hypermail/

templates.rs

use std::collections::HashMap;
use std::fs;
use std::path::Path;

use crate::i18n::I18n;

pub type CookieMap = HashMap<String, String>;

/// Data for original hypermail-style `%x` single-character template substitution,
/// matching the `printfile()` function in the original hypermail `printfile.c`.
pub struct PrintfileData<'a> {
    /// Archive label (%l)
    pub label: &'a str,
    /// Message subject text — HTML-escaped where needed (%s, %S)
    pub subject: &'a str,
    /// Output directory (%~)
    pub dir: &'a str,
    /// Author display name (%A combined with email)
    pub name: Option<&'a str>,
    /// Author email address (%e, %A)
    pub email: Option<&'a str>,
    /// Message-ID (%i)
    pub msgid: Option<&'a str>,
    /// Charset (%c)
    pub charset: Option<&'a str>,
    /// ISO date string for meta tag (%D)
    pub date: Option<&'a str>,
    /// Human-readable date string for display (%d)
    pub display_date: Option<&'a str>,
    /// HTML filename of the current page (%f)
    pub filename: Option<&'a str>,
    /// Other-archives URL (%a)
    pub archives: Option<&'a str>,
    /// About-archive URL (%b)
    pub about: Option<&'a str>,
    /// Mailto address (%m)
    pub mailto: Option<&'a str>,
    /// Language code (%G)
    pub language: &'a str,
    /// Relative path from current page back to the top-level index (%t)
    pub rel_path_to_top: &'a str,
}

const HMURL: &str = "https://www.hypermail-project.org/";
const PROGNAME: &str = "hypermail-rs";
const VERSION: &str = env!("CARGO_PKG_VERSION");

/// Perform original hypermail `printfile()`-style `%x` substitution on a template string.
///
/// Supported escapes:
/// - `%%` → `%`
/// - `\n` → newline, `\t` → tab
/// - `%~` → output directory
/// - `%a` → other-archives URL
/// - `%b` → about-archive URL
/// - `%c` → charset `<meta>` tag
/// - `%D` → date `<meta name="Date">` tag (message pages only)
/// - `%e` → author email address
/// - `%f` → filename
/// - `%g` → current date/time string
/// - `%G` → two-letter language code
/// - `%h` → hypermail homepage URL
/// - `%i` → Message-ID
/// - `%l` → archive label
/// - `%m` → mailto address
/// - `%p` → program name
/// - `%s` → subject (HTML-escaped)
/// - `%S` → subject `<meta name="Subject">` tag (message pages only)
/// - `%A` → author `<meta name="Author">` tag (message pages only)
/// - `%t` → relative path to top-level index
/// - `%v` → version string
/// - `%u` → expanded version link `<a href=...>progname version</a>`
pub fn substitute_printfile(template: &str, data: &PrintfileData<'_>) -> String {
    let mut result = String::with_capacity(template.len() + 256);
    let bytes = template.as_bytes();
    let mut i = 0;

