Fix renderer XSS/routing bugs and restore CLI fetch-deps

Renderer (app/index.html): - Guard the router so navigateTo and the hashchange/popstate handlers only load relative .md paths (isSafePagePath). Blocks fetching attacker- controlled external URLs injected via the location hash. - Stop treating in-page heading anchors (#heading) as page files, which previously replaced the page with a 404. - HTML-escape meta.title, link href/title attributes, not-found/offline messages, and the icon fallback img; block javascript:/data: hrefs via safeUrl. - Hydrate mdcms tags nested inside tabs/accordions/callouts. - Configure marked once instead of on every render. - Validate stored theme value; fix text-align center; resolve per-category offline message after categories initialise. CLI (mdcms.py): - Restore CDN_DEPS, _WOFF2_URL_RE, _fetch_bunny_fonts, _patch_index_html so fetch-deps no longer raises NameError. - Compare site markers against SITE_FORMAT_VERSION with zero-padded version comparison, removing the spurious "update available" warning on v0.6 sites. - Bump CLI to 0.6.1. https://claude.ai/code/session_018KXUwmSNMGF2UBywTChCcS
2026-06-18 15:24:32 +00:00 · 2026-06-12 07:07:15 +00:00 · 2026-06-12 07:07:15 +00:00 · df0f179004
commit df0f179004
parent a25829984d
4 changed files with 280 additions and 46 deletions
--- a/app/index.html
+++ b/app/index.html
@ -901,7 +901,7 @@ body {
  background: var(--bg);
  color: var(--font-colour);
  font-size: 0.85rem;
-  text-align: centre;
+  text-align: center;
 }

 .post-load-more {
@ -1143,7 +1143,15 @@ body {
    const span = document.createElement('span');
    span.className = 'mdcms-icon' + (className ? ' ' + className : '');
    const filename = normaliseIconName(name);
-    span.innerHTML = svg || '<img src="assets/icons/' + filename + '" alt="[missing: ' + filename + ']" style="width:1em;height:1em;display:inline-block;">';
+    if (svg) {
+      span.innerHTML = svg;
+    } else {
+      const img = document.createElement('img');
+      img.src = 'assets/icons/' + encodeURIComponent(filename);
+      img.alt = '[missing: ' + filename + ']';
+      img.style.cssText = 'width:1em;height:1em;display:inline-block;';
+      span.appendChild(img);
+    }
    return span;
  }

@ -1169,6 +1177,31 @@ body {
    return text.toLowerCase().replace(/[^\w\s-]/g, '').replace(/\s+/g, '-').replace(/-+/g, '-').trim();
  }

+  function escapeHtml(s) {
+    return String(s == null ? '' : s).replace(/[&<>"']/g, function(c) {
+      return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
+    });
+  }
+
+  // Reject hrefs with dangerous schemes (javascript:, data:, vbscript:).
+  function safeUrl(url) {
+    var u = String(url == null ? '' : url).trim();
+    if (/^[a-z][a-z0-9+.\-]*:/i.test(u)) {
+      if (/^(https?|mailto|tel|ftp):/i.test(u)) return u;
+      return '#';
+    }
+    return u; // relative URL or fragment
+  }
+
+  // A routable page file is a relative .md path with no scheme or traversal.
+  // Heading-anchor hashes (no .md) and external URLs both fail this check.
+  function isSafePagePath(file) {
+    return typeof file === 'string'
+      && /^[\w./-]+\.md$/.test(file)
+      && !file.includes('..')
+      && file[0] !== '/';
+  }
+
  function parseFrontmatter(md) {
    const match = md.match(/^---\s*\n([\s\S]*?)\n---\s*\n/);
    if (!match) return { meta: {}, body: md };
@ -1397,7 +1430,7 @@ body {

  function getInitialTheme() {
    const saved = localStorage.getItem('md-cms-theme');
-    if (saved) return saved;
+    if (saved === 'light' || saved === 'dark') return saved;
    const def = config['default-theme'] || 'system';
    if (def === 'system') {
      return window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'light';
@ -1583,7 +1616,9 @@ body {
  }

  // ─── Markdown ─────────────────────────────────────────────
-  function renderMarkdown(mdBody) {
+  let _markedConfigured = false;
+  function configureMarked() {
+    if (_markedConfigured) return;
    marked.setOptions({ gfm: true, breaks: false, headerIds: true, mangle: false });
    const renderer = new marked.Renderer();

