escape all output by default, add <?unsafe blocks

guregu · guregu · commit 2215c85ab09d · 2023-01-09T08:03:29.000+09:00
diff --git a/Makefile b/Makefile
@@ -8,7 +8,7 @@ SPINCFG = spin.toml
 endif
 
 ifndef SPINVER
-SPINVER = v0.4.0
+SPINVER = v0.7.1
 endif
 
 ifndef ARCH
@@ -34,13 +34,10 @@ run: build
 	$(SPINFLAGS) spin up --file $(SPINCFG)
 
 watch: build
-	nodemon --watch cgi-bin --watch www --watch lib --ext pl,html,php --verbose --legacy-watch --signal SIGINT --exec '$(SPINFLAGS) spin up --file $(SPINCFG)'
+	nodemon --watch cgi-bin --watch . --ext pl,html --verbose --legacy-watch --signal SIGINT --exec '$(SPINFLAGS) spin up --file $(SPINCFG)'
 
 container: build
 	nixpacks build . --name php --pkgs wget curl \
-		--install-cmd 'wget -O spin.tar.gz https://github.com/fermyon/spin/releases/download/v0.4.0/spin-v0.4.0-linux-amd64.tar.gz && tar xvf spin.tar.gz && (curl https://get.wasmer.io -sSfL | sh)' \
+		--install-cmd 'wget -O spin.tar.gz $(SPINBIN) && tar xvf spin.tar.gz && (curl https://get.wasmer.io -sSfL | sh)' \
 		--build-cmd './spin build' \
 		--start-cmd './spin up --file spin.toml'
-
-deploy:
-	ssh ubuntu@php.energy 'cd php && git pull && sudo systemctl restart php'
diff --git a/README.md b/README.md
@@ -66,34 +66,41 @@ Put PHP templates here and they will show up in your root.
 
 Files ending in `.html` will be interpreted as PHP templates with the following special syntax.
 
-### Queries: `<?- Goal ?>`
+### Queries: `<?- Goal. ?>`
 ```prolog
 <?- current_prolog_flag(version, Ver), write(Ver) ?>
 <?php ... ?>
 ```
 
-You can use the `<?php goal ?>` expression to execute Prolog (of course). 
+You can use the `<?- Goal. ?>` (alias: `<?php Goal. ?>`) expression to execute Prolog (of course). 
 
-For example, this renders a table of the current Prolog flags:
+By default, all output from these blocks will be escaped to avoid XSS attacks. You can also use unsafe queries, see below.
+
+#### Unsafe queries: `<?unsafe Goal. ?>`
+
+You can use the `<?unsafe Goal. ?>` expression to execute Prolog code without escaping its output (dangerous!).
+Avoid using this if you can.
+
+For example, this renders a table of the numbers 1-10 and their squares:
 
 ```html
-<h3>Prolog flags</h3>
+<h3>Math</h3>
 <table>
-	<tr><th>Flag</th><th>Value</th></tr>
-	<?php
-		bagof([K, V], current_prolog_flag(K, V), Flags),
+	<tr><th>N</th><th>N²</th></tr>
+	<?unsafe
+		bagof([N, Square], (between(1, 10, N), Square is N^2)), Flags),
 		maplist(format("<tr><td>~w</td><td>~w</td></tr>"), Flags)
 	?>
 </table>
 ```
 
-#### findall: `<?* Goal ?>`
+#### findall: `<?* Goal. ?>`
 ```prolog
 <?* member(X, [1, 2, 3]) ?>
 ```
 Works the same as query, but findall behavior instead of once behavior.
 