    while i < bytes.len() {
        let b = bytes[i];
        if b == b'\\' && i + 1 < bytes.len() {
            match bytes[i + 1] {
                b'n' => {
                    result.push('\n');
                    i += 2;
                },
                b't' => {
                    result.push('\t');
                    i += 2;
                },
                _ => {
                    result.push(b as char);
                    i += 1;
                },
            }
        } else if b == b'%' && i + 1 < bytes.len() {
            let next = bytes[i + 1] as char;
            match next {
                '%' => {
                    result.push('%');
                    i += 2;
                },
                '~' => {
                    result.push_str(data.dir);
                    i += 2;
                },
                'a' => {
                    if let Some(a) = data.archives {
                        result.push_str(a);
                    }
                    i += 2;
                },
                'b' => {
                    if let Some(b_url) = data.about {
                        result.push_str(b_url);
                    }
                    i += 2;
                },
                'c' => {
                    if let Some(cs) = data.charset {
                        if !cs.is_empty() {
                            result.push_str(&format!(
                                "<meta http-equiv=\"Content-Type\" content=\"text/html; charset={}\" />\n",
                                cs
                            ));
                        }
                    }
                    i += 2;
                },
                'D' => {
                    if let Some(date) = data.date {
                        result.push_str(&format!("<meta name=\"Date\" content=\"{}\" />", date));
                    }
                    i += 2;
                },
                'e' => {
                    if let Some(email) = data.email {
                        result.push_str(email);
                    }
                    i += 2;
                },
                'f' => {
                    if let Some(fname) = data.filename {
                        result.push_str(fname);
                    }
                    i += 2;
                },
                'g' => {
                    result.push_str(&get_local_time_str());
                    i += 2;
                },
                'G' => {
                    result.push_str(data.language);
                    i += 2;
                },
                'h' => {
                    result.push_str(HMURL);
                    i += 2;
                },
                'i' => {
                    if let Some(msgid) = data.msgid {
                        result.push_str(msgid);
                    }
                    i += 2;
                },
                'l' => {
                    result.push_str(data.label);
                    i += 2;
                },
                'm' => {
                    if let Some(mailto) = data.mailto {
                        result.push_str(mailto);
                    }
                    i += 2;
                },
                'p' => {
                    result.push_str(PROGNAME);
                    i += 2;
                },
                's' => {
                    result.push_str(&crate::txt2html::escape_html(data.subject));
                    i += 2;
                },
                'S' => {
                    result.push_str(&format!(
                        "<meta name=\"Subject\" content=\"{}\" />",
                        crate::txt2html::escape_html(data.subject)
                    ));
                    i += 2;
                },
                'A' => {
                    if let (Some(name), Some(email)) = (data.name, data.email) {
                        result.push_str(&format!(
                            "<meta name=\"Author\" content=\"{} ({})\" />",
                            crate::txt2html::escape_html(name),
                            email
                        ));
                    }
                    i += 2;
                },
                // %n → plain-text author name (no markup)
                'n' => {
                    if let Some(name) = data.name {
                        result.push_str(&crate::txt2html::escape_html(name));
                    }
                    i += 2;
                },
                // %d → plain-text date string for display (human-readable, no markup)
                'd' => {
                    if let Some(date) = data.display_date {
                        result.push_str(&crate::txt2html::escape_html(date));
                    }
                    i += 2;
                },
                // %y → i18n-translated "Author:" label (language-aware)
                'y' => {
                    let i18n = I18n::new(data.language);
                    result.push_str(i18n.get("Author:"));
                    i += 2;
                },
                // %N → author name + email as linked HTML: Name &lt;<a href="mailto:addr">addr</a>&gt;
                'N' => {
                    match (data.name, data.email) {
                        (Some(name), Some(addr)) if !addr.is_empty() => {
                            let esc_name = crate::txt2html::escape_html(name);
                            let esc_addr = crate::txt2html::escape_html(addr);
                            result.push_str(&format!(
                                "{} &lt;<a href=\"mailto:{}\">{}</a>&gt;",
                                esc_name, esc_addr, esc_addr
                            ));
                        },
                        (Some(name), _) => {
                            result.push_str(&crate::txt2html::escape_html(name));
                        },
                        _ => {},
                    }
                    i += 2;
                },
                't' => {
                    result.push_str(data.rel_path_to_top);
                    i += 2;
                },
                'v' => {
                    result.push_str(VERSION);
                    i += 2;
                },
                'u' => {
                    result.push_str(&format!("<a href=\"{}\">{} {}</a>", HMURL, PROGNAME, VERSION));
                    i += 2;
                },
                _ => {
                    result.push('%');
                    result.push(next);
                    i += 2;
                },
            }
        } else {
            // Correctly advance through multi-byte UTF-8 sequences.
            // `b as char` would silently produce Latin-1 mojibake for non-ASCII bytes.
            let ch = template[i..].chars().next().unwrap_or('\u{FFFD}');
            result.push(ch);
            i += ch.len_utf8();
        }
    }

    result
}

fn get_local_time_str() -> String {
    use std::time::{SystemTime, UNIX_EPOCH};
    let secs = SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .map(|d| d.as_secs() as i64)
        .unwrap_or(0);
    crate::date::get_date_str(secs, None, false, false, false, "en")
}

/// Escape a string for safe use inside an HTML attribute value (double-quote delimited).
fn escape_attr(s: &str) -> String {
    let mut result = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '&' => result.push_str("&amp;"),
            '"' => result.push_str("&quot;"),
            '<' => result.push_str("&lt;"),
            '>' => result.push_str("&gt;"),
            '\'' => result.push_str("&#39;"),
            c => result.push(c),
        }
    }
    result
}

