Plugin pages render through generic content template

plugins/scholar/scholar.go

@@ -7,8 +7,12 @@ import (
 	"errors"
 	"fmt"
 	"goblog/blog"
+	"html"
 	"log"
+	"net/url"
 	"sort"
+	"strconv"
+	"strings"
 	"sync"
 	"time"
 
@@ -115,12 +119,13 @@ func (p *ScholarPlugin) RenderPage(ctx *gplugin.HookContext, pageType string) (s
 		return "", nil
 	}
 
+	data := gin.H{"has_plugin_content": true}
+
 	settings := ctx.Settings
 	scholarID := settings["scholar_id"]
 	if scholarID == "" {
-		return "page_research.html", gin.H{
-			"errors": "Google Scholar ID not configured. Set it in the Scholar plugin settings.",
-		}
+		data["plugin_content"] = `<div class="alert alert-warning" role="alert">Google Scholar ID not configured. Set it in the Scholar plugin settings.</div>`
+		return "page_content.html", data
 	}
 
 	limitStr := settings["article_limit"]
@@ -132,18 +137,71 @@ func (p *ScholarPlugin) RenderPage(ctx *gplugin.HookContext, pageType string) (s
 	p.ensureScholar(settings)
 
 	articles, err := p.sch.QueryProfileWithMemoryCache(scholarID, limit)
-	data := gin.H{}
-	if err == nil {
-		sortArticlesByDateDesc(articles)
-		p.sch.SaveCache(settings["profile_cache"], settings["article_cache"])
-		data["articles"] = articles
-	} else {
+	if err != nil {
 		log.Printf("Scholar query failed: %v", err)
-		data["articles"] = make([]*scholarlib.Article, 0)
-		data["errors"] = err.Error()
+		data["plugin_content"] = `<div class="alert alert-danger" role="alert">` + html.EscapeString(err.Error()) + `</div>`
+		return "page_content.html", data
+	}
+
+	sortArticlesByDateDesc(articles)
+	p.sch.SaveCache(settings["profile_cache"], settings["article_cache"])
+
+	data["plugin_content"] = renderArticlesHTML(articles)
+	return "page_content.html", data
+}
+
+// safeHref returns the URL only if it uses http or https scheme, otherwise empty.
+func safeHref(rawURL string) string {
+	u, err := url.Parse(rawURL)
+	if err != nil {
+		return ""
+	}
+	if u.Scheme != "http" && u.Scheme != "https" {
+		return ""
+	}
+	return html.EscapeString(rawURL)
+}
+
+// renderArticlesHTML generates the HTML for the articles list.
+func renderArticlesHTML(articles []*scholarlib.Article) string {
+	if len(articles) == 0 {
+		return `<p>No publications found.</p>`
 	}
 
-	return "page_research.html", data
+	var b strings.Builder
+	for _, a := range articles {
+		b.WriteString(`<div style="margin-bottom: 12px; padding-bottom: 12px; border-bottom: 1px solid #eee;">`)
+
+		// Title — link only if URL is safe
+		href := safeHref(a.ScholarURL)
+		if href != "" {
+			b.WriteString(`<div><a href="` + href + `">` + html.EscapeString(a.Title) + `</a></div>`)
+		} else {
+			b.WriteString(`<div>` + html.EscapeString(a.Title) + `</div>`)
+		}
+
+		if a.Authors != "" {
+			b.WriteString(`<div style="color: #666; font-size: 13px;">` + html.EscapeString(a.Authors) + `</div>`)
+		}
+
+		// Meta line: year · journal · citations
+		var meta []string
+		if a.Year > 0 {
+			meta = append(meta, strconv.Itoa(a.Year))
+		}
+		if a.Journal != "" {
+			meta = append(meta, html.EscapeString(a.Journal))
+		}
+		if a.NumCitations > 0 {
+			meta = append(meta, strconv.Itoa(a.NumCitations)+" citations")
+		}
+		if len(meta) > 0 {
+			b.WriteString(`<div style="color: #888; font-size: 13px;">` + strings.Join(meta, " &middot; ") + `</div>`)
+		}
+
+		b.WriteString(`</div>`)
+	}
+	return b.String()
 }
 
 func (p *ScholarPlugin) ScheduledJobs() []gplugin.ScheduledJob {

plugins/scholar/scholar_test.go

@@ -1,8 +1,10 @@
 package scholar
 
 import (
-	scholarlib "github.com/compscidr/scholar"
+	"strings"
 	"testing"
+
+	scholarlib "github.com/compscidr/scholar"
 )
 
