[ckeditor][markdown] introduce twig filter chill_markdown_to_html

src/Bundle/ChillMainBundle/Resources/public/sass/_custom.scss

@@ -157,16 +157,27 @@ dl.chill_view_data {
 }
 
 
-blockquote.chill-user-quote {
+blockquote.chill-user-quote,
+div.chill-user-quote {
     border-left: 10px solid $chill-yellow;
     margin: 1.5em 10px;
     padding: 0.5em 10px;
     quotes: "\201C""\201D""\2018""\2019";
     background-color: $chill-llight-gray;
-
+    
-
+    blockquote {
-    p { display: inline; }
+        margin: 1.5em 10px;
-
+        padding: 0.5em 10px;
+    }
+    
+    blockquote:before {
+        color: #ccc;
+        content: open-quote;
+        font-size: 4em;
+        line-height: 0.1em;
+        margin-right: 0.25em;
+        vertical-align: -0.4em;
+    }
 }
 
 .chill-no-data-statement {

src/Bundle/ChillMainBundle/Templating/ChillMarkdownRenderExtension.php

@@ -0,0 +1,56 @@
+<?php
+/*
+ * Copyright (C) 2021 Champs Libres Cooperative <info@champs-libres.coop>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+namespace Chill\MainBundle\Templating;
+
+use Twig\Extension\AbstractExtension;
+use Twig\TwigFilter;
+
+use Parsedown;
+
+/**
+ * Render markdown
+ * 
+ */
+class ChillMarkdownRenderExtension extends AbstractExtension
+{
+    /**
+     * 
+     * @var Parsedown
+     */
+    protected $parsedown;
+    
+    public function __construct()
+    {
+        $this->parsedown = new Parsedown();
+        $this->parsedown->setSafeMode(true);
+    }
+    
+    public function getFilters()
+    {
+        return [
+            new TwigFilter('chill_markdown_to_html', [$this, 'renderMarkdownToHtml'], [
+                'is_safe' => [ 'html' ]
+            ])
+        ];
+    }
+    
+    public function renderMarkdownToHtml($var)
+    {
+        return $this->parsedown->parse($var);
+    }
+}

src/Bundle/ChillMainBundle/Tests/Templating/ChillMarkdownRenderExtensionTest.php

@@ -0,0 +1,76 @@
+<?php
+/*
+ * Chill is a software for social workers
+ *
+ * Copyright (C) 2014-2021, Champs Libres Cooperative SCRLFS, 
+ * <http://www.champs-libres.coop>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+namespace Chill\MainBundle\Tests\Templating;
+
+use PHPUnit\Framework\TestCase;
+use Chill\MainBundle\Templating\ChillMarkdownRenderExtension;
+
+/**
+ * Test the service ChillMarkdownRenderExtension
+ * 
+ * @internal we do not want to test the markdown transformation. We just want to
+ * test that the markdown is correctly transformed into html, and that the html 
+ * is safe.
+ */
+class ChillMarkdownRenderExtensionTest extends TestCase
+{
+    
+    private const SIMPLE_MARKDOWN = <<<MD
+# test
+
+Text.
+MD;
+    
+    private const SIMPLE_HTML = <<<HTML
+<h1>test</h1>
+<p>Text.</p>
+HTML;
+    
+    private const UNAUTHORIZED_MARKDOWN = <<<MD
+<script>alert("ok");</script>
+MD;
+    
+    private const UNAUTHORIZED_HTML = <<<HTML
+<p>&lt;script&gt;alert(&quot;ok&quot;);&lt;/script&gt;</p>
+HTML;
+    
+    /**
+     * Test that the markdown input is transformed into html
+     */
+    public function testRendering()
+    {
+        $extension = new ChillMarkdownRenderExtension();
+        
+        $this->assertEquals(self::SIMPLE_HTML, 
+            $extension->renderMarkdownToHtml(self::SIMPLE_MARKDOWN));
+    }
+    
+    /**
+     * Test that the output of the markdown content is sanitized
+     */
+    public function testSecurity()
+    {
+        $extension = new ChillMarkdownRenderExtension();
+        
+        $this->assertEquals(self::UNAUTHORIZED_HTML, 
+            $extension->renderMarkdownToHtml(self::UNAUTHORIZED_MARKDOWN));
+    }
+}

src/Bundle/ChillMainBundle/config/services/templating.yaml

@@ -36,3 +36,7 @@ services:
             - '@chill.main.user_repository'
         tags:
             - { name: 'chill.render_entity' }
+            
+    Chill\MainBundle\Templating\ChillMarkdownRenderExtension:
+        tags:
+            - { name: twig.extension }

src/Bundle/ChillPersonBundle/Resources/views/Person/view.html.twig

@@ -48,11 +48,9 @@ This view should receive those arguments:
         </figure>
 
             {#<p><blockquote>{{ person.memo|nl2br }}</blockquote></p>#}
-            <div class="chill-user-quote snippet-markdown">
+            <div class="chill-user-quote">
+                {{ person.memo|chill_markdown_to_html }}
             </div>
-        {% apply markdown_to_html %}
-            {{ person.memo }}
-        {% endapply %}<br>
 
     </div>
     {% endif %}
@@ -214,7 +212,7 @@ This view should receive those arguments:
             {%- if chill_person.fields.email == 'visible' -%}
             <dl>
                 <dt>{{ 'Email'|trans }}&nbsp;:</dt>
-                <dd>{% if person.email is not empty %}<blockquote class="chill-user-quote">{{ person.email|nl2br }}</blockquote>{% else %}<span class="chill-no-data-statement">{{ 'No data given'|trans }}</span>{% endif %}</dd>
+                <dd>{% if person.email is not empty %}<a href="mailto:{{ person.email|escape('html_attr') }}">{{ person.email }}</a>{% else %}<span class="chill-no-data-statement">{{ 'No data given'|trans }}</span>{% endif %}</dd>
             </dl>
             {%- endif -%}
             {%- if chill_person.fields.phonenumber == 'visible' -%}
@@ -232,7 +230,15 @@ This view should receive those arguments:
             {%- if chill_person.fields.contact_info == 'visible' -%}
             <dl>
                 <dt>{{ 'Notes on contact information'|trans }}&nbsp;:</dt>
-                <dd>{% if person.contactInfo is not empty %}{{ person.contactInfo|nl2br }}{% else %}<span class="chill-no-data-statement">{{ 'No data given'|trans }}</span>{% endif %}</dd>
+                <dd>
+                    {% if person.contactInfo is not empty %}
+                    <div class="chill-user-quote">
+                        {{ person.contactInfo|chill_markdown_to_html }}
+                    </div>
+                    {% else %}
+                        <span class="chill-no-data-statement">{{ 'No data given'|trans }}</span>
+                    {% endif %}
+                </dd>
             </dl>
             {%- endif -%}