/// Replaces `%KEY%` placeholders in a template with values from the cookie map.
///
/// # Security
///
/// Uses single-pass scanning to prevent cascade expansion (second-order injection).
pub fn substitute_cookies(template: &str, cookies: &CookieMap) -> String {
    // SEC-4: Single-pass scan of the ORIGINAL template to prevent cascade expansion.
    // A cookie value containing %OTHER_KEY% is written verbatim into the result
    // without being re-scanned, so no second-order template injection is possible.
    let mut result = String::with_capacity(template.len() * 2);
    let chars: Vec<char> = template.chars().collect();
    let mut i = 0;
    while i < chars.len() {
        if chars[i] == '%' {
            // look for closing %
            let start = i + 1;
            let mut j = start;
            while j < chars.len() && chars[j] != '%' && chars[j] != '\n' {
                j += 1;
            }
            if j < chars.len() && chars[j] == '%' && j > start {
                let key: String = chars[start..j].iter().collect();
                if let Some(val) = cookies.get(key.as_str()) {
                    result.push_str(val);
                    i = j + 1;
                    continue;
                }
            }
        }
        result.push(chars[i]);
        i += 1;
    }
    result
}

/// Sets a key-value pair in the cookie map.
pub fn set_cookie(cookies: &mut CookieMap, key: &str, value: &str) {
    cookies.insert(key.to_string(), value.to_string());
}

/// Removes a key from the cookie map.
pub fn unset_cookie(cookies: &mut CookieMap, key: &str) {
    cookies.remove(key);
}

