Merge pull request #7712 from roc-lang/html-security-fix

Html security fix, fix simple-http-server nix

Author: Anton-4

devtools/smart_diff_utrace.html

@@ -161,62 +161,89 @@ <h1>Text Comparison Tool</h1>
         function processTrace(trace, otherTrace, resultId) {
             const lines = trace.trim().split('\n');
             const otherLines = otherTrace.trim().split('\n');
-            let contentHtml = '';
-            let lineNumbersHtml = '';
-            let indentLevel = 0;
-            let blockStartLine = -1;
+            const container = document.createElement('div');
+            const lineNumbersDiv = document.createElement('div');
+            const contentAreaDiv = document.createElement('div');
 
+            lineNumbersDiv.className = 'line-numbers';
+            contentAreaDiv.className = 'content-area';
+            container.appendChild(lineNumbersDiv);
+            container.appendChild(contentAreaDiv);
+
             // Generate line numbers
             for (let i = 1; i <= lines.length; i++) {
-                lineNumbersHtml += `${i}\n`;
+                const lineNum = document.createElement('div');
+                lineNum.textContent = i;
+                lineNumbersDiv.appendChild(lineNum);
             }
-            
+
+            let indentLevel = 0;
+            let currentBlock = contentAreaDiv;
+
             for (let i = 0; i < lines.length; i++) {
                 const line = lines[i].trim();
                 const shouldHighlight = !otherLines.some(otherLine => otherLine.trim() === line);
                 const highlightClass = shouldHighlight ? 'highlight' : '';
-
                 const isBlockStart = line.endsWith('{') && i < lines.length - 1;
-                
+
                 if (isBlockStart) {
-                    blockStartLine = i;
-                    const functionName = line;
-                    contentHtml += `<div class="function-block" style="margin-left: ${indentLevel * 20}px">
-                        <div class="function-header ${highlightClass}">
-                            <span class="toggle-btn">▼</span>
-                            <span class="function-name">${functionName}</span>
-                        </div>
-                        <div class="function-content">`;
+                    const functionBlock = document.createElement('div');
+                    const header = document.createElement('div');
+                    const toggleBtn = document.createElement('span');
+                    const functionName = document.createElement('span');
+                    const content = document.createElement('div');
+
+                    functionBlock.className = 'function-block';
+                    functionBlock.style.marginLeft = `${indentLevel * 20}px`;
+                    header.className = `function-header ${highlightClass}`;
+                    toggleBtn.className = 'toggle-btn';
+                    toggleBtn.textContent = '▼';
+                    functionName.className = 'function-name';
+                    functionName.textContent = line;
+                    content.className = 'function-content';
+
+                    header.appendChild(toggleBtn);
+                    header.appendChild(functionName);
+                    functionBlock.appendChild(header);
+                    functionBlock.appendChild(content);
+                    currentBlock.appendChild(functionBlock);
+
                     indentLevel++;
+                    currentBlock = content;
                 } else if (line.includes('}')) {
                     if (indentLevel > 0) {
                         indentLevel--;
-                        contentHtml += `</div><span class="function-end ${highlightClass}">${line}</span></div>`;
+                        const endSpan = document.createElement('span');
+                        endSpan.className = `function-end ${highlightClass}`;
+                        endSpan.textContent = line;
+                        currentBlock.appendChild(endSpan);
+                        currentBlock = currentBlock.parentElement.parentElement; // Move up to parent block
                     } else {
-                        contentHtml += `<div class="line ${highlightClass}">${line}</div>`;
+                        const lineDiv = document.createElement('div');
+                        lineDiv.className = `line ${highlightClass}`;
+                        lineDiv.textContent = line;
+                        currentBlock.appendChild(lineDiv);
                     }
                 } else {
-                    const isLastLineBlock = line.endsWith('{') && i === lines.length - 1;
-                    if (isLastLineBlock) {
-                        contentHtml += `<div class="line ${highlightClass}">${line}</div>`;
-                    } else {
-                        contentHtml += `<div class="line ${highlightClass}">${line}</div>`;
-                    }
+                    const lineDiv = document.createElement('div');
+                    lineDiv.className = `line ${highlightClass}`;
+                    lineDiv.textContent = line;
+                    currentBlock.appendChild(lineDiv);
                 }
             }
-            
-            return `<div class="line-numbers">${lineNumbersHtml}</div><div class="content-area">${contentHtml}</div>`;
+
+            return container;
         }
 
         function initializeCollapsible(containerId) {
             const container = document.getElementById(containerId);
             const functionBlocks = container.querySelectorAll('.function-block');
-            
+
             functionBlocks.forEach(block => {
                 const header = block.querySelector('.function-header');
                 const toggleBtn = block.querySelector('.toggle-btn');
-                
-                header.addEventListener('click', (e) => {
+
+                header.addEventListener('click', () => {
                     block.classList.toggle('collapsed');
                     toggleBtn.textContent = block.classList.contains('collapsed') ? '▶' : '▼';
                 });
@@ -227,8 +254,13 @@ <h1>Text Comparison Tool</h1>
             const trace1 = document.getElementById('input1').value;
             const trace2 = document.getElementById('input2').value;
 
