Refactor template string with handlebars.

- Fixed issue where JSON entities may be unescaped
- Updated web manifest schema, route handler.

Author: GirlBossRush

package.json

@@ -32,7 +32,9 @@
   "devDependencies": {
     "@types/body-parser": "^1.19.0",
     "@types/cookie-parser": "^1.4.2",
+    "@types/entities": "^1.1.1",
     "@types/express": "^4.17.8",
+    "@types/express-handlebars": "^3.1.0",
     "@types/fs-extra": "^8.0.1",
     "@types/http-proxy": "^1.17.4",
     "@types/js-yaml": "^3.12.3",
@@ -71,8 +73,10 @@
     "@coder/logger": "1.1.16",
     "body-parser": "^1.19.0",
     "cookie-parser": "^1.4.5",
+    "entities": "^2.1.0",
     "env-paths": "^2.2.0",
     "express": "^4.17.1",
+    "express-handlebars": "^5.2.0",
     "fs-extra": "^9.0.1",
     "http-proxy": "^1.18.0",
     "httpolyglot": "^0.1.2",

src/browser/media/manifest.json

@@ -10,20 +10,20 @@
       http-equiv="Content-Security-Policy"
       content="style-src 'self'; manifest-src 'self'; img-src 'self' data:; font-src 'self' data:;"
     />
-    <title>{{ERROR_TITLE}} - code-server</title>
+    <title>{{ERROR_TITLE}} — Code Server</title>
     <link rel="icon" href="{{CS_STATIC_BASE}}/src/browser/media/favicon.ico" type="image/x-icon" />
-    <link rel="manifest" href="{{CS_STATIC_BASE}}/src/browser/media/manifest.json" crossorigin="use-credentials" />
+    <link rel="manifest" href="/code-server.webmanifest" crossorigin="use-credentials" />
     <link rel="apple-touch-icon" href="{{CS_STATIC_BASE}}/src/browser/media/pwa-icon-384.png" />
     <link href="{{CS_STATIC_BASE}}/dist/register.css" rel="stylesheet" />
-    <meta id="coder-options" data-settings="{{OPTIONS}}" />
+    <meta id="coder-options" data-settings="{{{json coderOptions}}}" />
   </head>
   <body>
     <div class="center-container">
       <div class="error-display">
         <h2 class="header">{{ERROR_HEADER}}</h2>
         <div class="body">{{ERROR_BODY}}</div>
         <div class="links">
-          <a class="link" href="{{BASE}}{{TO}}">go home</a>
+          <a class="link" href="{{BASE}}{{TO}}">Go home</a>
         </div>
       </div>
     </div>

src/browser/pages/error.html renamed to src/browser/pages/error.handlebars

@@ -10,19 +10,20 @@
       http-equiv="Content-Security-Policy"
       content="style-src 'self'; script-src 'self' 'unsafe-inline'; manifest-src 'self'; img-src 'self' data:; font-src 'self' data:;"
     />
-    <title>code-server login</title>
+    <title>Login — Code Server</title>
     <link rel="icon" href="{{CS_STATIC_BASE}}/src/browser/media/favicon.ico" type="image/x-icon" />
-    <link rel="manifest" href="{{CS_STATIC_BASE}}/src/browser/media/manifest.json" crossorigin="use-credentials" />
+    <link rel="manifest" href="/code-server.webmanifest" crossorigin="use-credentials" />
     <link rel="apple-touch-icon" href="{{CS_STATIC_BASE}}/src/browser/media/pwa-icon-384.png" />
     <link href="{{CS_STATIC_BASE}}/dist/register.css" rel="stylesheet" />
-    <meta id="coder-options" data-settings="{{OPTIONS}}" />
+    <meta id="coder-options" data-settings="{{{json coderOptions}}}" />
   </head>
   <body>
     <div class="center-container">
       <div class="card-box">
         <div class="header">
           <h1 class="main">Welcome to code-server</h1>
-          <div class="sub">Please log in below. {{PASSWORD_MSG}}</div>
+          <div class="sub">Please log in below.</div>
+          <div class="sub">{{PASSWORD_MSG}}</div>
         </div>
         <div class="content">
           <form class="login-form" method="post">
@@ -40,7 +41,10 @@ <h1 class="main">Welcome to code-server</h1>
               />
               <input class="submit -button" value="SUBMIT" type="submit" />
             </div>
-            {{ERROR}}
+
+            {{#if ERROR}}
+              <div class="error">{{ERROR}}</div>
+            {{/if}}
           </form>
         </div>
       </div>

src/browser/pages/login.html renamed to src/browser/pages/login.handlebars

@@ -3,11 +3,12 @@
 <html>
   <head>
     <script>
-      globalThis.MonacoPerformanceMarks = globalThis.MonacoPerformanceMarks || []
-      globalThis.MonacoPerformanceMarks.push("renderer/started", Date.now())
+      globalThis.MonacoPerformanceMarks = globalThis.MonacoPerformanceMarks || [];
+      globalThis.MonacoPerformanceMarks.push("renderer/started", Date.now());
     </script>
 