/// Note: CSP includes 'unsafe-inline' in style-src because embedded images in txt2html.rs
/// use inline style attributes (style="max-width:100%;height:auto") for responsive sizing.
pub fn default_header_template() -> &'static str {
    "<!DOCTYPE html>
<html lang=\"%LANG%\" %HTMLATTRS%>
<head>
<meta charset=\"utf-8\">
<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">
<meta http-equiv=\"Content-Security-Policy\" content=\"default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com; frame-src 'none'; object-src 'none'; connect-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com\">
<link rel=\"preconnect\" href=\"https://fonts.googleapis.com\">
<link rel=\"preconnect\" href=\"https://fonts.gstatic.com\" crossorigin>
<link rel=\"stylesheet\" href=\"https://fonts.googleapis.com/css2?family=Noto+Sans:ital,wght@0,300..900;1,300..900&display=swap\">
<title>%TITLE%</title>
<meta name=\"generator\" content=\"hypermail-rs\">
%STYLESHEET%
<style>
:root{--font-body:\"Noto Sans\",\"Inter\",system-ui,-apple-system,BlinkMacSystemFont,\"Segoe UI\",\"Helvetica Neue\",Roboto,\"Liberation Sans\",Arial,sans-serif,\"Apple Color Emoji\",\"Segoe UI Emoji\",\"Noto Color Emoji\";--font-mono:ui-monospace,\"Cascadia Code\",\"Source Code Pro\",Menlo,Consolas,\"DejaVu Sans Mono\",\"Liberation Mono\",\"Courier New\",monospace;--font-size-sm:.85rem;--font-size-base:clamp(.95rem,1rem + .25vw,1.15rem);--font-size-lg:1rem;--line-height:1.5;--max-width:68rem;--border-radius:6px;--color-bg:#000;--color-text:#f1f5f9;--color-link:#60a5fa;--color-link-visited:#a78bfa;--color-link-hover:#93c5fd;--color-muted:#94a3b8;--color-border:#334155;--color-bg-subtle:#111827;--color-bg-code:#1e293b;--color-deleted:#f87171;--color-quote-border-1:#475569;--color-quote-border-2:#475569;--color-quote-border-3:#334155;--color-skip-bg:var(--color-link);--color-skip-text:#000}
@media(prefers-color-scheme:light){:root:not([data-theme]){--color-bg:#fff;--color-text:#111827;--color-link:#2563eb;--color-link-visited:#7c3aed;--color-link-hover:#1d4ed8;--color-muted:#475569;--color-border:#e2e8f0;--color-bg-subtle:#f8fafc;--color-bg-code:#f1f5f9;--color-deleted:#dc2626;--color-quote-border-1:#cbd5e1;--color-quote-border-2:#94a3b8;--color-quote-border-3:#64748b;--color-skip-bg:var(--color-link);--color-skip-text:#fff}}
[data-theme=\"light\"]{--color-bg:#fff;--color-text:#111827;--color-link:#2563eb;--color-link-visited:#7c3aed;--color-link-hover:#1d4ed8;--color-muted:#475569;--color-border:#e2e8f0;--color-bg-subtle:#f8fafc;--color-bg-code:#f1f5f9;--color-deleted:#dc2626;--color-quote-border-1:#cbd5e1;--color-quote-border-2:#94a3b8;--color-quote-border-3:#64748b;--color-skip-bg:var(--color-link);--color-skip-text:#fff}
[data-theme=\"dark\"]{--color-bg:#000;--color-text:#f1f5f9;--color-link:#60a5fa;--color-link-visited:#a78bfa;--color-link-hover:#93c5fd;--color-muted:#94a3b8;--color-border:#334155;--color-bg-subtle:#111827;--color-bg-code:#1e293b;--color-deleted:#f87171;--color-quote-border-1:#475569;--color-quote-border-2:#475569;--color-quote-border-3:#334155;--color-skip-bg:var(--color-link);--color-skip-text:#000}
@media(prefers-contrast:more){:root{--color-muted:var(--color-text);--color-border:var(--color-text)}[data-theme=\"light\"],:root:not([data-theme]){--color-link:inherit;--color-link-visited:inherit}}
*,*::before,*::after{box-sizing:border-box}
@media(prefers-reduced-motion:no-preference){html{scroll-behavior:smooth}}
body{font-family:var(--font-body);font-size:var(--font-size-base);line-height:var(--line-height);color:var(--color-text);background:var(--color-bg);margin:0;padding:0;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;text-rendering:optimizeLegibility}
main#content{max-width:var(--max-width);margin:0 auto;padding:0 1.25rem}
a{color:var(--color-link);transition:color .15s ease}
a:focus-visible{outline:2px solid var(--color-link);outline-offset:2px;border-radius:2px}
a:hover{text-decoration:underline;color:var(--color-link-hover)}
a:visited{color:var(--color-link-visited)}
img{max-width:100%;height:auto;display:block}
hr{border:none;border-top:1px solid var(--color-border);margin:1.25rem 0}
pre,code{font-family:var(--font-mono);font-size:.875em;background:var(--color-bg-code);padding:.2em .4em;border-radius:var(--border-radius)}
pre{padding:1em;overflow-x:auto;-webkit-overflow-scrolling:touch;border:1px solid var(--color-border);background:var(--color-bg-code);line-height:1.5}
pre code{background:none;padding:0;border:none;font-size:1em}
kbd{padding:.15em .4em;border:1px solid var(--color-border);border-radius:var(--border-radius);font-size:.875em;font-family:var(--font-mono)}
samp,tt{font-family:var(--font-mono);font-size:.875em}
blockquote{margin:.5rem .75rem;padding:.25rem .75rem;border-left:3px solid var(--color-quote-border-2);background:var(--color-bg-subtle);border-radius:0 var(--border-radius) var(--border-radius) 0}
blockquote blockquote{margin-left:0}
.hm-skip{position:absolute;top:-100px;left:0;background:var(--color-skip-bg);color:var(--color-skip-text);padding:.5rem 1rem;z-index:100;text-decoration:none;border-radius:0 0 var(--border-radius) 0}