-#### Echo: `<?=Var Goal ?>`
+#### Echo: `<?=Var Goal. ?>`
 ```html
 1+1 = <?=X X is 1+1 ?>
 <input type="text" name="ask" value="<?=Param query_param(ask, Param) ?>">
@@ -112,7 +119,8 @@ good_enough(X) :- between(1, 640, X).
 :- echo "hello!".
 :- succ(68, X), write(X).
 ?>
-<?prolog ... ?>
+
+The web framework of the future is <?=Framework best_web_framework(Framework). ?>
 ```
 
 Assert facts and rules as if consulting a Prolog program. Directive syntax will call the given goal.
diff --git a/spin.toml b/spin.toml
@@ -2,12 +2,12 @@ spin_version = "1"
 name = "prolog-php"
 description = "Prolog Home Page"
 trigger = { type = "http", base = "/" }
-version = "0.2.1"
+version = "0.3.0"
 
 [[component]]
 id = "prolog"
 description = "PHP: Prolog Home Page"
-source = "wapm_packages/guregu/trealla@0.11.26/tpl.wasm"
+source = "wapm_packages/guregu/trealla@0.11.27/tpl.wasm"
 files = [{ source = "www/", destination = "/"}]
 [component.trigger]
 route = "/..."
diff --git a/wapm.lock b/wapm.lock
@@ -1,18 +1,18 @@
 # Lockfile v4
 # This file is automatically generated by Wapm.
 # It is not intended for manual editing. The schema of this file may change.
-[modules."guregu/trealla"."0.11.26".tpl]
+[modules."guregu/trealla"."0.11.27".tpl]
 name = "tpl"
-package_version = "0.11.26"
+package_version = "0.11.27"
 package_name = "guregu/trealla"
-package_path = "guregu/trealla@0.11.26"
-resolved = "https://registry-cdn.wapm.io/packages/guregu/trealla/trealla-0.11.26-b8da2854-802b-11ed-90e2-c6aeb50490de.tar.gz"
+package_path = "guregu/trealla@0.11.27"
+resolved = "https://registry-cdn.wapm.io/packages/guregu/trealla/trealla-0.11.27-9ebbecea-8685-11ed-90e2-c6aeb50490de.tar.gz"
 resolved_source = "registry+tpl"
 abi = "wasi"
 source = "tpl.wasm"
 [commands.tpl]
 name = "tpl"
 package_name = "guregu/trealla"
-package_version = "0.11.26"
+package_version = "0.11.27"
 module = "tpl"
 is_top_level_dependency = true
diff --git a/www/lib/php.pl b/www/lib/php.pl
@@ -1,4 +1,4 @@
-:- module(php, [php//1, render/1, phpinfo/0, pretty_version/1, echo/1, htmlspecialchars//1, html_escape/2]).
+:- module(php, [php//1, render/1, phpinfo/0, pretty_version/1, echo/1, htmlspecialchars//1, html_escape/2, op(901, fy, echo)]).
 :- use_module(cgi).
 :- use_module(dcgs).
 
@@ -23,49 +23,66 @@
 clauses([]) --> term(end_of_file).
 term(T) --> read_term_from_chars_(T).
 
