plone · mauritsvanrees · Apr 23, 2024 · Mar 26, 2024 · Mar 26, 2024 · Mar 26, 2024
diff --git a/news/3931.feature b/news/3931.feature
@@ -0,0 +1,8 @@
+Add a field ``webstats_head_js`` to the Site controlpanel and render its
+contents in the head section using ``IHtmlHeadLinks`` viewlet manager.
+See `issue 3931 <https://github.com/plone/Products.CMFPlone/issues/3931>`_:
+some javascript needs to be loaded at the bottom of the page, and some in the head section.
+Fool proofing by filering out <base>-tags, <title>-tags and rendering valid html for the
+remaining tags.
+[jladage]
+
diff --git a/plone/app/layout/analytics/configure.zcml b/plone/app/layout/analytics/configure.zcml
@@ -3,6 +3,13 @@
     xmlns:browser="http://namespaces.zope.org/browser"
     >
 
+  <browser:viewlet
+      name="plone.analytics.head"
+      manager="plone.app.layout.viewlets.interfaces.IHtmlHead"
+      class=".view.AnalyticsHeadViewlet"
+      permission="zope2.View"
+      />
+
   <browser:viewlet
       name="plone.analytics"
       manager="plone.app.layout.viewlets.interfaces.IPortalFooter"

diff --git a/plone/app/layout/analytics/tests/analytics.txt b/plone/app/layout/analytics/tests/analytics.txt
@@ -5,7 +5,7 @@ We need a view on the content.
     >>> from zope.publisher.browser import BrowserView
     >>> view = BrowserView(portal, request)
 
-    >>> from plone.app.layout.viewlets.interfaces import IPortalFooter
+    >>> from plone.app.layout.viewlets.interfaces import IHtmlHead, IPortalFooter
     >>> from Products.Five.viewlet.manager import ViewletManager
     >>> Footer = ViewletManager('left', IPortalFooter)
 
@@ -20,7 +20,7 @@ Now we can instantiate the manager.
 
 When no analytics (webstats_js) code is set up the viewlet will not be rendered:
 
-    >>> analytics.webstats_js == u""
+    >>> analytics.webstats_js == ""
     True
     >>> text = manager.render()
     >>> 'id="plone-analytics"' in text
@@ -46,5 +46,72 @@ Now enter some non-ascii text
 
     >>> site_settings.webstats_js = u"<script>window.title='C\xedsa\u0159'</script>"
     >>> text = manager.render()
-    >>> site_settings.webstats_js in text
+    >>> "<script>window.title='Císař'</script>" in text
+    True
+
+Now instantiate a viewlet manager for the header.
+
+    >>> Head = ViewletManager('left', IHtmlHead)
+    >>> manager = Head(portal, request, view)
+    >>> manager.update()
+    >>> for viewlet in manager.viewlets:
+    ...     if viewlet.__name__ == "plone.analytics.head":
+    ...         analytics_head = viewlet
+    ...         break
+
+When no analytics (webstats_head_js) code is set up the viewlet will not be rendered:
+
+    >>> analytics_head.webstats_js == ""
+    True
+    >>> text = manager.render()
+    >>> 'plone.analytics.head goes here' in text
+    False
+
+Set the analytics code through the controlpanel and verify it renders properly:
+
+    >>> from plone.registry.interfaces import IRegistry
+    >>> from zope.component import getUtility
+    >>> from plone.base.interfaces import ISiteSchema
+    >>> registry = getUtility(IRegistry)
+    >>> site_settings = registry.forInterface(ISiteSchema, prefix="plone")
+    >>> site_settings.webstats_head_js = u"<script>window.title='Hello'</script>"
+    >>> analytics_head.webstats_js == site_settings.webstats_head_js
     True
+    >>> text = manager.render()
+    >>> 'plone.analytics.head goes here' in text
+    True
+    >>> site_settings.webstats_head_js in text
+    True
+
+If we add other tags than script tags, we only render the script tags.
+
+    >>> site_settings.webstats_head_js = u"<script>window.title='Hello'</script><link rel='stylesheet' src='teststyle.css'/>"
+    >>> text = manager.render()
+    >>> "<link rel='stylesheet' src='teststyle.css'/>" in text
+    False
+    >>> site_settings.webstats_head_js in text
+    False
+    >>> "<script>window.title='Hello'</script>" in text
+    True
+
+Now enter some tags we don't want to render, like a <base> and <title> tag,
+since they should occur only once and is set by Plone. <style>, <script> and
+<link> tags are allowed.
+
+    >>> site_settings.webstats_head_js = u"<base href='some-url' /><title>Gets removed</title><link rel='stylesheet' src='teststyle.css' /><script>window.title='C\xedsa\u0159'</script>"
+    >>> text = manager.render()
+    >>> '<link rel="stylesheet" src="teststyle.css">' in text
+    True
+    >>> "<base href='some-url'>" in text
+    False
+    >>> "<title>Gets removed</title>" in text
+    False
+    >>> "<script>window.title='Císař'</script>" in text
+    True
+
+Final check, if we have bogus content in here, will things break?
+
+    >>> site_settings.webstats_head_js = u"console.log('Missing script tag')"
+    >>> text = manager.render()
+    >>> "console.log('Missing script tag')" in text
+    False
diff --git a/plone/app/layout/analytics/view.py b/plone/app/layout/analytics/view.py
@@ -1,3 +1,4 @@
+from lxml import html as lxmlhtml
 from plone.base.interfaces import ISiteSchema
 from plone.registry.interfaces import IRegistry
 from Products.Five.browser import BrowserView
@@ -7,9 +8,13 @@
 from zope.viewlet.interfaces import IViewlet
 