@ -1603,13 +1638,14 @@ body {
      }
      const isExternal = linkHref && (linkHref.startsWith('http://') || linkHref.startsWith('https://'));
      const isMd = linkHref && linkHref.endsWith('.md');
+      const titleAttr = linkTitle ? ` title="${escapeHtml(linkTitle)}"` : '';
      if (isExternal) {
-        return `<a href="${linkHref}" target="_blank" rel="noopener noreferrer"${linkTitle ? ` title="${linkTitle}"` : ''}>${linkText}</a>`;
+        return `<a href="${escapeHtml(safeUrl(linkHref))}" target="_blank" rel="noopener noreferrer"${titleAttr}>${linkText}</a>`;
      }
      if (isMd) {
-        return `<a href="#${linkHref}" data-internal="true"${linkTitle ? ` title="${linkTitle}"` : ''}>${linkText}</a>`;
+        return `<a href="#${escapeHtml(linkHref)}" data-internal="true"${titleAttr}>${linkText}</a>`;
      }
-      return `<a href="${linkHref}"${linkTitle ? ` title="${linkTitle}"` : ''}>${linkText}</a>`;
+      return `<a href="${escapeHtml(safeUrl(linkHref))}"${titleAttr}>${linkText}</a>`;
    };

    renderer.code = function(code, lang, escaped) {
@ -1637,6 +1673,11 @@ body {
    };

    marked.use({ renderer });
+    _markedConfigured = true;
+  }
+
+  function renderMarkdown(mdBody) {
+    configureMarked();
    return marked.parse(mdBody);
  }

@ -2400,7 +2441,18 @@ function fmtDatetime(dtStr) {
  }

  function hydrateMdcmsTags() {
-    document.querySelectorAll('.mdcms-tag').forEach(function(tagEl) {
+    // Rendering a tag (tab/accordion/callout) can emit further .mdcms-tag
+    // elements in its body, so keep sweeping until none are left. A processed
+    // marker and an iteration cap guard against runaway loops.
+    var MAX_PASSES = 10;
+    for (var pass = 0; pass < MAX_PASSES; pass++) {
+      var pending = Array.prototype.filter.call(
+        document.querySelectorAll('.mdcms-tag'),
+        function(t) { return !t.hasAttribute('data-mdcms-hydrated'); }
+      );
+      if (!pending.length) break;
+      pending.forEach(function(tagEl) {
+        tagEl.setAttribute('data-mdcms-hydrated', '');
        try {
          var cfg = JSON.parse(tagEl.getAttribute('data-config'));
          if (/^callout-(info|warning|success|error)$/.test(cfg.tagName)) {
@ -2419,6 +2471,7 @@ function fmtDatetime(dtStr) {
        }
      });
    }
+  }

  // ─── Shell ────────────────────────────────────────────────
  function buildSidebar() {
@ -3068,8 +3121,17 @@ function fmtDatetime(dtStr) {

  // ─── Page loading ─────────────────────────────────────────
  async function navigateTo(file) {
-    currentPage = file;
    const contentEl = document.getElementById('pageContent');
+
+    // Guard the router: only fetch relative .md paths. This blocks loading
+    // attacker-controlled external URLs (e.g. #https://evil/x.md) or traversal
+    // paths injected via the location hash.
+    if (!isSafePagePath(file)) {
+      contentEl.innerHTML = `<div class="error-message"><h2>Page not available</h2><p>${escapeHtml(pageNotFoundMessage())}</p></div>`;
+      return;
+    }
+
+    currentPage = file;
    highlightNav(file);

    // If the active category is "hidden" (no notfoundmessage, not visibilityifnocontent:visible)
@ -3115,8 +3177,8 @@ function fmtDatetime(dtStr) {
    if (!result.ok) {
      const offlineMsg = !navigator.onLine && localStorage.getItem('mdcms-offline');
      const bodyMsg = offlineMsg
-        ? `<p>${offlineMsg}</p>`
-        : `<p>${pageNotFoundMessage()}</p>`;
+        ? `<p>${escapeHtml(offlineMsg)}</p>`
+        : `<p>${escapeHtml(pageNotFoundMessage())}</p>`;
      contentEl.innerHTML = `<div class="error-message"><h2>Page not available</h2>${bodyMsg}</div>`;
      document.title = (config.sitename || 'MD-CMS');
      refreshCategoryBar();
@ -3127,9 +3189,9 @@ function fmtDatetime(dtStr) {
    const { meta, body } = parseFrontmatter(result.text);

