[dashboard] Load project description from ajax and run through DOMPurify

This makes sure the Project Description on the dashboard runs through
DOMPurify. In order to do that, it was also necessary to move the description
from being loaded in a smarty template to being loaded from an AJAX call
(so that we can import the DOMPurify module.)

Fixes aces#8750

Makefile

@@ -64,3 +64,5 @@ login:
 mri_violations:
 	target=mri_violations npm run compile
 
+dashboard:
+	target=dashboard npm run compile

modules/dashboard/.gitignore

@@ -0,0 +1 @@
+js/welcome.js

modules/dashboard/jsx/welcome.js

@@ -0,0 +1,13 @@
+import DOMPurify from 'dompurify';
+
+window.addEventListener('load', () => {
+    fetch(loris.BaseURL + "/dashboard/projectdescription").then ( (resp) => {
+        if (!resp.ok) {
+            throw new Error('Could not get project description');
+        }
+        return resp.json();
+    }).then ( (json) => {
+      const el = document.getElementById("project-description");
+      el.innerHTML = DOMPurify.sanitize(json.Description);
+    }).catch( (e) => console.error(e));
+});

modules/dashboard/php/projectdescription.class.inc

@@ -0,0 +1,22 @@
+<?php
+namespace LORIS\dashboard;
+use \Psr\Http\Server\RequestHandlerInterface;
+use \Psr\Http\Message\ServerRequestInterface;
+use \Psr\Http\Message\ResponseInterface;
+
+/**
+ * Get the project description to display in the welcome widget.
+ *
+ * @license http://www.gnu.org/licenses/gpl-3.0.txt GPLv3
+ */
+
+class ProjectDescription extends \LORIS\Http\Endpoint
+{
+    public function handle(ServerRequestInterface $request) : ResponseInterface {
+        $desc = $this->loris->getConfiguration()->getSetting('projectDescription');
+        return new \LORIS\Http\Response\JSON\OK(['Description' => $desc]);
+    }
+    public function _hasAccess(\User $user) {
+        return true;
+    }
+}

modules/dashboard/templates/welcomebody.tpl

@@ -1,5 +1,4 @@
 <h3 class="welcome">Welcome, {$username}.</h3>
 <p class="pull-right small login-time">Last login: {$last_login}</p>
-{if !is_null($project_description)}
-<p class="project-description">{$project_description}</p>
-{/if}
+<p id="project-description" class="project-description"></p>
+<script src="/dashboard/js/welcome.js"></script>

php/libraries/NDB_Page.class.inc

@@ -743,20 +743,6 @@ class NDB_Page extends \LORIS\Http\Endpoint implements RequestHandlerInterface
             ->withBody(new \LORIS\Http\StringStream($this->display() ?? ""));
     }
 
-    /**
-     * This function can be overridden in a module's page to load the necessary
-     * resources to check the permissions of a user.
-     *
-     * @param User                   $user    The user to load the resources for
-     * @param ServerRequestInterface $request The PSR15 Request being handled
-     *
-     * @return void
-     */
-    public function loadResources(
-        \User $user, ServerRequestInterface $request
-    ) : void {
-    }
-
     /**
      * Displays the form
      *

src/Http/Endpoint.php

@@ -65,4 +65,18 @@ public function hasAccess(\User $user): bool
     {
         return !($user instanceof \LORIS\AnonymousUser);
     }
+
+    /**
+     * This function can be overridden in a module's page to load the necessary
+     * resources to check the permissions of a user.
+     *
+     * @param User                   $user    The user to load the resources for
+     * @param ServerRequestInterface $request The PSR15 Request being handled
+     *
+     * @return void
+     */
+    public function loadResources(
+        \User $user, ServerRequestInterface $request
+    ) : void {
+    }
 }

webpack.config.js

@@ -322,6 +322,7 @@ const lorisModules = {
   instruments: ['CandidateInstrumentList', 'ControlpanelDeleteInstrumentData'],
   candidate_profile: ['CandidateInfo'],
   api_docs: ['swagger-ui_custom'],
+  dashboard: ['welcome'],
 };
 for (const [key] of Object.entries(lorisModules)) {
   const target = process.env.target;