     <meta charset="utf-8" />
+    <title>Code Server</title>
 
     <!-- Disable pinch zooming -->
     <meta
@@ -16,28 +17,30 @@
     />
 
     <!-- Workbench Configuration -->
-    <meta id="vscode-workbench-web-configuration" data-settings="{{WORKBENCH_WEB_CONFIGURATION}}" />
+    <meta id="vscode-workbench-web-configuration" data-settings="{{{json workbenchOptions.workbenchWebConfiguration}}}" />
 
     <!-- Workarounds/Hacks (remote user data uri) -->
-    <meta id="vscode-remote-user-data-uri" data-settings="{{REMOTE_USER_DATA_URI}}" />
-    <meta id="vscode-remote-product-configuration" data-settings="{{PRODUCT_CONFIGURATION}}" />
-    <meta id="vscode-remote-nls-configuration" data-settings="{{NLS_CONFIGURATION}}" />
+    <meta id="vscode-remote-user-data-uri" data-settings="{{{json workbenchOptions.remoteUserDataUri}}}" />
+    <meta id="vscode-remote-product-configuration" data-settings="{{{json workbenchOptions.productConfiguration}}}" />
+    <meta id="vscode-remote-nls-configuration" data-settings="{{{json workbenchOptions.nlsConfiguration}}}" />
 
     <!-- Workbench Icon/Manifest/CSS -->
     <link rel="icon" href="{{CS_STATIC_BASE}}/src/browser/media/favicon.ico" type="image/x-icon" />
-    <link rel="manifest" href="{{CS_STATIC_BASE}}/src/browser/media/manifest.json" crossorigin="use-credentials" />
-    <!-- PROD_ONLY
-    <link data-name="vs/workbench/workbench.web.api" rel="stylesheet" href="{{CS_STATIC_BASE}}/lib/vscode/out/vs/workbench/workbench.web.api.css">
-    END_PROD_ONLY -->
+    <link rel="manifest" href="/code-server.webmanifest" crossorigin="use-credentials" />
+
+    {{#if (prod)}}
+      <link data-name="vs/workbench/workbench.web.api" rel="stylesheet" href="{{CS_STATIC_BASE}}/lib/vscode/out/vs/workbench/workbench.web.api.css">
+    {{/if}}
+
     <link rel="apple-touch-icon" href="{{CS_STATIC_BASE}}/src/browser/media/pwa-icon-384.png" />
     <meta name="apple-mobile-web-app-capable" content="yes" />
 
     <!-- Prefetch to avoid waterfall -->
-    <!-- PROD_ONLY
-    <link rel="prefetch" href="{{CS_STATIC_BASE}}/lib/vscode/node_modules/semver-umd/lib/semver-umd.js">
-    END_PROD_ONLY -->
+    {{#if (prod)}}
+      <link rel="prefetch" href="{{CS_STATIC_BASE}}/lib/vscode/node_modules/semver-umd/lib/semver-umd.js">
+    {{/if}}
 
-    <meta id="coder-options" data-settings="{{OPTIONS}}" />
+    <meta id="coder-options" data-settings="{{{json coderOptions}}}" />
   </head>
 
   <body aria-label=""></body>
@@ -46,14 +49,17 @@
   <script data-cfasync="false" src="{{CS_STATIC_BASE}}/dist/pages/vscode.js"></script>
   <script data-cfasync="false" src="{{CS_STATIC_BASE}}/dist/register.js"></script>
   <script data-cfasync="false" src="{{CS_STATIC_BASE}}/lib/vscode/out/vs/loader.js"></script>
+
   <script>
-    globalThis.MonacoPerformanceMarks.push("willLoadWorkbenchMain", Date.now())
+    globalThis.MonacoPerformanceMarks.push("willLoadWorkbenchMain", Date.now());
   </script>
-  <!-- PROD_ONLY
-  <script data-cfasync="false" src="{{CS_STATIC_BASE}}/lib/vscode/out/vs/workbench/workbench.web.api.nls.js"></script>
-  <script data-cfasync="false" src="{{CS_STATIC_BASE}}/lib/vscode/out/vs/workbench/workbench.web.api.js"></script>
-  END_PROD_ONLY -->
+
+  {{#if (prod)}}
+    <script data-cfasync="false" src="{{CS_STATIC_BASE}}/lib/vscode/out/vs/workbench/workbench.web.api.nls.js"></script>
+    <script data-cfasync="false" src="{{CS_STATIC_BASE}}/lib/vscode/out/vs/workbench/workbench.web.api.js"></script>
+  {{/if}}
+
   <script>
-    require(["vs/code/browser/workbench/workbench"], function () {})
+    require(["vs/code/browser/workbench/workbench"], function () {});
   </script>
 </html>

src/browser/pages/vscode.html renamed to src/browser/pages/vscode.handlebars

@@ -1,16 +1,40 @@
 import { logger } from "@coder/logger"
+import { encodeXML } from "entities"
 import express, { Express } from "express"
+import exphbs from "express-handlebars"
 import { promises as fs } from "fs"
 import http from "http"
 import * as httpolyglot from "httpolyglot"
+import { resolve } from "path"
 import { DefaultedArgs } from "./cli"
+import { rootPath } from "./constants"
 import { handleUpgrade } from "./http"
 
