resolves #3765 download and embed custom remote stylesheet if allow-uri-read is set (PR #3766)

author: Dan Allen <dan.j.allen@gmail.com> 2020-10-23 23:57:46 -0600
committer: GitHub <noreply@github.com> 2020-10-23 23:57:46 -0600
commit: 3bf8cb35e05182c2aa431b336516898dd4f4353a (patch)
tree: 3082b8e73810b38270d786e7df71d2f3d2ba2786
parent: ae24065dc0c7b025abb12e5ba02fd5c828db54b7 (diff)
4 files changed, 56 insertions, 1 deletions
diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc
index 63298de9..c71646f8 100644
--- a/CHANGELOG.adoc
+++ b/CHANGELOG.adoc
@@ -63,6 +63,7 @@ Improvements::
   * Skip unused default attribute assigments for embedded document
   * Allow a URL macro to have a preceding single or double quote (#3376)
   * Add support for erubi template engine; use it in place of erubis in test suite; note the use of erubis is deprecated (#3737)
+  * Download and embed remote custom stylesheet if allow-uri-read is set (#3765)
 
 Build / Infrastructure::
 
diff --git a/lib/asciidoctor/converter/html5.rb b/lib/asciidoctor/converter/html5.rb
index e1b4e839..b5b6188f 100644
--- a/lib/asciidoctor/converter/html5.rb
+++ b/lib/asciidoctor/converter/html5.rb
@@ -138,7 +138,7 @@ class Converter::Html5Converter < Converter::Base
         result << %(<link rel="stylesheet" href="#{node.normalize_web_path((node.attr 'stylesheet'), (node.attr 'stylesdir', ''))}"#{slash}>)
       else
         result << %(<style>
-#{node.read_asset node.normalize_system_path((node.attr 'stylesheet'), (node.attr 'stylesdir', '')), warn_on_failure: true, label: 'stylesheet'}
+#{node.read_contents (node.attr 'stylesheet'), start: (node.attr 'stylesdir'), warn_on_failure: true, label: 'stylesheet'}
 </style>)
       end
     end
diff --git a/test/api_test.rb b/test/api_test.rb
index 277fb0fc..24e84b1e 100644
--- a/test/api_test.rb
+++ b/test/api_test.rb
@@ -1153,6 +1153,23 @@ context 'API' do
       refute_empty styles.strip
     end
 
+    test 'should embed remote stylesheet by default if SafeMode is less than SECURE and allow-uri-read is set' do
+      input = <<~'EOS'
+      = Document Title
+
+      text
+      EOS
+
+      output = using_test_webserver do
+        Asciidoctor.convert input, safe: Asciidoctor::SafeMode::SERVER, standalone: true, attributes: { 'allow-uri-read' => '', 'stylesheet' => %(http://#{resolve_localhost}:9876/fixtures/custom.css) }
+      end
+      stylenode = xmlnodes_at_css 'html:root > head > style', output, 1
+      styles = stylenode.content
+      refute_nil styles
+      refute_empty styles.strip
+      assert_include 'color: green', styles
+    end
+
     test 'should not allow linkcss be unset from document if SafeMode is SECURE or greater' do
       input = <<~'EOS'
       = Document Title
@@ -1244,6 +1261,40 @@ context 'API' do
       refute_empty styles.strip
     end
 
+    test 'should embed custom remote stylesheet if SafeMode is less than SECURE and allow-uri-read is set' do
+      input = <<~'EOS'
+      = Document Title
+
+      text
+      EOS
+
+      output = using_test_webserver do
+        Asciidoctor.convert input, safe: Asciidoctor::SafeMode::SERVER, standalone: true, attributes: { 'allow-uri-read' => '', 'stylesheet' => %(http://#{resolve_localhost}:9876/fixtures/custom.css) }
+      end
+      stylenode = xmlnodes_at_css 'html:root > head > style', output, 1
+      styles = stylenode.content
+      refute_nil styles
+      refute_empty styles.strip
+      assert_include 'color: green', styles
+    end
+
+    test 'should embed custom stylesheet in remote stylesdir if SafeMode is less than SECURE and allow-uri-read is set' do
+      input = <<~'EOS'
+      = Document Title
+
+      text
+      EOS
+
+      output = using_test_webserver do
+        Asciidoctor.convert input, safe: Asciidoctor::SafeMode::SERVER, standalone: true, attributes: { 'allow-uri-read' => '', 'stylesdir' => %(http://#{resolve_localhost}:9876/fixtures), 'stylesheet' => 'custom.css' }
+      end
+      stylenode = xmlnodes_at_css 'html:root > head > style', output, 1
+      styles = stylenode.content
+      refute_nil styles
+      refute_empty styles.strip
+      assert_include 'color: green', styles
+    end
+
     test 'should convert source file and write result to adjacent file by default' do
       sample_input_path = fixture_path('sample.adoc')
       sample_output_path = fixture_path('sample.html')
diff --git a/test/fixtures/custom.css b/test/fixtures/custom.css
new file mode 100644
index 00000000..92ae40db
--- /dev/null
+++ b/test/fixtures/custom.css
@@ -0,0 +1,3 @@
+mark {
+  color: green;
+}
author	Dan Allen <dan.j.allen@gmail.com>	2020-10-23 23:57:46 -0600
committer	GitHub <noreply@github.com>	2020-10-23 23:57:46 -0600
commit	3bf8cb35e05182c2aa431b336516898dd4f4353a (patch)
tree	3082b8e73810b38270d786e7df71d2f3d2ba2786
parent	ae24065dc0c7b025abb12e5ba02fd5c828db54b7 (diff)