feat: [[embed]]ブロックを実装

Wikidot形式の[[embed]]..[[/embed]]ブロックをサポート。

- embed-block要素をASTに追加（paragraph-safe）
- パーサーにembed-blockルールを追加
- レンダラーで許可リストによるXSS対策を実装
- RenderOptions.embedAllowlistでカスタム許可リストを設定可能
- DEFAULT_EMBED_ALLOWLISTをエクスポート

Author: r74tech

packages/ast/src/element.ts

@@ -425,6 +425,15 @@ export interface HtmlData {
   contents: string;
 }
 
+/**
+ * Embed block data (Wikidot style [[embed]]..[[/embed]])
+ * Contains raw HTML that is validated against an allowlist at render time.
+ * Unlike html element, embed-block is paragraph-safe.
+ */
+export interface EmbedBlockData {
+  contents: string;
+}
+
 export interface IframeData {
   url: string;
   attributes: AttributeMap;
@@ -505,6 +514,7 @@ export type ElementDataMap = {
   "math-inline": MathInlineData;
   "equation-reference": string;
   embed: Embed;
+  "embed-block": EmbedBlockData;
   html: HtmlData;
   iframe: IframeData;
   include: IncludeData;
@@ -784,6 +794,8 @@ export function isParagraphSafe(element: Element): boolean {
       return true;
     case "embed":
       return false;
+    case "embed-block":
+      return true;
     case "html":
     case "iframe":
       return false;

packages/parser/src/parser/rules/block/embed-block.ts

@@ -0,0 +1,121 @@
+import type { Element } from "@wdprlib/ast";
+import type { BlockRule, ParseContext, RuleResult } from "../types";
+import { currentToken } from "../types";
+import { parseBlockName } from "./utils";
+
+/**
+ * Embed block rule: [[embed]]..[[/embed]], [[embedvideo]]..[[/embedvideo]], [[embedaudio]]..[[/embedaudio]]
+ *
+ * Wikidotでは許可リストにマッチしたHTMLのみ出力されるが、
+ * このパーサーでは内容をそのままhtml要素として保持する。
+ * バリデーションはレンダリング時またはサーバー側で行う想定。
+ */
+export const embedBlockRule: BlockRule = {
+  name: "embed-block",
+  startTokens: ["BLOCK_OPEN"],
+  requiresLineStart: false,
+
+  parse(ctx: ParseContext): RuleResult<Element> {
+    const openToken = currentToken(ctx);
+    if (openToken.type !== "BLOCK_OPEN") {
+      return { success: false };
+    }
+
+    let pos = ctx.pos + 1;
+    let consumed = 1;
+
+    // Parse block name
+    const nameResult = parseBlockName(ctx, pos);
+    if (!nameResult) {
+      return { success: false };
+    }
+
+    const blockName = nameResult.name.toLowerCase();
+    if (blockName !== "embed" && blockName !== "embedvideo" && blockName !== "embedaudio") {
+      return { success: false };
+    }
+    pos += nameResult.consumed;
+    consumed += nameResult.consumed;
+
+    // Skip whitespace
+    while (ctx.tokens[pos]?.type === "WHITESPACE") {
+      pos++;
+      consumed++;
+    }
+
+    // Expect ]]
+    if (ctx.tokens[pos]?.type !== "BLOCK_CLOSE") {
+      return { success: false };
+    }
+    pos++;
+    consumed++;
+
+    // Collect content until [[/embed]], [[/embedvideo]], or [[/embedaudio]]
+    let contents = "";
+
+    while (pos < ctx.tokens.length) {
+      const token = ctx.tokens[pos];
+      if (!token) break;
+
+      // Check for closing [[/embed*]]
+      if (token.type === "BLOCK_END_OPEN") {
+        const closeNameResult = parseBlockName(ctx, pos + 1);
+        if (closeNameResult) {
+          const closeName = closeNameResult.name.toLowerCase();
+          if (closeName === "embed" || closeName === "embedvideo" || closeName === "embedaudio") {
+            break;
+          }
+        }
+      }
+
+      contents += token.value;
+      pos++;
+      consumed++;
+    }
+
+    // Consume [[/embed*]]
+    if (ctx.tokens[pos]?.type === "BLOCK_END_OPEN") {
+      pos++;
+      consumed++;
+      const closeNameResult = parseBlockName(ctx, pos);
+      if (closeNameResult) {
+        pos += closeNameResult.consumed;
+        consumed += closeNameResult.consumed;
+      }
+      if (ctx.tokens[pos]?.type === "BLOCK_CLOSE") {
+        pos++;
+        consumed++;
+      }
+      if (ctx.tokens[pos]?.type === "NEWLINE") {
+        pos++;
+        consumed++;
+      }
+    }
+
+    // Trim the contents
+    contents = contents.trim();
+
+    // Wikidotと同じく、embed-blockをparagraphで囲む
+    return {
+      success: true,
+      elements: [
+        {
+          element: "container",
+          data: {
+            type: "paragraph",
+            attributes: {},
+            elements: [
+              {
+                element: "embed-block",
+                data: {
+                  contents,
+                },
+              },
+            ],
+          },
+        },
+      ],
+      consumed,
+    };
+  },
+};