 /**
  * Create an Express app and an HTTP/S server to serve it.
  */
 export const createApp = async (args: DefaultedArgs): Promise<[Express, http.Server]> => {
+  const prod = process.env.NODE_ENV === "production"
   const app = express()
+  app.set("json spaces", prod ? 0 : 2)
+
+  app.engine(
+    "handlebars",
+    exphbs({
+      helpers: {
+        prod: () => prod,
+        /**
+         * Converts to JSON string and encodes entities for use in HTML.
+         * @TODO we can likely move JSON attributes to <script type="text/json">
+         *  and reduce the escaped output.
+         */
+        json: (content: any): string => encodeXML(JSON.stringify(content)),
+      },
+    }),
+  )
+
+  app.set("views", resolve(rootPath, "src/browser/pages"))
+  app.set("view engine", "handlebars")
 
   const server = args.cert
     ? httpolyglot.createServer(

src/node/app.ts

@@ -16,26 +16,33 @@ export interface Locals {
   heart: Heart
 }
 
-/**
- * Replace common variable strings in HTML templates.
- */
-export const replaceTemplates = <T extends object>(
+export interface CommonTemplateVars {
+  layout: boolean
+  TO: string
+  BASE: string
+  CS_STATIC_BASE: string
+  coderOptions: Options
+}
+
+export const commonTemplateVars = <T extends Options>(
   req: express.Request,
-  content: string,
   extraOpts?: Omit<T, "base" | "csStaticBase" | "logLevel">,
-): string => {
+): CommonTemplateVars => {
   const base = relativeRoot(req)
-  const options: Options = {
+  const coderOptions: Options = {
     base,
     csStaticBase: base + "/static/" + commit + rootPath,
     logLevel: logger.level,
     ...extraOpts,
   }
-  return content
-    .replace(/{{TO}}/g, (typeof req.query.to === "string" && req.query.to) || "/")
-    .replace(/{{BASE}}/g, options.base)
-    .replace(/{{CS_STATIC_BASE}}/g, options.csStaticBase)
-    .replace(/"{{OPTIONS}}"/, `'${JSON.stringify(options)}'`)
+
+  return {
+    TO: (typeof req.query.to === "string" && req.query.to) || "/",
+    BASE: coderOptions.base,
+    CS_STATIC_BASE: coderOptions.csStaticBase,
+    coderOptions,
+    layout: false,
+  }
 }
 
 /**

src/node/http.ts

@@ -11,12 +11,13 @@ import { plural } from "../../common/util"
 import { AuthType, DefaultedArgs } from "../cli"
 import { rootPath } from "../constants"
 import { Heart } from "../heart"
-import { replaceTemplates } from "../http"
+import { commonTemplateVars } from "../http"
 import { loadPlugins } from "../plugin"
 import * as domainProxy from "../proxy"
 import { getMediaMime, paths } from "../util"
 import * as health from "./health"
 import * as login from "./login"
+import * as manifest from "./manifest"
 import * as proxy from "./proxy"
 // static is a reserved keyword.
 import * as _static from "./static"
@@ -85,6 +86,7 @@ export const register = async (app: Express, server: http.Server, args: Defaulte
 
   app.use("/", domainProxy.router)
   app.use("/", vscode.router)
+  app.use("/", manifest.router)
   app.use("/healthz", health.router)
   if (args.auth === AuthType.Password) {
     app.use("/login", login.router)
@@ -101,20 +103,19 @@ export const register = async (app: Express, server: http.Server, args: Defaulte
   })
 
   const errorHandler: ErrorRequestHandler = async (err, req, res, next) => {
-    const resourcePath = path.resolve(rootPath, "src/browser/pages/error.html")
-    res.set("Content-Type", getMediaMime(resourcePath))
+    if (err.code === "ENOENT" || err.code === "EISDIR") {
+      err.status = HttpCode.NotFound
+    }
+
+    const status = err.status ?? err.statusCode ?? 500
+
     try {
-      const content = await fs.readFile(resourcePath, "utf8")
-      if (err.code === "ENOENT" || err.code === "EISDIR") {
-        err.status = HttpCode.NotFound
-      }
-      const status = err.status ?? err.statusCode ?? 500
-      res.status(status).send(
-        replaceTemplates(req, content)
-          .replace(/{{ERROR_TITLE}}/g, status)
-          .replace(/{{ERROR_HEADER}}/g, status)
-          .replace(/{{ERROR_BODY}}/g, err.message),
-      )
+      res.status(status).render("error", {
+        ...commonTemplateVars(req),
+        ERROR_TITLE: status,
+        ERROR_HEADER: status,
+        ERROR_BODY: err.message,
+      })
     } catch (error) {
       next(error)
     }