website_links = false;
let form = render_form(&config); let form = render_form(&config);
assert!(!form.contains("name=\"website\"")); assert!(!form.contains("name=\"website\""));
assert!(!form.contains(&config.label_website)); assert!(!form.contains(&config.label_website));
@ -262,7 +262,7 @@ mod tests {
#[test] #[test]
fn test_render_entry_hides_website_when_disabled() { fn test_render_entry_hides_website_when_disabled() {
let mut config = test_config(); let mut config = test_config();
config.enable_website_field = false; config.enable_website_links = false;
let mut entry = make_entry("bob", "2026-04-09", "Hi!"); let mut entry = make_entry("bob", "2026-04-09", "Hi!");
entry.meta.website = "https://bob.com".into(); entry.meta.website = "https://bob.com".into();
let form = render_form(&config); let form = render_form(&config);
@ -274,7 +274,7 @@ mod tests {
#[test] #[test]
fn test_render_entry_escapes_html_when_injection_disabled() { fn test_render_entry_escapes_html_when_injection_disabled() {
let mut config = test_config(); let mut config = test_config();
config.allow_html_injection = false; config.enable_html_injection = false;
let entry = make_entry("<b>hacker</b>", "2026-04-09", "<script>alert('xss')</script>"); let entry = make_entry("<b>hacker</b>", "2026-04-09", "<script>alert('xss')</script>");
let form = render_form(&config); let form = render_form(&config);
let html = render_page(DEFAULT_TEMPLATE, &config, &[entry], &form); let html = render_page(DEFAULT_TEMPLATE, &config, &[entry], &form);
@ -286,7 +286,7 @@ mod tests {
#[test] #[test]
fn test_render_entry_preserves_html_when_injection_enabled() { fn test_render_entry_preserves_html_when_injection_enabled() {
let mut config = test_config(); let mut config = test_config();
config.allow_html_injection = true; config.enable_html_injection = true;
let entry = make_entry("carol", "2026-04-09", "<b>Bold</b>"); let entry = make_entry("carol", "2026-04-09", "<b>Bold</b>");
let form = render_form(&config); let form = render_form(&config);
let html = render_page(DEFAULT_TEMPLATE, &config, &[entry], &form); let html = render_page(DEFAULT_TEMPLATE, &config, &[entry], &form);

28
src/web.rs
View file

@ -37,7 +37,7 @@ pub fn router(state: Arc<AppState>) -> Router {
async fn index(State(state): State<Arc<AppState>>) -> Html<String> { async fn index(State(state): State<Arc<AppState>>) -> Html<String> {
let entries_dir = state.config.data_dir.join("entries"); let entries_dir = state.config.data_dir.join("entries");
let entries = entries::read_approved(&entries_dir); let entries = entries::read_approved(&entries_dir);
let form = if state.config.open_registration { let form = if state.config.enable_submissions {
render::render_form(&state.config) render::render_form(&state.config)
} else { } else {
String::new() String::new()
@ -56,19 +56,19 @@ async fn submit(
State(state): State<Arc<AppState>>, State(state): State<Arc<AppState>>,
Form(form): Form<SubmitForm>, Form(form): Form<SubmitForm>,
) -> Html<String> { ) -> Html<String> {
if !state.config.open_registration { if !state.config.enable_submissions {
return Html("Submissions are closed.".to_string()); return Html("Submissions are closed.".to_string());
} }
// Honeypot check — silently discard // Honeypot check — silently discard
if state.config.honeypot && !form.url.is_empty() { if state.config.enable_honeypot && !form.url.is_empty() {
return Html("Thanks! Your message is pending approval.".to_string()); return Html("Thanks! Your message is pending approval.".to_string());
} }
// Validation // Validation
let name = form.name.trim().to_string(); let name = form.name.trim().to_string();
let message = form.message.trim().to_string(); let message = form.message.trim().to_string();
let website = if state.config.enable_website_field { let website = if state.config.enable_website_links {
form.website.trim().to_string() form.website.trim().to_string()
} else { } else {
String::new() String::new()
@ -136,13 +136,13 @@ mod tests {
telegram_bot_token: "fake".into(), telegram_bot_token: "fake".into(),
telegram_chat_id: 0, telegram_chat_id: 0,