+exec(Block) :-
+	\+unsafe_block(Block),
+	'$capture_output',
+	ignore(exec_(Block)),
+	'$capture_output_to_chars'(Cs),
+	ignore(echo(Cs)), % escapes output
+	!.
+exec(Block) :-
+	unsafe_block(Block),
+	ignore(exec_(Block)).
+
 % <?- ... ?> (query)
 % <?php ... ?>
-exec(php("-", Code)) :-
-	exec(php("php", Code)),
+exec_(php("-", Code)) :-
+	exec_(php("php", Code)),
 	!.
-exec(php("php", Code)) :-
+exec_(php("php", Code)) :-
 	read_term_from_chars(Code, Goal, []),
 	ignore(Goal),
 	!.
+exec_(php("unsafe", Code)) :-
+	exec_(php("php", Code)),
+	!.
 % <?* ... ?> (findall)
-exec(php("*", Code)) :-
+exec_(php("*", Code)) :-
 	read_term_from_chars(Code, Goal, []),
 	ignore(findall(_, call(Goal), _)),
 	!.
 % <?prolog ... ?> (clauses)
 % <? ... ?>
-exec(php("prolog", Code)) :-
+exec_(php("prolog", Code)) :-
 	( once(phrase(clauses(Cs), Code))
 	; throw(error(invalid_template(prolog, Code)))
 	),
 	ignore(maplist(prolog_call, Cs)),
 	!.
-exec(php([], Code)) :-
-	exec(php("prolog", Code)),
+exec_(php([], Code)) :-
+	exec_(php("prolog", Code)),
 	!.
 % <?=Var ... ?> (echo)
-exec(php([=|Var], Code)) :-
+exec_(php([=|Var], Code)) :-
 	read_term_from_chars(Code, Goal, [variable_names(Vars)]),
 	atom_chars(Key, Var),
 	(  member(Key=X, Vars)
 	-> true
 	;  throw(error(var_not_found(var(Key), goal(Goal))))
 	),
 	(  call(Goal)
-	-> echo(X)
+	-> echo_unsafe(X)
 	;  true
 	),
 	!.
-exec(text(Text)) :-
+exec_(text(Text)) :-
 	'$put_chars'(Text),
 	!.
-exec(X) :-
-	throw(error(unknown_opcode(X))).
+exec_(X) :-
+	throw(error(unknown_block(X))).
+
+unsafe_block(text(_)).
+unsafe_block(php("unsafe", _)).
 
 render(File) :-
 	read_file_to_string(File, Cs, []),
@@ -77,7 +94,7 @@
 		echo "Error: ", echo Error
 	)).
 
-prolog_call(:-(Goal)) :- ignore(Goal).
+prolog_call(':-'(Goal)) :- ignore(Goal).
 prolog_call(Goal) :- user:assertz(Goal).
 
 phpinfo :- render('lib/phpinfo.html').
@@ -88,26 +105,36 @@
 	atomic_list_concat([Head, Min, Patch], '.', Version).
 
 htmlspecialchars([]) --> [].
-htmlspecialchars([C|Cs]) --> { danger_subtitute(C, Sub) }, Sub, htmlspecialchars(Cs).
-htmlspecialchars([C|Cs]) --> { \+danger_subtitute(C, _) }, [C], htmlspecialchars(Cs).
+htmlspecialchars([C|Cs]) --> { danger_substitute(C, Sub) }, Sub, htmlspecialchars(Cs).
+htmlspecialchars([C|Cs]) --> { \+danger_substitute(C, _) }, [C], htmlspecialchars(Cs).
 
 html_escape(Raw, Sanitized) :- once(phrase(htmlspecialchars(Raw), Sanitized)).
 
-danger_subtitute(&, "&amp;").
-danger_subtitute('"', "&quot;").
-danger_subtitute('\'', "&apos;").
-danger_subtitute(<, "&lt;").
-danger_subtitute(>, "&gt;").
+danger_substitute(&, "&amp;").
+danger_substitute('"', "&quot;").
+danger_substitute('\'', "&apos;").
+danger_substitute(<, "&lt;").
+danger_substitute(>, "&gt;").
 
 echo([]) :- !.
 echo('') :- !.
 echo(String) :-
-	can_be(chars, String),
+	string(String),
 	html_escape(String, Sanitized),
 	'$put_chars'(Sanitized),
 	!.
 echo(X) :-
 	write_term_to_chars(X, [], Cs),
 	echo(Cs),
 	!.
-	
+	
+echo_unsafe([]) :- !.
+echo_unsafe('') :- !.
+echo_unsafe(String) :-
+	string(String),
+	'$put_chars'(String),
+	!.
+echo_unsafe(X) :-
+	write_term_to_chars(X, [], Cs),
+	echo_unsafe(Cs),
+	!.
diff --git a/www/lib/phpinfo.html b/www/lib/phpinfo.html
@@ -10,15 +10,15 @@ <h1>phpinfo/0<br>
 	<h3>Envrionment</h3>
 	<table>
 		<tr><th>Name</th><th>Value</th></tr>
-	<?php
+	<?unsafe
 		bagof([K, V], env(K, V), Env),
 		maplist(format("<tr><td>~w</td><td>~w</td></tr>"), Env)
 	?>
 	</table>
 	<h3>Prolog flags</h3>
 	<table>
 		<tr><th>Flag</th><th>Value</th></tr>
-	<?php
+	<?unsafe
 		current_prolog_flag(argv, Argv),
 		format("<tr><td>~w</td><td>~w</td></tr>", [argv, Argv]),
 		current_prolog_flag(version_git, GitVer),
@@ -30,7 +30,7 @@ <h3>Prolog flags</h3>
 	<h3>Query params</h3>
 	<table>
 		<tr><th>Key</th><th>Value</th></tr>
-	<?-
+	<?unsafe
 		bagof([K, V], K0^V0^K1^V1^K^V^(
 			query_param(K0, V0),
 			atom_chars(K0, K1),
diff --git a/www/public_html/index.html b/www/public_html/index.html
@@ -33,8 +33,15 @@ <h3>examples</h3>
 		</ul>
 	</nav>
 