packages/parser/src/parser/rules/block/index.ts

@@ -22,6 +22,7 @@ import { tabviewRule } from "./tabview";
 import { includeRule } from "./include";
 import { mathBlockRule } from "./math";
 import { htmlBlockRule } from "./html";
+import { embedBlockRule } from "./embed-block";
 import { iframeRule } from "./iframe";
 import { iftagsRule } from "./iftags";
 import { tocRule } from "./toc";
@@ -49,6 +50,7 @@ export { tabviewRule } from "./tabview";
 export { includeRule } from "./include";
 export { mathBlockRule } from "./math";
 export { htmlBlockRule } from "./html";
+export { embedBlockRule } from "./embed-block";
 export { iframeRule } from "./iframe";
 export { iftagsRule } from "./iftags";
 export { tocRule } from "./toc";
@@ -80,6 +82,7 @@ export const blockRules: BlockRule[] = [
   includeRule,
   mathBlockRule,
   htmlBlockRule,
+  embedBlockRule,
   iframeRule,
   iftagsRule,
   divRule,

packages/render/src/elements/embed-block.ts

@@ -0,0 +1,126 @@
+import type { EmbedBlockData } from "@wdprlib/ast";
+import type { RenderContext } from "../context";
+
+/**
+ * Boolean attributes that should be normalized to attr="attr" format
+ * (Wikidot normalizes these attributes in its output)
+ */
+const BOOLEAN_ATTRIBUTES = [
+  "allowfullscreen",
+  "async",
+  "autofocus",
+  "autoplay",
+  "checked",
+  "controls",
+  "default",
+  "defer",
+  "disabled",
+  "formnovalidate",
+  "hidden",
+  "ismap",
+  "loop",
+  "multiple",
+  "muted",
+  "novalidate",
+  "open",
+  "readonly",
+  "required",
+  "reversed",
+  "selected",
+];
+
+/**
+ * Default allowlist patterns for embed content (ported from Wikidot's default.php)
+ * Only content matching these patterns will be rendered.
+ */
+export const DEFAULT_EMBED_ALLOWLIST: RegExp[] = [
+  // Any iframe with standard attributes (Wikidot's 'anyiframe' pattern)
+  /^<iframe(\s+[a-z0-9_]+\s*=\s*"[^"]*")+>\s*<\/iframe>$/is,
+
+  // YouTube embed
+  /^<iframe[^>]*\s+src="https?:\/\/(www\.)?youtube\.com\/embed\/[a-zA-Z0-9_-]+"[^>]*>\s*<\/iframe>$/is,
+  /^<iframe[^>]*\s+src="https?:\/\/(www\.)?youtube-nocookie\.com\/embed\/[a-zA-Z0-9_-]+"[^>]*>\s*<\/iframe>$/is,
+
+  // Vimeo embed
+  /^<iframe[^>]*\s+src="https?:\/\/player\.vimeo\.com\/video\/[0-9]+"[^>]*>\s*<\/iframe>$/is,
+
+  // Google Maps
+  /^<iframe[^>]*\s+src="https?:\/\/www\.google\.com\/maps\/embed[^"]*"[^>]*>\s*<\/iframe>$/is,
+
+  // Google Calendar
+  /^<iframe[^>]*\s+src="https?:\/\/calendar\.google\.com\/calendar\/embed[^"]*"[^>]*>\s*<\/iframe>$/is,
+
+  // Spotify
+  /^<iframe[^>]*\s+src="https?:\/\/open\.spotify\.com\/embed\/[^"]*"[^>]*>\s*<\/iframe>$/is,
+
+  // SoundCloud
+  /^<iframe[^>]*\s+src="https?:\/\/w\.soundcloud\.com\/player\/[^"]*"[^>]*>\s*<\/iframe>$/is,
+
+  // Twitter/X embed
+  /^<blockquote[^>]*class="twitter-tweet"[^>]*>[\s\S]*<\/blockquote>\s*<script[^>]*src="https?:\/\/platform\.twitter\.com\/widgets\.js"[^>]*>\s*<\/script>$/is,
+
+  // CodePen
+  /^<iframe[^>]*\s+src="https?:\/\/codepen\.io\/[^"]*"[^>]*>\s*<\/iframe>$/is,
+];
+
+/**
+ * Check if JS event handlers are present in the content (XSS prevention)
+ */
+function hasJsEventHandlers(content: string): boolean {
+  // Match on* event handlers (onclick, onerror, onload, etc.)
+  return /<[^>]*\s+on[a-z]+\s*=/i.test(content);
+}
+
+/**
+ * Validate embed content against allowlist
+ */
+function isAllowedEmbed(content: string, allowlist: RegExp[]): boolean {
+  const trimmed = content.trim();
+
+  // Check for JS event handlers
+  if (hasJsEventHandlers(trimmed)) {
+    return false;
+  }
+
+  // Check against allowlist patterns
+  for (const pattern of allowlist) {
+    if (pattern.test(trimmed)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+/**
+ * Normalize boolean attributes to Wikidot format (attr -> attr="attr")
+ */
+function normalizeBooleanAttributes(html: string): string {
+  let result = html;
+  for (const attr of BOOLEAN_ATTRIBUTES) {
+    // Match standalone boolean attribute (not already having a value)
+    // Pattern: attr followed by whitespace, > or />
+    const pattern = new RegExp(`\\s${attr}(?=\\s|>|/>)`, "gi");
+    result = result.replace(pattern, ` ${attr}="${attr}"`);
+  }
+  return result;
+}
+
+/**
+ * Render embed-block element (Wikidot style [[embed]]..[[/embed]])
+ *
+ * Content is validated against an allowlist to prevent XSS.
+ * Only matching content is rendered; otherwise an error message is shown.
+ */
+export function renderEmbedBlock(ctx: RenderContext, data: EmbedBlockData): void {
+  const allowlist = ctx.options.embedAllowlist ?? DEFAULT_EMBED_ALLOWLIST;
+
+  if (!isAllowedEmbed(data.contents, allowlist)) {
+    ctx.push('<div class="error-block">Sorry, no match for the embedded content.</div>');
+    return;
+  }
+
+  // Normalize boolean attributes and output
+  const normalized = normalizeBooleanAttributes(data.contents);
+  ctx.push(normalized);
+}