 func TestSortArticlesByDateDesc(t *testing.T) {
@@ -23,3 +25,84 @@ func TestSortArticlesByDateDesc(t *testing.T) {
 		}
 	}
 }
+
+func TestRenderArticlesHTML_Empty(t *testing.T) {
+	result := renderArticlesHTML(nil)
+	if !strings.Contains(result, "No publications found") {
+		t.Errorf("expected 'No publications found' for empty list, got %q", result)
+	}
+}
+
+func TestRenderArticlesHTML_WithArticles(t *testing.T) {
+	articles := []*scholarlib.Article{
+		{
+			Title:        "Test Paper",
+			Authors:      "Alice, Bob",
+			ScholarURL:   "https://scholar.google.com/test",
+			Year:         2024,
+			Journal:      "Test Journal",
+			NumCitations: 42,
+		},
+	}
+	result := renderArticlesHTML(articles)
+
+	if !strings.Contains(result, "Test Paper") {
+		t.Error("expected title in output")
+	}
+	if !strings.Contains(result, "Alice, Bob") {
+		t.Error("expected authors in output")
+	}
+	if !strings.Contains(result, "2024") {
+		t.Error("expected year in output")
+	}
+	if !strings.Contains(result, "Test Journal") {
+		t.Error("expected journal in output")
+	}
+	if !strings.Contains(result, "42 citations") {
+		t.Error("expected citation count in output")
+	}
+	if !strings.Contains(result, `href="https://scholar.google.com/test"`) {
+		t.Error("expected scholar URL in href")
+	}
+}
+
+func TestRenderArticlesHTML_XSSEscaping(t *testing.T) {
+	articles := []*scholarlib.Article{
+		{
+			Title:      `<script>alert("xss")</script>`,
+			Authors:    `Bob "the hacker"`,
+			ScholarURL: "https://scholar.google.com/safe",
+		},
+	}
+	result := renderArticlesHTML(articles)
+
+	if strings.Contains(result, "<script>") {
+		t.Error("title should be HTML-escaped")
+	}
+	if strings.Contains(result, `"the hacker"`) {
+		t.Error("authors should be HTML-escaped")
+	}
+}
+
+func TestSafeHref(t *testing.T) {
+	tests := []struct {
+		input string
+		safe  bool
+	}{
+		{"https://scholar.google.com/test", true},
+		{"http://example.com", true},
+		{"javascript:alert(1)", false},
+		{"data:text/html,<h1>hi</h1>", false},
+		{"ftp://files.example.com", false},
+		{"", false},
+	}
+	for _, tt := range tests {
+		result := safeHref(tt.input)
+		if tt.safe && result == "" {
+			t.Errorf("expected %q to be safe, got empty", tt.input)
+		}
+		if !tt.safe && result != "" {
+			t.Errorf("expected %q to be blocked, got %q", tt.input, result)
+		}
+	}
+}

themes/default/templates/page_content.html

@@ -21,15 +21,18 @@ <h1>{{ .page.Title }}</h1>
     {{ if .is_admin }}
     <p class="text-left"><a href="/admin/pages/{{ .page.ID }}">Edit this page</a></p>
     {{ end }}
+    {{ if .has_plugin_content }}
+    <div id="page-content">{{ .plugin_content | rawHTML }}</div>
+    {{ else }}
     <div id="page-content"></div>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/showdown/2.1.0/showdown.min.js" integrity="sha512-LhccdVNGe2QMEfI3x4DVV3ckMRe36TfydKss6mJpdHjNFiV07dFpS2xzeZedptKZrwxfICJpez09iNioiSZ3hA==" crossorigin="anonymous"></script>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/3.2.7/purify.min.js" integrity="sha512-78KH17QLT5e55GJqP76vutp1D2iAoy06WcYBXB6iBCsmO6wWzx0Qdg8EDpm8mKXv68BcvHOyeeP4wxAL0twJGQ==" crossorigin="anonymous"></script>
+    <script>
+      var converter = new showdown.Converter({tables: true});
+      var content = {{ .page.Content }};
+      document.getElementById('page-content').innerHTML = DOMPurify.sanitize(converter.makeHtml(content));
+    </script>
+    {{ end }}
   </div>
 
-  <script src="https://cdnjs.cloudflare.com/ajax/libs/showdown/2.1.0/showdown.min.js" integrity="sha512-LhccdVNGe2QMEfI3x4DVV3ckMRe36TfydKss6mJpdHjNFiV07dFpS2xzeZedptKZrwxfICJpez09iNioiSZ3hA==" crossorigin="anonymous"></script>
-  <script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/3.2.7/purify.min.js" integrity="sha512-78KH17QLT5e55GJqP76vutp1D2iAoy06WcYBXB6iBCsmO6wWzx0Qdg8EDpm8mKXv68BcvHOyeeP4wxAL0twJGQ==" crossorigin="anonymous"></script>
-  <script>
-    var converter = new showdown.Converter({tables: true});
-    var content = {{ .page.Content }};
-    document.getElementById('page-content').innerHTML = DOMPurify.sanitize(converter.makeHtml(content));
-  </script>
-
 {{ template "footer.html" .}}

