Diffstat (limited to 'src/get_routes.rs')
-rw-r--r--src/get_routes.rs37
1 files changed, 33 insertions, 4 deletions
diff --git a/src/get_routes.rs b/src/get_routes.rs
index e07050d..57d7e56 100644
--- a/src/get_routes.rs
+++ b/src/get_routes.rs
@@ -25,6 +25,7 @@ use crate::Context;
use crate::Error;
use crate::HyperResponse;
use crate::Page;
+use crate::RenderMode;
use crate::Response;
pub(crate) fn get_blob<C: Controller>(
@@ -40,7 +41,8 @@ pub(crate) fn get_blob<C: Controller>(
"upload" => Ok(forms::upload_form(true, controller, &ctx, parts).into()),
"log" => log_blob(entr, params, controller, ctx, parts),
"diff" => diff_blob(entr, params, controller, ctx, parts),
- "raw" => raw_blob(entr, params, controller, ctx, parts),
+ "raw" => raw_blob(entr, params, controller, ctx, parts).map(|r| r.into()),
+ "run" => run_blob(entr, params, controller, ctx, parts).map(|r| r.into()),
"move" => move_blob(entr, params, controller, ctx, parts),
"remove" => remove_blob(entr, params, controller, ctx, parts),
_ => Err(Error::BadRequest("unknown action".into())),
@@ -81,7 +83,7 @@ fn view_blob<C: Controller>(
match from_utf8(blob.content()) {
Ok(text) => {
if let Some(renderer) = get_renderer(&ctx.path) {
- renderer(text, &mut page);
+ renderer(text, &mut page, RenderMode::View);
} else {
page.body
.push_str(&format!("<pre>{}</pre>", html_escape(text)));
@@ -314,7 +316,7 @@ fn raw_blob<C: Controller>(
_controller: &C,
ctx: Context,
parts: &Parts,
-) -> Result<Response, Error> {
+) -> Result<HyperResponse, Error> {
if let Some(etag) = parts
.headers
.get(header::IF_NONE_MATCH)
@@ -348,7 +350,34 @@ fn raw_blob<C: Controller>(
.insert(header::CONTENT_TYPE, mime.to_string().parse().unwrap());
}
}
- Ok(resp.into())
+ Ok(resp)
+}
+
+fn run_blob<C: Controller>(
+ entr: TreeEntry,
+ params: ActionParam,
+ controller: &C,
+ ctx: Context,
+ parts: &Parts,
+) -> Result<HyperResponse, Error> {
+ if ctx.path.extension().unwrap().to_str() != Some("html") {
+ return Err(Error::BadRequest(
+ "run action only available for .html files".into(),
+ ));
+ }
+ raw_blob(entr, params, controller, ctx, parts).map(|mut r| {
+ r.headers_mut()
+ .insert(header::CONTENT_TYPE, "text/html".parse().unwrap());
+ // We want users to be able to view .html applications of other users
+ // without having to worry about the application accessing their private
+ // files. So we set the CSP: sandbox header which makes browsers treat
+ // the page as a unique origin as per the same-origin policy.
+ r.headers_mut().insert(
+ header::CONTENT_SECURITY_POLICY,
+ "sandbox allow-scripts;".parse().unwrap(),
+ );
+ r
+ })
}
fn move_blob<C: Controller>(
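Review bot: `ctx.path.extension().unwrap()` at the top of `run_blob` panics when the requested path has no extension, so a `run` request on such a file hits a panic instead of the `BadRequest` this check is meant to return; compare through the option instead, `if ctx.path.extension().and_then(|e| e.to_str()) != Some("html") {`. The `Content-Security-Policy: sandbox` header is attached only on this action, so if `raw_blob` (whose body lies mostly outside the hunk) sets `Content-Type` from the guessed MIME type, the same .html file requested with `raw` would presumably render in the site's own origin with no sandbox; it is worth confirming that `raw` never serves uploaded HTML as `text/html`. The two `.parse().unwrap()` calls on constant header values could be `header::HeaderValue::from_static("text/html")` and `header::HeaderValue::from_static("sandbox allow-scripts;")`, which makes it explicit that they cannot fail on request data.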