-	<h3>Trealla Prolog playground</h3>
-	<p>Run <a href="trealla.html">Trealla straight from your browser</a>!</p>
+	<section>
+		<h3>Trealla Prolog playground</h3>
+		<p>✨&nbsp;Run <a href="trealla.html">Trealla straight from your browser</a>!</p>
+	</section>
+
+	<h3>USER TESTIMONIALS</h3>
+	<ul>
+		<li>"Dear god", "I'm so happy they left my beloved Python undefiled" — <a href="https://news.ycombinator.com/item?id=34287270">hacker news</a></li>
+	</ul>
 
 	<hr>
 
diff --git a/www/public_html/tacos.html b/www/public_html/tacos.html
@@ -9,6 +9,9 @@
 h1 {
 	font-style: italic;
 }
+figcaption {
+	text-align: right;
+}
 </style>
 </head>
 <body>
@@ -21,6 +24,8 @@ <h1>So I made this girl quit her job today.</h1>
 	<p>She looks at my face for a few seconds with a blank stare before saying, "Fuck this" and just walks to the back where the customer can't see, and then like 15 seconds later walks down the hallway and out the door and gets into her car. Then some guy comes out from the back, who I assume is the manager, with a concerned look on his face, apologizes and takes my order. Other employees were really confused.
 
 	<p>Tacos were okay.
+
+	<figcaption><cite>— some guy on an internet forum long ago</cite></figcaption>
 </blockquote>
 <?
 
@@ -49,7 +54,8 @@ <h1>So I made this girl quit her job today.</h1>
 ?>
 
 <ol>
-	<?* tacos(Tacos), member(taco(Shell, Meat, Toppings), Tacos), format("<li>~a ~a ~w</li>", [Shell, Meat, Toppings]). ?>
+	<!-- TODO: make this less horrible -->
+	<?unsafe findall(_, (tacos(Tacos), member(taco(Shell, Meat, Toppings), Tacos), format("<li>~a ~a ~w</li>", [Shell, Meat, Toppings])), _). ?>
 </ol>
 
 <section>
diff --git a/www/public_html/test.html b/www/public_html/test.html
@@ -1,4 +1,4 @@
 <!doctype html>
 <html>
-	<?php phpinfo ?>
+	<?unsafe phpinfo ?>
 </html>
diff --git a/www/public_html/trealla.html b/www/public_html/trealla.html
@@ -67,7 +67,7 @@ <h2>More Info</h2>
 </footer>
 
 <script type="module">
-import { load, Prolog, toJSON } from 'https://esm.sh/trealla@0.13.34';
+import { load, Prolog, toJSON } from 'https://esm.sh/trealla@0.13.40';
 
 try {
 	load().then(init);

-Original file line number
+Diff line change
 </footer>
 <script type="module">
 -import { load, Prolog, toJSON } from 'https://esm.sh/[email protected].34';
 +import { load, Prolog, toJSON } from 'https://esm.sh/[email protected].40';
 try {
 	load().then(init);