 
+UNWANTED_TAGS = ["base", "title"]
+
+
 @implementer(IViewlet)
 class AnalyticsViewlet(BrowserView):
     render = ViewPageTemplateFile("view.pt")
+    record_name = "webstats_js"
 
     def __init__(self, context, request, view, manager):
         super().__init__(context, request)
@@ -21,11 +26,30 @@ def __init__(self, context, request, view, manager):
     def webstats_js(self):
         registry = getUtility(IRegistry)
         site_settings = registry.forInterface(ISiteSchema, prefix="plone", check=False)
-        try:
-            return site_settings.webstats_js or ""
-        except AttributeError:
-            return ""
+        stats = getattr(site_settings, self.record_name, "")
+        html = ""
+        if stats != "":
+            try:
+                html = lxmlhtml.fragment_fromstring(stats, create_parent="div")
+            except Exception:
+                return ""
+
+            query = "| //".join(UNWANTED_TAGS)
+            bad_tags = html.xpath(f"//{query}")
+            if bad_tags:
+                for bad_tag in bad_tags:
+                    bad_tag.drop_tree()
+            return "\n".join(
+                lxmlhtml.tostring(x, encoding="unicode") for x in html.iterchildren()
+            )
+        return ""
 
     def update(self):
         """The viewlet manager _updateViewlets requires this method"""
         pass
+
+
+@implementer(IViewlet)
+class AnalyticsHeadViewlet(AnalyticsViewlet):
+    render = ViewPageTemplateFile("view_head.pt")
+    record_name = "webstats_head_js"
diff --git a/plone/app/layout/analytics/view_head.pt b/plone/app/layout/analytics/view_head.pt
@@ -0,0 +1,9 @@
+<div tal:define="
+       webstats_head_js view/webstats_js;
+     "
+     tal:condition="webstats_head_js"
+     tal:omit-tag=""
+>
+  <!-- plone.analytics.head goes here -->
+  <span tal:replace="structure webstats_head_js"></span>
+</div>
diff --git a/plone/app/layout/links/viewlets.py b/plone/app/layout/links/viewlets.py
@@ -42,7 +42,11 @@ class FaviconViewlet(ViewletBase):
 
     def init_favicon(self) -> NoReturn:
         registry = getUtility(IRegistry)
-        settings: ISiteSchema = registry.forInterface(ISiteSchema, prefix="plone")
+        settings: ISiteSchema = registry.forInterface(
+            ISiteSchema,
+            prefix="plone",
+            check=False,
+        )
         self.mimetype: str = getattr(
             settings, "site_favicon_mimetype", "image/vnd.microsoft.icon"
         )

diff --git a/plone/app/layout/viewlets/content.py b/plone/app/layout/viewlets/content.py
@@ -70,6 +70,7 @@ def show(self):
         settings = registry.forInterface(
             ISiteSchema,
             prefix="plone",
+            check=False,
         )
         return not self.anonymous or settings.display_publication_date_in_byline
 