-            document.getElementById('result1').innerHTML = processTrace(trace1, trace2, 'result1');
-            document.getElementById('result2').innerHTML = processTrace(trace2, trace1, 'result2');
+            const result1 = document.getElementById('result1');
+            const result2 = document.getElementById('result2');
+            result1.innerHTML = ''; // Clear previous content
+            result2.innerHTML = ''; // Clear previous content
+
+            result1.appendChild(processTrace(trace1, trace2, 'result1'));
+            result2.appendChild(processTrace(trace2, trace1, 'result2'));
 
             initializeCollapsible('result1');
             initializeCollapsible('result2');

flake.nix

@@ -97,6 +97,7 @@
 
           zls # zig language server
           watchexec
+          simple-http-server # to view the website locally
         ]);
 
         aliases = ''

nix/simple-http-server.nix

@@ -1,16 +1,33 @@
-{ rustPlatform, fetchFromGitHub }:
+{
+  lib,
+  stdenv,
+  rustPlatform,
+  fetchFromGitHub,
+  pkg-config,
+  openssl,
+  darwin,
+}:
 
-rustPlatform.buildRustPackage {
+rustPlatform.buildRustPackage rec {
   pname = "simple-http-server";
   version = "0.1.0";  # adjust version as needed
 
   src = fetchFromGitHub {
     owner = "Anton-4";
     repo = "simple-http-server";
     rev = "f3089e5736a1e8abdb69ba9e7618fe5e518a2df0";
+    sha256 = "sha256-Vcckv75hmJV7F9mqPtM3piSIZg9MvKI/oU7/tv4viy4=";
   };
 
   cargoLock = {
     lockFile = "${src}/Cargo.lock";
   };
+
+  nativeBuildInputs = [ pkg-config ];
+
+  buildInputs =
+    [ openssl ]
+    ++ lib.optionals stdenv.hostPlatform.isDarwin [
+      darwin.apple_sdk.frameworks.Security
+    ];
 }

www/README.md

@@ -20,6 +20,8 @@ bash ./www/build-dev-local.sh
 
 Open http://0.0.0.0:8080 in your browser.
 
+If you want to build the repl as well, check out crates/repl_wasm/README.md.
+
 ## After you've made a change locally
 
 In the terminal where the web server is running:

www/public/site.js

@@ -351,18 +351,31 @@ function createHistoryEntry(inputText) {
   const historyIndex = repl.inputHistory.length;
   repl.inputHistory.push(inputText);
 
-  const firstLinePrefix = '<span class="input-line-prefix">» </span>';
-  const otherLinePrefix = '<br><span class="input-line-prefix">… </span>';
-  const inputLines = inputText.split("\n");
-  if (inputLines[inputLines.length - 1] === "") {
-    inputLines.pop();
-  }
-  const inputWithPrefixes = firstLinePrefix + inputLines.join(otherLinePrefix);
-
   const inputElem = document.createElement("div");
-  inputElem.innerHTML = inputWithPrefixes;
   inputElem.classList.add("input");
 
+  const inputLines = inputText.split("\n").filter(line => line !== ""); // Remove empty last line if present
+  
+  inputLines.forEach((line, index) => {
+      if (index > 0) {
+          // Add line break for subsequent lines
+          inputElem.appendChild(document.createElement("br"));
+          const prefixSpan = document.createElement("span");
+          prefixSpan.className = "input-line-prefix";
+          prefixSpan.textContent = "… ";
+          inputElem.appendChild(prefixSpan);
+      } else {
+          // First line prefix
+          const prefixSpan = document.createElement("span");
+          prefixSpan.className = "input-line-prefix";
+          prefixSpan.textContent = "» ";
+          inputElem.appendChild(prefixSpan);
+      }
+      
+      // Add the line text as plain text
+      inputElem.appendChild(document.createTextNode(line));
+  });
+
   const historyItem = document.createElement("div");
   historyItem.appendChild(inputElem);
   historyItem.classList.add("history-item");