packages/render/src/index.ts

@@ -1,2 +1,3 @@
 export { renderToHtml } from "./render";
 export type { RenderOptions, RenderResolvers, PageContext, ResolvedUser } from "./types";
+export { DEFAULT_EMBED_ALLOWLIST } from "./elements/embed-block";

packages/render/src/render.ts

@@ -15,6 +15,7 @@ import { renderFootnoteRef, renderFootnoteBlock } from "./elements/footnote";
 import { renderMath, renderMathInline, renderEquationRef } from "./elements/math";
 import { renderModule } from "./elements/module/index";
 import { renderEmbed } from "./elements/embed";
+import { renderEmbedBlock } from "./elements/embed-block";
 import { renderUser } from "./elements/user";
 import { renderBibliographyCite, renderBibliographyBlock } from "./elements/bibliography";
 import { renderTableOfContents } from "./elements/toc";
@@ -134,6 +135,9 @@ export function renderElement(ctx: RenderContext, element: Element): void {
     case "embed":
       renderEmbed(ctx, element.data);
       break;
+    case "embed-block":
+      renderEmbedBlock(ctx, element.data);
+      break;
     case "user":
       renderUser(ctx, element.data);
       break;

packages/render/src/types.ts

@@ -68,4 +68,11 @@ export interface RenderOptions {
    * - Allow scripts: htmlBlockSandbox: "allow-scripts allow-same-origin"
    */
   htmlBlockSandbox?: string | null;
+  /**
+   * Allowlist patterns for [[embed]] content.
+   * Only content matching at least one pattern will be rendered.
+   * If not provided, uses default allowlist (YouTube, Vimeo, etc.).
+   * Set to empty array to block all embeds.
+   */
+  embedAllowlist?: RegExp[];
 }

tests/fixtures/embed/basic/expected.json

@@ -0,0 +1,26 @@
+{
+  "elements": [
+    {
+      "element": "container",
+      "data": {
+        "type": "paragraph",
+        "attributes": {},
+        "elements": [
+          {
+            "element": "embed-block",
+            "data": {
+              "contents": "<iframe width=\"1208\" height=\"680\" src=\"https://www.youtube.com/embed/dQw4w9WgXcQ\" title=\"Rick Astley - Never Gonna Give You Up (Official Video) (4K Remaster)\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen></iframe>"
+            }
+          }
+        ]
+      }
+    },
+    {
+      "element": "footnote-block",
+      "data": {
+        "title": null,
+        "hide": false
+      }
+    }
+  ]
+}

tests/fixtures/embed/basic/input.ftml

@@ -0,0 +1,3 @@
+[[embed]]
+<iframe width="1208" height="680" src="https://www.youtube.com/embed/dQw4w9WgXcQ" title="Rick Astley - Never Gonna Give You Up (Official Video) (4K Remaster)" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>
+[[/embed]]

tests/fixtures/embed/basic/output.html

@@ -0,0 +1 @@
+<p><iframe width="1208" height="680" src="https://www.youtube.com/embed/dQw4w9WgXcQ" title="Rick Astley - Never Gonna Give You Up (Official Video) (4K Remaster)" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen="allowfullscreen"></iframe></p>