    let html = `<div class="title-bar">
-      <span>${config.sitename || 'MD-CMS'}</span>
+      <span>${escapeHtml(config.sitename || 'MD-CMS')}</span>
      <span class="title-bar-sep">›</span>
-      <span>${meta.title || file}</span>
+      <span>${escapeHtml(meta.title || file)}</span>
    </div>`;
    html += '<div class="md-content">' + renderMarkdown(body) + '</div>';
    contentEl.innerHTML = html;
@ -3179,14 +3241,16 @@ function fmtDatetime(dtStr) {

  window.addEventListener('hashchange', () => {
    const page = getPageFromHash();
-    if (page && page !== currentPage) navigateTo(page);
+    // Ignore in-page heading anchors (e.g. #installation) — only route real .md
+    // pages. Without this, clicking a heading link wipes the page with a 404.
+    if (page && page !== currentPage && isSafePagePath(page)) navigateTo(page);
  });

  window.addEventListener('popstate', () => {
    const slug = window.location.pathname.replace(basePath, '').replace(/^\//, '').replace(/\/$/, '');
    const pathPage = slug ? resolveSlugToFile(slug) : null;
    const page = pathPage || getPageFromHash();
-    if (page && page !== currentPage) navigateTo(page);
+    if (page && page !== currentPage && isSafePagePath(page)) navigateTo(page);
  });

  // ─── Scroll to top ───────────────────────────────────────
@ -3219,6 +3283,11 @@ function fmtDatetime(dtStr) {
        } catch (e) { /* fall back to hardcoded CSS defaults */ }
      }

+      loadFonts(themeConfig);
+      initCategories();
+
+      // Resolve the offline message after initCategories(), which sets
+      // defaultCategoryCode — otherwise a per-category default is missed.
      const offlineMsgCfg = config['offline-message'];
      if (offlineMsgCfg) {
        const offlineText = typeof offlineMsgCfg === 'string'
@ -3227,9 +3296,6 @@ function fmtDatetime(dtStr) {
        if (offlineText) localStorage.setItem('mdcms-offline', offlineText);
      }

-      loadFonts(themeConfig);
-      initCategories();
-
      const iconsToPreload = [...STANDARD_ICONS];
      if (config['categories-selecticon']) iconsToPreload.push(config['categories-selecticon']);
      await Promise.all(iconsToPreload.map(name => loadIcon(name)));
--- a/docs/unreleased.md
+++ b/docs/unreleased.md
@ -4,6 +4,43 @@ Changes merged into `development` that have not yet been released to `main`.

 ---

+## Security & bug fixes (v0.6.1)
+
+### Renderer (`app/index.html`)
+
+- **Router now rejects unsafe page paths.** `navigateTo` and the
+  `hashchange`/`popstate` handlers only load relative `.md` paths via a new
+  `isSafePagePath` check. Previously a crafted link such as
+  `#https://evil.example/x.md` made the renderer fetch and render an
+  attacker-controlled document on the site's own origin (stored/reflected XSS).
+- **In-page heading anchors no longer 404.** A markdown link to `#some-heading`
+  used to be treated as a page file and blew the page away with a
+  "Page not available" error; such hashes are now ignored by the router so the
+  browser scrolls to the heading.
+- **Escaped untrusted interpolation.** `meta.title` (title bar), link `href`
+  and `title` attributes, the page-not-found / offline messages, and the icon
+  fallback `<img>` are now HTML-escaped. Link hrefs with `javascript:`,
+  `data:`, and other non-allowlisted schemes are neutralised via `safeUrl`.
+- **Nested `mdcms` tags now hydrate.** Tags emitted inside a tab, accordion, or
+  callout body (e.g. a post list inside a tab) are processed by re-sweeping
+  until none remain, instead of rendering as empty divs.
+- **`marked` is configured once** instead of re-registering the renderer on
+  every page render.
+- Stored `md-cms-theme` value is validated against `light`/`dark` before use;
+  fixed invalid `text-align: centre` → `center` on the pagination jump input;
+  per-category `offline-message` is now resolved after categories initialise.
+
+### CLI (`mdcms.py`)
+
+- **`mdcms fetch-deps` no longer crashes.** `CDN_DEPS`, `_WOFF2_URL_RE`,
+  `_fetch_bunny_fonts`, and `_patch_index_html` were lost in an earlier merge,
+  raising `NameError` on every invocation; they have been restored.
+- **No more spurious "update available" warning.** Site markers are compared
+  against a dedicated `SITE_FORMAT_VERSION` (with zero-padded version
+  comparison) rather than `CLI_VERSION`, so a `v0.6` site no longer reports as
+  outdated against CLI `v0.6.x`, and CLI patch releases that share the site
+  format stay quiet.
+
 ## Tabs & Accordions (`app/index.html`)