honeypot: true, enable_honeypot: true,
max_name_length: 50, max_name_length: 50,
max_message_length: 1000, max_message_length: 1000,
max_website_length: 100, max_website_length: 100,
open_registration: true, enable_submissions: true,
enable_website_field: true, enable_website_links: true,
allow_html_injection: true, enable_html_injection: true,
template: None, template: None,
separator: "---".into(), separator: "---".into(),
style: String::new(), style: String::new(),
@ -186,7 +186,7 @@ mod tests {
} }
#[tokio::test] #[tokio::test]
async fn test_open_registration_shows_form() { async fn test_enable_submissions_shows_form() {
let dir = tempfile::tempdir().unwrap(); let dir = tempfile::tempdir().unwrap();
let config = test_config(dir.path()); let config = test_config(dir.path());
let (app, _rx) = test_app(config); let (app, _rx) = test_app(config);
@ -198,7 +198,7 @@ mod tests {
async fn test_closed_registration_hides_form() { async fn test_closed_registration_hides_form() {
let dir = tempfile::tempdir().unwrap(); let dir = tempfile::tempdir().unwrap();
let mut config = test_config(dir.path()); let mut config = test_config(dir.path());
config.open_registration = false; config.enable_submissions = false;
let (app, _rx) = test_app(config); let (app, _rx) = test_app(config);
let html = get_index(&app).await; let html = get_index(&app).await;
assert!(!html.contains("action=\"/submit\"")); assert!(!html.contains("action=\"/submit\""));
@ -208,7 +208,7 @@ mod tests {
async fn test_closed_registration_rejects_submit() { async fn test_closed_registration_rejects_submit() {
let dir = tempfile::tempdir().unwrap(); let dir = tempfile::tempdir().unwrap();
let mut config = test_config(dir.path()); let mut config = test_config(dir.path());
config.open_registration = false; config.enable_submissions = false;
let (app, _rx) = test_app(config); let (app, _rx) = test_app(config);
let (status, body) = post_form(&app, "name=test&message=hello").await; let (status, body) = post_form(&app, "name=test&message=hello").await;
assert_eq!(status, StatusCode::OK); assert_eq!(status, StatusCode::OK);
@ -234,7 +234,7 @@ mod tests {
async fn test_honeypot_disabled_allows_url_field() { async fn test_honeypot_disabled_allows_url_field() {
let dir = tempfile::tempdir().unwrap(); let dir = tempfile::tempdir().unwrap();
let mut config = test_config(dir.path()); let mut config = test_config(dir.path());
config.honeypot = false; config.enable_honeypot = false;
let (app, _rx) = test_app(config); let (app, _rx) = test_app(config);
let (_, body) = post_form(&app, "name=user&message=hello&url=http://mysite.com").await; let (_, body) = post_form(&app, "name=user&message=hello&url=http://mysite.com").await;
assert!(body.contains("pending approval")); assert!(body.contains("pending approval"));
@ -313,7 +313,7 @@ mod tests {
async fn test_website_field_disabled_ignores_website() { async fn test_website_field_disabled_ignores_website() {
let dir = tempfile::tempdir().unwrap(); let dir = tempfile::tempdir().unwrap();
let mut config = test_config(dir.path()); let mut config = test_config(dir.path());
config.enable_website_field = false; config.enable_website_links = false;
let (app, _rx) = test_app(config); let (app, _rx) = test_app(config);
let (_, body) = post_form(&app, "name=alice&message=hello&website=http://evil.com").await; let (_, body) = post_form(&app, "name=alice&message=hello&website=http://evil.com").await;
assert!(body.contains("pending approval")); assert!(body.contains("pending approval"));
@ -328,7 +328,7 @@ mod tests {
async fn test_website_field_disabled_hides_form_field() { async fn test_website_field_disabled_hides_form_field() {
let dir = tempfile::tempdir().unwrap(); let dir = tempfile::tempdir().unwrap();
let mut config = test_config(dir.path()); let mut config = test_config(dir.path());
config.enable_website_field = false; config.enable_website_links = false;
let (app, _rx) = test_app(config); let (app, _rx) = test_app(config);
let html = get_index(&app).await; let html = get_index(&app).await;
assert!(!html.contains("name=\"website\"")); assert!(!html.contains("name=\"website\""));