@@ -145,7 +146,7 @@ def pub_date(self):
         """
         # check if we are allowed to display publication date
         registry = getUtility(IRegistry)
-        settings = registry.forInterface(ISiteSchema, prefix="plone")
+        settings = registry.forInterface(ISiteSchema, prefix="plone", check=False)
 
         if not settings.display_publication_date_in_byline:
             return None
@@ -281,7 +282,7 @@ def pub_date(self):
         """
         # check if we are allowed to display publication date
         registry = getUtility(IRegistry)
-        settings = registry.forInterface(ISiteSchema, prefix="plone")
+        settings = registry.forInterface(ISiteSchema, prefix="plone", check=False)
 
         if not settings.display_publication_date_in_byline:
             return None

diff --git a/plone/app/layout/viewlets/document_byline.pt b/plone/app/layout/viewlets/document_byline.pt
@@ -1,23 +1,27 @@
 <section id="section-byline"
-  tal:condition="view/show"
-  i18n:domain="plone">
+         tal:condition="view/show"
+         i18n:domain="plone"
+>
   <tal:creators tal:define="
                   creator_ids here/creators;
                   navigation_root_url context/@@plone_portal_state/navigation_root_url;
                 "
-    tal:condition="python:creator_ids and view.show_about()">
+                tal:condition="python:creator_ids and view.show_about()"
+  >
     <span class="label-by-author">
       <tal:i18n i18n:translate="">by</tal:i18n>
       <tal:for repeat="user_id creator_ids">
         <tal:user define="
-                  url_path python: view.get_url_path(user_id);
-                  fullname python:view.get_fullname(user_id);
-                ">
+                    url_path python: view.get_url_path(user_id);
+                    fullname python:view.get_fullname(user_id);
+                  ">
           <a class="badge rounded-pill bg-light text-dark fw-normal fs-6"
-            href="${navigation_root_url}/${url_path}"
-            tal:condition="url_path">${fullname}</a>
+             href="${navigation_root_url}/${url_path}"
+             tal:condition="url_path"
+          >${fullname}</a>
           <span class="badge rounded-pill bg-light text-dark fw-normal fs-6"
-            tal:condition="not:url_path">${fullname}</span>
+                tal:condition="not:url_path"
+          >${fullname}</span>
         </tal:user>
       </tal:for>
     &mdash;
@@ -30,14 +34,16 @@
                show_modification_date python:view.show_modification_date();
              ">
     <span class="documentPublished"
-      tal:condition="published">
+          tal:condition="published"
+    >
       <span i18n:translate="box_published">published</span>
       <span tal:content="python:context.toLocalizedTime(published)">Published</span>
       <tal:sep condition="show_modification_date">,</tal:sep>
     </span>
 
     <span class="documentModified"
-      tal:condition="show_modification_date">
+          tal:condition="show_modification_date"
+    >
       <span i18n:translate="box_last_modified">
       last modified
       </span>
@@ -50,7 +56,8 @@
   <tal:expired tal:condition="view/isExpired">
     &mdash;
     <span class="state-expired"
-      i18n:translate="time_expired">expired</span>
+          i18n:translate="time_expired"
+    >expired</span>
   </tal:expired>
 
 </section>
diff --git a/setup.py b/setup.py
@@ -59,6 +59,7 @@
         "Products.ZCatalog",
         "setuptools",
         "Zope",
+        "lxml",
     ],
     extras_require=dict(
         test=[
-Original file line number
+Diff line change
@@ Expand Up / @@ -59,6 +59,7 @@ @@
             "Products.ZCatalog",
             "setuptools",
             "Zope",
+            "lxml",
         ],
         extras_require=dict(
             test=[
@@ Expand Down @@