.hm-skip:focus{top:0;color:var(--color-skip-text)}.hm-nav{background:var(--color-bg-subtle);border-bottom:1px solid var(--color-border);padding:.75rem 1rem}
.hm-nav a{margin-right:1rem;font-size:var(--font-size-sm);display:inline-block;padding:.2rem 0}
.hm-nav a:not(:last-child)::after{content:\"\";display:none}
.hm-msg-header{width:100%;border-collapse:collapse;margin:1.25rem 0}
.hm-msg-header th,.hm-msg-header td{padding:.45rem .75rem;text-align:left;vertical-align:top;border-bottom:1px solid var(--color-border)}
.hm-msg-header th{white-space:nowrap;color:var(--color-muted);font-size:var(--font-size-sm);width:8rem;font-weight:600;text-transform:uppercase;letter-spacing:.025em}
.hm-msg-header td{font-size:var(--font-size-lg);word-break:break-word}
.hm-msg-sep{border:none;border-top:2px solid var(--color-border);margin:1.5rem 0}
.hm-pg{padding:0;font-family:var(--font-body);font-size:1em;line-height:var(--line-height);white-space:pre-wrap;word-wrap:break-word}
.hm-blank{display:none}
.hm-quote-1,.hm-quote-2,.hm-quote-3,.hm-quote-4,.hm-quote-5,.hm-quote-6,.hm-quote-7,.hm-quote-8,.hm-quote-9{padding:.2rem .75rem;font-family:var(--font-body);font-size:.95em;line-height:var(--line-height);white-space:pre-wrap;word-wrap:break-word;font-style:italic}
.hm-sig-text{padding:.1rem .75rem;font-family:var(--font-mono);font-size:.85em;line-height:1.4;white-space:pre-wrap;word-wrap:break-word;color:var(--color-muted)}
.hm-quote-1{background:var(--color-bg-subtle);border-left:3px solid var(--color-quote-border-1)}
.hm-quote-2{background:var(--color-bg-subtle);border-left:3px solid var(--color-quote-border-2)}
.hm-quote-3{background:var(--color-bg-subtle);border-left:3px solid var(--color-quote-border-3)}
.hm-quote-4,.hm-quote-5,.hm-quote-6,.hm-quote-7,.hm-quote-8,.hm-quote-9{background:var(--color-bg-subtle);border-left:3px solid var(--color-quote-border-1)}
.hm-sig{border:none;border-top:1px solid var(--color-border);margin:1rem .75rem;width:4rem}
.hm-deleted{color:var(--color-deleted);font-style:italic;padding:.5rem .75rem}
.hm-attachment{margin:.5rem .75rem;padding:.5rem;background:var(--color-bg-subtle);border:1px solid var(--color-border);border-radius:var(--border-radius)}
.hm-attachment summary{font-weight:600;cursor:pointer;color:var(--color-muted);padding:.25rem}
.hm-attachment summary:hover{color:var(--color-text)}
.hm-index{padding:0 .75rem}
.hm-index li{margin:0;line-height:1.4}
.hm-index a,.hm-thread-list a{display:inline-block;padding:0}
.hm-reply-list{list-style:none;padding:0 .75rem;margin:.25rem 0}
.hm-reply-list li{margin:0;font-size:var(--font-size-sm);line-height:1.4}
.hm-reply-list li::before{content:\"\\21AA\";margin-right:.35rem;color:var(--color-muted)}
.hm-thread-children{list-style:disc;padding-left:1.5rem;margin:.15rem 0;border-left:2px solid var(--color-border)}
.hm-thread-children li{margin:0;line-height:1.4}
.hm-hdrlabel{font-weight:600}
.hm-breadcrumb{font-size:var(--font-size-sm);color:var(--color-muted);padding:.5rem 0}
.hm-breadcrumb a{color:var(--color-link)}
.hm-generator{text-align:center;font-size:.7rem;color:var(--color-muted);margin:1rem 0}
.hm-sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);white-space:nowrap;border:0}
@media(max-width:640px){main#content{padding:0 .5rem}.hm-msg-header,.hm-msg-header tbody,.hm-msg-header tr,.hm-msg-header th,.hm-msg-header td{display:block;width:auto}.hm-msg-header th{width:auto;background:var(--color-bg-subtle)}.hm-msg-header td{padding-left:.75rem}.hm-nav{padding:.5rem}.hm-nav a{display:inline-block;margin:.25rem .5rem}}
@media print{body{font-size:10pt;color:#000;background:#fff;--color-link:#000;--color-link-visited:#000;--color-muted:#000;--color-border:#ccc}a{color:#000;text-decoration:underline}.hm-nav,.hm-skip,.hm-reply-list,.hm-theme-toggle,.hm-a11y-trigger,.hm-a11y-bar{display:none}.hm-msg-header th{color:#000}pre,code{background:#f5f5f5;border:1px solid #ccc}blockquote{border-left-color:#ccc}}
.hm-theme-toggle{position:fixed;bottom:1rem;right:1rem;background:var(--color-bg-subtle);border:1px solid var(--color-border);border-radius:var(--border-radius);padding:.4rem .6rem;cursor:pointer;font-size:1.1rem;color:var(--color-text);z-index:50;line-height:1}
.hm-theme-toggle:hover{background:var(--color-border)}
.hm-theme-toggle:focus-visible{outline:2px solid var(--color-link);outline-offset:2px}
.hm-a11y-bar{position:fixed;bottom:1rem;right:3.5rem;display:flex;gap:.25rem;align-items:center;background:var(--color-bg-subtle);border:1px solid var(--color-border);border-radius:var(--border-radius);padding:.3rem .5rem;z-index:50;opacity:0;pointer-events:none;transition:opacity .2s}
.hm-a11y-bar.open{opacity:1;pointer-events:auto}
.hm-a11y-bar button{background:none;border:1px solid var(--color-border);border-radius:var(--border-radius);padding:.25rem .45rem;cursor:pointer;font-size:.85rem;color:var(--color-text);line-height:1}
.hm-a11y-bar button:hover{background:var(--color-border)}
.hm-a11y-bar button:focus-visible{outline:2px solid var(--color-link);outline-offset:1px}
.hm-a11y-bar button[aria-pressed=\"true\"]{background:var(--color-link);color:var(--color-bg);border-color:var(--color-link)}
