Better training note formatting

vzdv-site/Cargo.toml

@@ -40,5 +40,5 @@ tower-sessions = "0.12.0"
 tower-sessions-sqlx-store = { version = "0.13.0", features = ["sqlite"] }
 uuid = { version = "1.10.0", features = ["v4", "fast-rng"] }
 vatsim_utils = "0.5.0"
-voca_rs = "1.15.2"
 geo = "0.28.0"
+regex = "1.11.0"

vzdv-site/src/endpoints/controller.rs

@@ -3,8 +3,8 @@
 use crate::{
     flashed_messages::{self, MessageLevel},
     shared::{
-        is_user_member_of, js_timestamp_to_utc, post_audit, reject_if_not_in, AppError, AppState,
-        UserInfo, SESSION_USER_INFO_KEY,
+        is_user_member_of, js_timestamp_to_utc, post_audit, reject_if_not_in, strip_some_tags,
+        AppError, AppState, UserInfo, SESSION_USER_INFO_KEY,
     },
 };
 use axum::{
@@ -412,8 +412,6 @@ async fn snippet_get_training_records(
     session: Session,
     Path(cid): Path<u32>,
 ) -> Result<Response, AppError> {
-    use voca_rs::Voca;
-
     let user_info: Option<UserInfo> = session.get(SESSION_USER_INFO_KEY).await?;
     if let Some(redirect) =
         reject_if_not_in(&state, &user_info, PermissionsGroup::TrainingTeam).await
@@ -429,7 +427,7 @@ async fn snippet_get_training_records(
         .map(|record| {
             let record = record.clone();
             TrainingRecord {
-                notes: record.notes._strip_tags(),
+                notes: strip_some_tags(&record.notes).replace("\n", "<br>"),
                 ..record
             }
         })

vzdv-site/src/endpoints/events.rs

@@ -24,7 +24,6 @@ use serde::{Deserialize, Serialize};
 use sqlx::{Pool, Sqlite};
 use std::sync::Arc;
 use tower_sessions::Session;
-use voca_rs::Voca;
 use vzdv::{
     sql::{self, Controller, Event, EventPosition, EventRegistration},
     vatusa::get_controller_info,
@@ -494,7 +493,7 @@ async fn post_register_for_event(
         .bind(c_1)
         .bind(c_2)
         .bind(c_3)
-        .bind(register_data.notes._substring(0, 500))
+        .bind(&register_data.notes[0..500])
         .execute(&state.db)
         .await?;
     info!(

vzdv-site/src/endpoints/user.rs

@@ -2,7 +2,7 @@
 
 use crate::{
     discord, flashed_messages,
-    shared::{AppError, AppState, UserInfo, SESSION_USER_INFO_KEY},
+    shared::{strip_some_tags, AppError, AppState, UserInfo, SESSION_USER_INFO_KEY},
 };
 use axum::{
     extract::{Query, State},
@@ -25,8 +25,6 @@ async fn page_training_notes(
     State(state): State<Arc<AppState>>,
     session: Session,
 ) -> Result<Response, AppError> {
-    use voca_rs::Voca;
-
     let user_info: Option<UserInfo> = session.get(SESSION_USER_INFO_KEY).await?;
     let user_info = match user_info {
         Some(info) => info,
@@ -42,7 +40,7 @@ async fn page_training_notes(
         .map(|record| {
             let record = record.clone();
             TrainingRecord {
-                notes: record.notes._strip_tags(),
+                notes: strip_some_tags(&record.notes).replace("\n", "<br>"),
                 ..record
             }
         })

vzdv-site/src/shared.rs

@@ -9,9 +9,10 @@ use chrono::{NaiveDateTime, TimeZone};
 use log::{error, info};
 use mini_moka::sync::Cache;
 use minijinja::{context, Environment};
+use regex::Regex;
 use serde::{Deserialize, Serialize};
 use serde_json::json;
-use std::sync::OnceLock;
+use std::sync::{LazyLock, OnceLock};
 use std::{sync::Arc, time::Instant};
 use tower_sessions_sqlx_store::sqlx::SqlitePool;
 use vzdv::GENERAL_HTTP_CLIENT;
@@ -269,3 +270,55 @@ pub fn post_audit(config: &Config, message: String) {
         }
     });
 }
+
+static TAG_REGEX_REPLACEMENTS: LazyLock<Vec<Regex>> = LazyLock::new(|| {
+    vec![
+        Regex::new(r"(?i)<form").unwrap(),
+        Regex::new(r"(?i)<script").unwrap(),
+        Regex::new(r"(?i)<button").unwrap(),
+        Regex::new(r"(?i)<a").unwrap(),
+    ]
+});
+
+/// Strip some tags from the HTML string for (relatively) safe direct rendering in the DOM.
+///
+/// I'm not really worried about the resulting string _looking_ okay, I just don't want
+/// to render forms or scripts in people's browsers.
+pub fn strip_some_tags(s: &str) -> String {
+    let mut ret = s.to_string();
+    for re in TAG_REGEX_REPLACEMENTS.iter() {
+        ret = re.replace_all(&ret, "").to_string();
+    }
+    ret
+}
+
+#[cfg(test)]
+mod tests {
+    use super::strip_some_tags;
+
+    #[test]
+    fn test_strip_some_tags() {
+        assert_eq!(
+            strip_some_tags(r#"foo <script src="https://example.com"></script> bar"#),
+            r#"foo  src="https://example.com"></script> bar"#
+        );
+        assert_eq!(
+            strip_some_tags(r#"foo <SCRIPT src="https://example.com"></SCRIPT> bar"#),
+            r#"foo  src="https://example.com"></SCRIPT> bar"#
+        );
+        assert_eq!(
+            strip_some_tags(
+                r#"foo <fORm method="POST" action="https://example.com"></SCRIPT> bar"#
+            ),
+            r#"foo  method="POST" action="https://example.com"></SCRIPT> bar"#
+        );
+        assert_eq!(
+            strip_some_tags(r#"something <button type="submit"></button>"#),
+            r#"something  type="submit"></button>"#
+        );
+        assert_eq!(
+            strip_some_tags(r#"click <a href="https://example.com">here</a> to win"#),
+            r#"click  href="https://example.com">here</a> to win"#
+        );
+    }
+}

vzdv-site/templates/changelog.jinja

@@ -20,6 +20,7 @@
     <div class="card-text">
       <ul>
         <li>Sr Staff can edit controller feedback before posting (mostly to remove PII).</li>
+        <li>Controller training notes are a bit more lively-looking.</li>
       </ul>
     </div>
   </div>

vzdv/Cargo.toml

@@ -28,6 +28,5 @@ tower-http = { version = "0.5.2", features = ["fs", "timeout"] }
 tower-sessions = "0.12.0"
 tower-sessions-sqlx-store = { version = "0.13.0", features = ["sqlite"] }
 vatsim_utils = "0.5.0"
-voca_rs = "1.15.2"
 fern = { version = "0.6.2", features = ["colored"] }
 humantime = "2.1.0"