From 32e9f4f7ed3f3129b7ea99a23feace7f1711f379 Mon Sep 17 00:00:00 2001
From: Dave MacFarlane
Date: Thu, 8 Jun 2023 14:01:38 -0400
Subject: [PATCH] [dashboard] Load project description from ajax and run through DOMPurify

This makes sure the Project Description on the dashboard runs through DOMPurify. In order to do that, it was also necessary to move the description from being loaded in a smarty template to being loaded from an AJAX call (so that we can import the DOMPurify module.)

Fixes #8750
---
 Makefile | 2 ++
 modules/dashboard/.gitignore | 1 +
 modules/dashboard/jsx/welcome.js | 13 +++++++++++
 .../php/projectdescription.class.inc | 22 +++++++++++++++++++
 modules/dashboard/templates/welcomebody.tpl | 5 ++---
 php/libraries/NDB_Page.class.inc | 14 ------------
 src/Http/Endpoint.php | 14 ++++++++++++
 webpack.config.js | 1 +
 8 files changed, 55 insertions(+), 17 deletions(-)
 create mode 100644 modules/dashboard/.gitignore
 create mode 100644 modules/dashboard/jsx/welcome.js
 create mode 100644 modules/dashboard/php/projectdescription.class.inc

diff --git a/Makefile b/Makefile
index acae120b91c..d7f7b8ff2f2 100755
--- a/Makefile
+++ b/Makefile
@@ -64,3 +64,5 @@ login:
 mri_violations:
 target=mri_violations npm run compile
+dashboard:
+ target=dashboard npm run compile
diff --git a/modules/dashboard/.gitignore b/modules/dashboard/.gitignore
new file mode 100644
index 00000000000..408f23218b0
--- /dev/null
+++ b/modules/dashboard/.gitignore
@@ -0,0 +1 @@
+js/welcome.js
diff --git a/modules/dashboard/jsx/welcome.js b/modules/dashboard/jsx/welcome.js
new file mode 100644
index 00000000000..1cbbb4e6a0c
--- /dev/null
+++ b/modules/dashboard/jsx/welcome.js
@@ -0,0 +1,13 @@
+import DOMPurify from 'dompurify';
+
+window.addEventListener('load', () => {
+ fetch(loris.BaseURL + "/dashboard/projectdescription").then ( (resp) => {
+ if (!resp.ok) {
+ throw new Error('Could not get project description');
+ }
+ return resp.json();
+ }).then ( (json) => {
+ const el = document.getElementById("project-description");
+ el.innerHTML = DOMPurify.sanitize(json.Description);
+ }).catch( (e) => console.error(e));
+});
diff --git a/modules/dashboard/php/projectdescription.class.inc b/modules/dashboard/php/projectdescription.class.inc
new file mode 100644
index 00000000000..88ada9ded3f
--- /dev/null
+++ b/modules/dashboard/php/projectdescription.class.inc
@@ -0,0 +1,22 @@
+loris->getConfiguration()->getSetting('projectDescription');
+ return new \LORIS\Http\Response\JSON\OK(['Description' => $desc]);
+ }
+ public function _hasAccess(\User $user) {
+ return true;
+ }
+}
diff --git a/modules/dashboard/templates/welcomebody.tpl b/modules/dashboard/templates/welcomebody.tpl
index 9eeda274f67..6b35be902b7 100644
--- a/modules/dashboard/templates/welcomebody.tpl
+++ b/modules/dashboard/templates/welcomebody.tpl
@@ -1,5 +1,4 @@
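Review bot: `el.innerHTML = DOMPurify.sanitize(json.Description)` in welcome.js drops the null guard the old template had (`{if !is_null($project_description)}` in the welcomebody.tpl hunk) and assumes `#project-description` is present, so a page without that element ends in the `.catch` as a console error, and a missing setting depends on how `DOMPurify.sanitize` treats a non-string value. A guard before the assignment keeps the old behaviour: `if (el === null || json.Description == null) return;`. A short comment above the assignment should also state that sanitisation happens only here, in the browser — the new endpoint hands back the configured `projectDescription` setting as-is, so any other consumer of `/dashboard/projectdescription` must sanitise it itself. The `fetch` uses the default credentials mode, which works for this same-origin call but is worth a one-line comment since the endpoint requires a logged-in session.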
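Review bot: `_hasAccess` in projectdescription.class.inc returns `true` unconditionally and carries no docblock, and the class declaration is mangled in this view, so it cannot be confirmed from here that anonymous users are still rejected by the parent's check (`Endpoint::hasAccess`, which in the Endpoint.php hunk of this same patch returns false for `\LORIS\AnonymousUser`). A docblock would pin the intent: `/** No permission beyond reaching the dashboard is required: the description is already shown to every user there. */`. The handler that builds the `['Description' => $desc]` response should likewise note that `$desc` is the raw `projectDescription` setting and that sanitisation is done by the browser in welcome.js, so the endpoint is not reused later for an unsanitised render.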

Welcome, {$username}.

Last login: {$last_login}

-{if !is_null($project_description)} -

{$project_description}

-{/if} +

+
diff --git a/php/libraries/NDB_Page.class.inc b/php/libraries/NDB_Page.class.inc
index 42079502def..3575f58206d 100644
--- a/php/libraries/NDB_Page.class.inc
+++ b/php/libraries/NDB_Page.class.inc
@@ -743,20 +743,6 @@ class NDB_Page extends \LORIS\Http\Endpoint implements RequestHandlerInterface
 ->withBody(new \LORIS\Http\StringStream($this->display() ?? ""));
 }
- /**
- * This function can be overridden in a module's page to load the necessary
- * resources to check the permissions of a user.
- *
- * @param User $user The user to load the resources for
- * @param ServerRequestInterface $request The PSR15 Request being handled
- *
- * @return void
- */
- public function loadResources(
- \User $user, ServerRequestInterface $request
- ) : void {
- }
-
 /**
 * Displays the form
 *
diff --git a/src/Http/Endpoint.php b/src/Http/Endpoint.php
index c9bbd4b2a4b..ec8d3b7971d 100644
--- a/src/Http/Endpoint.php
+++ b/src/Http/Endpoint.php
@@ -65,4 +65,18 @@ public function hasAccess(\User $user): bool
 {
 return !($user instanceof \LORIS\AnonymousUser);
 }
+
+ /**
+ * This function can be overridden in a module's page to load the necessary
+ * resources to check the permissions of a user.
+ *
+ * @param User $user The user to load the resources for
+ * @param ServerRequestInterface $request The PSR15 Request being handled
+ *
+ * @return void
+ */
+ public function loadResources(
+ \User $user, ServerRequestInterface $request
+ ) : void {
+ }
 }
diff --git a/webpack.config.js b/webpack.config.js
index f498f42b63d..2d02310c924 100644
--- a/webpack.config.js
+++ b/webpack.config.js
@@ -322,6 +322,7 @@ const lorisModules = {
 instruments: ['CandidateInstrumentList', 'ControlpanelDeleteInstrumentData'],
 candidate_profile: ['CandidateInfo'],
 api_docs: ['swagger-ui_custom'],
+ dashboard: ['welcome'],
 };
 for (const [key] of Object.entries(lorisModules)) {
 const target = process.env.target;
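Review bot: The docblock moved onto `Endpoint::loadResources` in src/Http/Endpoint.php still says the method "can be overridden in a module's page", which described `NDB_Page` but is now narrower than the class it lives on, since any `Endpoint` subclass can override it. Suggest replacing the first two lines with `* This method can be overridden by an Endpoint subclass to load the resources` / `* needed to check a user's permissions.`. `ServerRequestInterface` is used unqualified in the new signature; whether this file imports it is outside the hunk, so worth confirming before merge.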