.hm-a11y-trigger{position:fixed;bottom:1rem;right:3.5rem;background:var(--color-bg-subtle);border:1px solid var(--color-border);border-radius:var(--border-radius);padding:.4rem .6rem;cursor:pointer;font-size:.9rem;color:var(--color-text);z-index:50;line-height:1}
.hm-a11y-trigger:hover{background:var(--color-border)}
.hm-a11y-trigger:focus-visible{outline:2px solid var(--color-link);outline-offset:2px}
[data-font-size=\"small\"]{--font-size-base:.9rem;--font-size-sm:.8rem;--font-size-lg:.9rem}
[data-font-size=\"large\"]{--font-size-base:1.2rem;--font-size-sm:1rem;--font-size-lg:1.15rem}
[data-font-size=\"xlarge\"]{--font-size-base:1.4rem;--font-size-sm:1.15rem;--font-size-lg:1.3rem}
[data-line-height=\"compact\"]{--line-height:1.3}
[data-line-height=\"relaxed\"]{--line-height:1.9}
[data-dyslexic] body{font-family:\"OpenDyslexic\",\"Comic Sans MS\",var(--font-body);letter-spacing:.05em;word-spacing:.15em}
</style>
<script>
(function(){var d=document.documentElement,k='hm-theme',b;function t(){var c=d.getAttribute('data-theme');var n=c==='dark'?'light':'dark';d.setAttribute('data-theme',n);try{localStorage.setItem(k,n)}catch(e){}if(b)b.setAttribute('aria-label','Switch to '+(n==='dark'?'light':'dark')+' mode')}try{var s=localStorage.getItem(k);if(s)d.setAttribute('data-theme',s)}catch(e){}try{var fs=localStorage.getItem('hm-font-size');if(fs)d.setAttribute('data-font-size',fs);var lh=localStorage.getItem('hm-line-height');if(lh)d.setAttribute('data-line-height',lh);if(localStorage.getItem('hm-dyslexic')==='1')d.setAttribute('data-dyslexic','')}catch(e){}document.addEventListener('DOMContentLoaded',function(){b=document.querySelector('.hm-theme-toggle');if(b)b.addEventListener('click',t);var trig=document.querySelector('.hm-a11y-trigger'),bar=document.querySelector('.hm-a11y-bar');if(trig&&bar){trig.addEventListener('click',function(){bar.classList.toggle('open');trig.setAttribute('aria-expanded',bar.classList.contains('open'))})}var sizes=['small','','large','xlarge'],si=sizes.indexOf(d.getAttribute('data-font-size')||'');if(si<0)si=1;document.querySelector('[data-a11y=\"size-up\"]')&&document.querySelector('[data-a11y=\"size-up\"]').addEventListener('click',function(){si=Math.min(si+1,3);var v=sizes[si];if(v){d.setAttribute('data-font-size',v);try{localStorage.setItem('hm-font-size',v)}catch(e){}}else{d.removeAttribute('data-font-size');try{localStorage.removeItem('hm-font-size')}catch(e){}}});document.querySelector('[data-a11y=\"size-down\"]')&&document.querySelector('[data-a11y=\"size-down\"]').addEventListener('click',function(){si=Math.max(si-1,0);var v=sizes[si];if(v){d.setAttribute('data-font-size',v);try{localStorage.setItem('hm-font-size',v)}catch(e){}}else{d.removeAttribute('data-font-size');try{localStorage.removeItem('hm-font-size')}catch(e){}}});var lhStates=['compact','','relaxed'],li=lhStates.indexOf(d.getAttribute('data-line-height')||'');if(li<0)li=1;var lhBtn=document.querySelector('[data-a11y=\"line-height\"]');function updLh(){if(lhBtn)lhBtn.setAttribute('aria-pressed',li!==1?'true':'false')}updLh();lhBtn&&lhBtn.addEventListener('click',function(){li=(li+1)%3;var v=lhStates[li];if(v){d.setAttribute('data-line-height',v);try{localStorage.setItem('hm-line-height',v)}catch(e){}}else{d.removeAttribute('data-line-height');try{localStorage.removeItem('hm-line-height')}catch(e){}}updLh()});var dyBtn=document.querySelector('[data-a11y=\"dyslexic\"]');function updDy(){if(dyBtn)dyBtn.setAttribute('aria-pressed',d.hasAttribute('data-dyslexic')?'true':'false')}updDy();dyBtn&&dyBtn.addEventListener('click',function(){if(d.hasAttribute('data-dyslexic')){d.removeAttribute('data-dyslexic');try{localStorage.removeItem('hm-dyslexic')}catch(e){}}else{d.setAttribute('data-dyslexic','');try{localStorage.setItem('hm-dyslexic','1')}catch(e){}}updDy()});var resetBtn=document.querySelector('[data-a11y=\"reset\"]');resetBtn&&resetBtn.addEventListener('click',function(){si=1;li=1;d.removeAttribute('data-font-size');d.removeAttribute('data-line-height');d.removeAttribute('data-dyslexic');try{localStorage.removeItem('hm-font-size');localStorage.removeItem('hm-line-height');localStorage.removeItem('hm-dyslexic')}catch(e){}updLh();updDy()})})})();
</script>
%METADATA%
</head>
<body>
<a class=\"hm-skip\" href=\"#content\">Skip to content</a>
<button class=\"hm-theme-toggle\" aria-label=\"Switch to light mode\" title=\"Toggle dark/light mode\">&#9681;</button>
<button class=\"hm-a11y-trigger\" aria-label=\"Accessibility options\" aria-expanded=\"false\" title=\"Accessibility\">Aa</button>
<div class=\"hm-a11y-bar\" role=\"toolbar\" aria-label=\"Accessibility controls\"><button data-a11y=\"size-down\" aria-label=\"Decrease font size\" title=\"Smaller\">A&#8595;</button><button data-a11y=\"size-up\" aria-label=\"Increase font size\" title=\"Larger\">A&#8593;</button><button data-a11y=\"line-height\" aria-label=\"Toggle line spacing\" aria-pressed=\"false\" title=\"Line spacing\">&#9776;</button><button data-a11y=\"dyslexic\" aria-label=\"Toggle dyslexia-friendly font\" aria-pressed=\"false\" title=\"Dyslexia font\">Dy</button><button data-a11y=\"reset\" aria-label=\"Reset accessibility settings\" title=\"Reset\">&#8634;</button></div>
%BODYHEADER%
%BODYHEADEREND%
%NAVIGATION%
<main id=\"content\">
"
}