themes/forest/templates/page_content.html

@@ -5,15 +5,18 @@ <h1>{{ .page.Title }}</h1>
     {{ if .is_admin }}
     <p class="text-left"><a href="/admin/pages/{{ .page.ID }}">Edit this page</a></p>
     {{ end }}
+    {{ if .has_plugin_content }}
+    <div id="page-content">{{ .plugin_content | rawHTML }}</div>
+    {{ else }}
     <div id="page-content"></div>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/showdown/2.1.0/showdown.min.js" integrity="sha512-LhccdVNGe2QMEfI3x4DVV3ckMRe36TfydKss6mJpdHjNFiV07dFpS2xzeZedptKZrwxfICJpez09iNioiSZ3hA==" crossorigin="anonymous"></script>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/3.2.7/purify.min.js" integrity="sha512-78KH17QLT5e55GJqP76vutp1D2iAoy06WcYBXB6iBCsmO6wWzx0Qdg8EDpm8mKXv68BcvHOyeeP4wxAL0twJGQ==" crossorigin="anonymous"></script>
+    <script>
+      var converter = new showdown.Converter({tables: true});
+      var content = {{ .page.Content }};
+      document.getElementById('page-content').innerHTML = DOMPurify.sanitize(converter.makeHtml(content));
+    </script>
+    {{ end }}
   </div></div>
 
-  <script src="https://cdnjs.cloudflare.com/ajax/libs/showdown/2.1.0/showdown.min.js" integrity="sha512-LhccdVNGe2QMEfI3x4DVV3ckMRe36TfydKss6mJpdHjNFiV07dFpS2xzeZedptKZrwxfICJpez09iNioiSZ3hA==" crossorigin="anonymous"></script>
-  <script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/3.2.7/purify.min.js" integrity="sha512-78KH17QLT5e55GJqP76vutp1D2iAoy06WcYBXB6iBCsmO6wWzx0Qdg8EDpm8mKXv68BcvHOyeeP4wxAL0twJGQ==" crossorigin="anonymous"></script>
-  <script>
-    var converter = new showdown.Converter({tables: true});
-    var content = {{ .page.Content }};
-    document.getElementById('page-content').innerHTML = DOMPurify.sanitize(converter.makeHtml(content));
-  </script>
-
 {{ template "footer.html" .}}

themes/minimal/templates/page_content.html

@@ -5,15 +5,18 @@ <h1>{{ .page.Title }}</h1>
     {{ if .is_admin }}
     <p class="text-left"><a href="/admin/pages/{{ .page.ID }}">Edit this page</a></p>
     {{ end }}
+    {{ if .has_plugin_content }}
+    <div id="page-content">{{ .plugin_content | rawHTML }}</div>
+    {{ else }}
     <div id="page-content"></div>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/showdown/2.1.0/showdown.min.js" integrity="sha512-LhccdVNGe2QMEfI3x4DVV3ckMRe36TfydKss6mJpdHjNFiV07dFpS2xzeZedptKZrwxfICJpez09iNioiSZ3hA==" crossorigin="anonymous"></script>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/3.2.7/purify.min.js" integrity="sha512-78KH17QLT5e55GJqP76vutp1D2iAoy06WcYBXB6iBCsmO6wWzx0Qdg8EDpm8mKXv68BcvHOyeeP4wxAL0twJGQ==" crossorigin="anonymous"></script>
+    <script>
+      var converter = new showdown.Converter({tables: true});
+      var content = {{ .page.Content }};
+      document.getElementById('page-content').innerHTML = DOMPurify.sanitize(converter.makeHtml(content));
+    </script>
+    {{ end }}
   </div>
 
-  <script src="https://cdnjs.cloudflare.com/ajax/libs/showdown/2.1.0/showdown.min.js" integrity="sha512-LhccdVNGe2QMEfI3x4DVV3ckMRe36TfydKss6mJpdHjNFiV07dFpS2xzeZedptKZrwxfICJpez09iNioiSZ3hA==" crossorigin="anonymous"></script>
-  <script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/3.2.7/purify.min.js" integrity="sha512-78KH17QLT5e55GJqP76vutp1D2iAoy06WcYBXB6iBCsmO6wWzx0Qdg8EDpm8mKXv68BcvHOyeeP4wxAL0twJGQ==" crossorigin="anonymous"></script>
-  <script>
-    var converter = new showdown.Converter({tables: true});
-    var content = {{ .page.Content }};
-    document.getElementById('page-content').innerHTML = DOMPurify.sanitize(converter.makeHtml(content));
-  </script>
-
 {{ template "footer.html" .}}