 Four new `mdcms` fenced-block types for rich content layout. All four variants read from the active theme automatically — no new config keys, no per-theme overrides needed.
--- a/mdcms.py
+++ b/mdcms.py
@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# mdcms v0.6.0 — CLI companion
+# mdcms v0.6.1 — CLI companion
 #
 # Copyright 2026 Kristian Benestad
 #
@ -16,7 +16,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-"""MD-CMS v0.6.0 — CLI tool for managing and building MD-CMS sites."""
+"""MD-CMS v0.6.1 — CLI tool for managing and building MD-CMS sites."""

 import json
 import os
@ -32,8 +32,12 @@ import certifi
 import click
 import yaml

-CLI_VERSION = "0.6.0"
-CLI_RELEASE_DATE = "7 June 2026"
+CLI_VERSION = "0.6.1"
+CLI_RELEASE_DATE = "12 June 2026"
+# Site file-format version this CLI emits/expects. Distinct from CLI_VERSION:
+# many CLI releases share the same site format. Site markers are validated
+# against this, not against the CLI version.
+SITE_FORMAT_VERSION = "0.6"
 MIN_SUPPORTED_VERSION = "0.3"

 MARKER_RE = re.compile(r"mdcms v(\d+\.\d+)", re.IGNORECASE)
@ -55,6 +59,19 @@ def _parse_ver(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


+def _cmp_ver(a: str, b: str) -> int:
+    """Compare two dotted version strings, padding missing components with zeros.
+
+    Returns -1, 0, or 1. Padding means the site marker "0.6" and the CLI
+    version "0.6.0" compare equal rather than "0.6" being treated as older.
+    """
+    ta, tb = _parse_ver(a), _parse_ver(b)
+    width = max(len(ta), len(tb))
+    ta += (0,) * (width - len(ta))
+    tb += (0,) * (width - len(tb))
+    return (ta > tb) - (ta < tb)
+
+
 def read_site_version(site_path: Path) -> "str | None":
    config = site_path / "config.yml"
    if not config.exists():
@ -69,14 +86,11 @@ def read_site_version(site_path: Path) -> "str | None":

 def version_status(site_version: str) -> "tuple[str, str]":
    """Returns (status_code, display_message). status_code: 'ok', 'outdated', 'unsupported', 'newer'."""
-    sv = _parse_ver(site_version)
-    min_sv = _parse_ver(MIN_SUPPORTED_VERSION)
-    cur = _parse_ver(CLI_VERSION)
-    if sv < min_sv:
+    if _cmp_ver(site_version, MIN_SUPPORTED_VERSION) < 0:
        return "unsupported", f"v{site_version} — below minimum supported v{MIN_SUPPORTED_VERSION}"
-    if sv < cur:
+    if _cmp_ver(site_version, SITE_FORMAT_VERSION) < 0:
        return "outdated", f"v{site_version} — update available (CLI is v{CLI_VERSION})"
-    if sv > cur:
+    if _cmp_ver(site_version, SITE_FORMAT_VERSION) > 0:
        return "newer", f"v{site_version} — site newer than CLI (consider upgrading mdcms)"
    return "ok", f"v{site_version}"

@ -703,7 +717,7 @@ def generate_site_manifest(site_path: Path):
                empty_dirs.append(str(rel).replace("\\", "/"))

    manifest: dict = {
-        "mdcms": read_site_version(site_path) or "0.4",
+        "mdcms": read_site_version(site_path) or SITE_FORMAT_VERSION,
        "files": files,
    }
    if empty_dirs:
@ -1033,6 +1047,123 @@ def build(name, path_override):
    click.echo(click.style("Build complete.", fg="green"))