/// Returns the default footer HTML template.
pub fn default_footer_template() -> &'static str {
    "
</main>
%NAVIGATION%
<footer role=\"contentinfo\">
%BODYFOOTER%
%GENERATOR%
</footer>
</body>
</html>"
}

/// Returns the default article body template (`%ARTICLE%`).
pub fn default_article_template() -> &'static str {
    "%ARTICLE%
"
}

/// Loads the article template from `.hm_article` in `dir`, or returns the default.
pub fn load_article_template(dir: &str) -> String {
    let path = Path::new(dir).join(".hm_article");
    fs::read_to_string(&path).unwrap_or_else(|_| default_article_template().to_string())
}

/// Loads the header template from `.hm_header` in `dir`, or returns the default.
pub fn load_header_template(dir: &str) -> String {
    let path = Path::new(dir).join(".hm_header");
    fs::read_to_string(&path).unwrap_or_else(|_| default_header_template().to_string())
}

/// Loads the footer template from `.hm_footer` in `dir`, or returns the default.
pub fn load_footer_template(dir: &str) -> String {
    let path = Path::new(dir).join(".hm_footer");
    fs::read_to_string(&path).unwrap_or_else(|_| default_footer_template().to_string())
}

/// Loads a template file by path, returning `None` if it cannot be read.
pub fn load_template(path: &str) -> Option<String> {
    std::fs::read_to_string(path).ok()
}

/// Builds the initial cookie map with standard header values (title, stylesheet, metadata, etc.).
pub fn get_header_cookies(config: &crate::config::Config, title: &str) -> CookieMap {
    let mut cookies = CookieMap::new();
    set_cookie(&mut cookies, "TITLE", title);

    let stylesheet = if let Some(ref css) = config.css {
        let css_path = if !css.starts_with("http") && !css.starts_with('/') {
            config.css_path()
        } else {
            css.clone()
        };
        let mut tag = String::from("<link rel=\"stylesheet\" type=\"text/css\" href=\"");
        tag.push_str(&escape_attr(&css_path));
        tag.push_str("\">\n");
        tag
    } else {
        String::new()
    };
    set_cookie(&mut cookies, "STYLESHEET", &stylesheet);

    let metadata = if let Some(ref desc) = config.description {
        let mut tag = String::from("<meta name=\"description\" content=\"");
        tag.push_str(&crate::txt2html::escape_html(desc));
        tag.push_str("\">\n");
        tag
    } else {
        String::new()
    };
    set_cookie(&mut cookies, "METADATA", &metadata);

    // SECURITY: These values are inserted as raw HTML. Only use from trusted config files.
    let bodyheader = config.bodyheader.as_deref().unwrap_or("");
    if bodyheader.to_ascii_lowercase().contains("<script") {
        log::warn!("bodyheader contains <script> — ensure this is intentional");
    }
    set_cookie(&mut cookies, "BODYHEADER", bodyheader);

    let bodyheaderend = config.bodyheaderend.as_deref().unwrap_or("");
    if bodyheaderend.to_ascii_lowercase().contains("<script") {
        log::warn!("bodyheaderend contains <script> — ensure this is intentional");
    }
    set_cookie(&mut cookies, "BODYHEADEREND", bodyheaderend);

    set_cookie(&mut cookies, "NAVIGATION", "");

    // SECURITY: These values are inserted as raw HTML. Only use from trusted config files.
    let bodyfooter = config.bodyfooter.as_deref().unwrap_or("");
    if bodyfooter.to_ascii_lowercase().contains("<script") {
        log::warn!("bodyfooter contains <script> — ensure this is intentional");
    }
    set_cookie(&mut cookies, "BODYFOOTER", bodyfooter);

    // Generator credit (suppressible via showgenerator = Off or --no-generator)
    let generator = if config.showgenerator {
        "<p class=\"hm-generator\">Generated by <a href=\"https://hypermail-rs.github.io\">hypermail-rs</a></p>"
    } else {
        ""
    };
    set_cookie(&mut cookies, "GENERATOR", generator);

    // Set HTML lang attribute from configured language (defaults to "en")
    let lang = if config.language.is_empty() {
        "en"
    } else {
        &config.language
    };
    set_cookie(&mut cookies, "LANG", lang);

    let htmlattrs = match config.theme.as_deref() {
        Some("light") => "data-theme=\"light\"",
        Some("dark") => "data-theme=\"dark\"",
        _ => "",
    };
    set_cookie(&mut cookies, "HTMLATTRS", htmlattrs);

    cookies
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_basic_substitution() {
        let mut cookies = CookieMap::new();
        set_cookie(&mut cookies, "TITLE", "Test Title");
        let result = substitute_cookies("<h1>%TITLE%</h1>", &cookies);
        assert_eq!(result, "<h1>Test Title</h1>");
    }

    #[test]
    fn test_multiple_cookies() {
        let mut cookies = CookieMap::new();
        set_cookie(&mut cookies, "TITLE", "My List");
        set_cookie(&mut cookies, "NAV", "Home");
        let result = substitute_cookies("%NAV% - %TITLE%", &cookies);
        assert_eq!(result, "Home - My List");
    }

    #[test]
    fn test_unknown_cookie() {
        let cookies = CookieMap::new();
        let result = substitute_cookies("%UNKNOWN%", &cookies);
        assert_eq!(result, "%UNKNOWN%");
    }

    #[test]
    fn test_unset_cookie() {
        let mut cookies = CookieMap::new();
        set_cookie(&mut cookies, "TITLE", "test");
        unset_cookie(&mut cookies, "TITLE");
        assert!(!cookies.contains_key("TITLE"));
    }

    #[test]
    fn test_header_cookies() {
        let config = crate::config::Config::default();
        let cookies = get_header_cookies(&config, "Test Archive");
        assert_eq!(cookies.get("TITLE").unwrap(), "Test Archive");
    }

    #[test]
    fn test_description_meta_escaped() {
        let mut config = crate::config::Config::default();
        config.description = Some("<script>alert('xss')</script>".to_string());
        let cookies = get_header_cookies(&config, "Test");
        let meta = cookies.get("METADATA").unwrap();
        assert!(meta.contains("&lt;script&gt;"));
        assert!(!meta.contains("<script>"));
    }

    #[test]
    fn test_description_meta_safe() {
        let mut config = crate::config::Config::default();
        config.description = Some("Hello & welcome".to_string());
        let cookies = get_header_cookies(&config, "Test");
        let meta = cookies.get("METADATA").unwrap();
        assert!(meta.contains("Hello &amp; welcome"));
    }

    #[test]
    fn test_no_description_no_meta() {
        let config = crate::config::Config::default();
        let cookies = get_header_cookies(&config, "Test");
        let meta = cookies.get("METADATA").unwrap();
        assert!(meta.is_empty());
    }
}