+# ─── Dependency fetching (offline mode) ───────────────────────
+
+CDN_DEPS = [
+    (
+        "https://cdn.jsdelivr.net/npm/js-yaml@4.1.0/dist/js-yaml.min.js",
+        "assets/required/vendors/js-yaml.min.js",
+    ),
+    (
+        "https://cdn.jsdelivr.net/npm/marked@12.0.0/marked.min.js",
+        "assets/required/vendors/marked.min.js",
+    ),
+    (
+        "https://cdn.jsdelivr.net/npm/fuse.js@7.0.0/dist/fuse.min.js",
+        "assets/required/vendors/fuse.min.js",
+    ),
+    (
+        "https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.9.0/build/highlight.min.js",
+        "assets/required/vendors/highlight.min.js",
+    ),
+    (
+        "https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.9.0/build/styles/github.min.css",
+        "assets/required/vendors/github.min.css",
+    ),
+    (
+        "https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.9.0/build/styles/github-dark.min.css",
+        "assets/required/vendors/github-dark.min.css",
+    ),
+]
+
+_WOFF2_URL_RE = re.compile(
+    r"""url\(\s*['"]?(https://fonts\.bunny\.net/[^'"\s)]+\.woff2)['"]?\s*\)""",
+    re.IGNORECASE,
+)
+
+
+def _fetch_bunny_fonts(site_path: Path, theme_file: str) -> list:
+    """Download Bunny Fonts from theme.yml to assets/fonts/. Returns list of local CSS paths."""
+    theme_path = site_path / theme_file
+    if not theme_path.exists():
+        return []
+    try:
+        theme_data = yaml.safe_load(theme_path.read_text(encoding="utf-8")) or {}
+    except (OSError, yaml.YAMLError):
+        return []
+
+    fonts_dir = site_path / "assets" / "fonts"
+    fonts_dir.mkdir(parents=True, exist_ok=True)
+
+    seen: set = set()
+    local_css_paths: list = []
+
+    for key in ("font-body", "font-heading", "font-code"):
+        spec = theme_data.get(key)
+        if not spec:
+            continue
+        parts = str(spec).split(":")
+        if len(parts) < 3 or parts[0].strip().lower() != "bunny":
+            continue
+        name = parts[1].strip()
+        weight = parts[-1].strip()
+        font_id = f"{name}:{weight}"
+        if font_id in seen:
+            continue
+        seen.add(font_id)
+
+        bunny_url = f"https://fonts.bunny.net/css?family={name.replace(' ', '+')}:{weight}"
+        click.echo(f"  Fetching font: {name} {weight}")
+        try:
+            css_text = _http_get(bunny_url).decode("utf-8")
+        except Exception as e:
+            click.echo(click.style(f"  Warning: could not fetch {bunny_url}: {e}", fg="yellow"))
+            continue
+
+        def _rewrite(m: "re.Match") -> str:
+            woff2_url = m.group(1)
+            filename = woff2_url.split("/")[-1].split("?")[0]
+            dest = fonts_dir / filename
+            if not dest.exists():
+                try:
+                    dest.write_bytes(_http_get(woff2_url))
+                except Exception as e:
+                    click.echo(click.style(f"  Warning: could not fetch {woff2_url}: {e}", fg="yellow"))
+                    return m.group(0)
+            return f"url('../fonts/{filename}')"
+
+        local_css = _WOFF2_URL_RE.sub(_rewrite, css_text)
+        safe_name = name.lower().replace(" ", "-")
+        css_filename = f"{safe_name}-{weight}.css"
+        (fonts_dir / css_filename).write_text(local_css, encoding="utf-8")
+        local_css_paths.append(f"assets/fonts/{css_filename}")
+        click.echo(f"  Wrote assets/fonts/{css_filename}")
+
+    return local_css_paths
+
+
+def _patch_index_html(site_path: Path, local_font_css: list):
+    """Replace CDN tags with local paths and inject font link tags."""
+    index_path = site_path / "index.html"
+    if not index_path.exists():
+        raise click.ClickException("index.html not found in site directory.")
+
+    html = index_path.read_text(encoding="utf-8")
+
+    for cdn_url, local_path in CDN_DEPS:
+        html = html.replace(cdn_url, local_path)
+
+    if local_font_css:
+        links = "\n".join(
+            f'<link rel="stylesheet" href="{p}" data-mdcms-fonts="1">'
+            for p in local_font_css
+        )
+        html = html.replace("</head>", f"{links}\n</head>", 1)
+
+    index_path.write_text(html, encoding="utf-8")
+    click.echo("  Patched index.html")
+
+
@cli.command("fetch-deps")
@click.argument("name", required=False, default=None)
@click.option("--path", "path_override", default=None, type=click.Path(),
--- a/pyproject.toml
+++ b/pyproject.toml
@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"

 [project]
 name = "mdcms"
-version = "0.6.0"
+version = "0.6.1"
 description = "MD-CMS — Markdown-based CMS companion CLI"
 readme = "README.md"
 license = { text = "Apache-2.0" }