From d315e72412359adf9948e0a35a0c6f3064711d52 Mon Sep 17 00:00:00 2001 From: Jan Range <30547301+JR-1991@users.noreply.github.com> Date: Mon, 7 Aug 2023 18:05:10 +0200 Subject: [PATCH 1/6] Added insecure HTML previewer --- 5.2curlcommands.md | 25 ++++++++++++ .../PotentiallyDangerousHtmlPreview.html | 39 +++++++++++++++++++ previewers/betatest/js/insecurehtml.js | 37 ++++++++++++++++++ 3 files changed, 101 insertions(+) create mode 100644 previewers/betatest/PotentiallyDangerousHtmlPreview.html create mode 100644 previewers/betatest/js/insecurehtml.js diff --git a/5.2curlcommands.md b/5.2curlcommands.md index 6a83347..ee18a44 100644 --- a/5.2curlcommands.md +++ b/5.2curlcommands.md @@ -50,6 +50,31 @@ curl -X POST -H 'Content-type: application/json' http://localhost:8080/api/admin }' ``` +> The following HTML previewer allows users, after consent, to display HTML files that contain scripts for plotting etc. Please note, that this should not to be confused with the default HTML previewer. If you do NOT wish to add this previewer, please make sure to use the one above. + +```bash +curl -X POST -H 'Content-type: application/json' http://localhost:8080/api/admin/externalTools -d \ +'{ + "displayName":"View Insecure Html", + "description":"View the html file and run potentially malicious JavaScript. Useful for interactive HTML files that use e.g. Plotly", + "toolName":"insecureHtmlPreviewer", + "scope":"file", + "types":["preview"], + "toolUrl":"https://gdcc.github.io/dataverse-previewers/previewers/betatest/PotentiallyDangerousHtmlPreview.html", + "toolParameters": { + "queryParameters":[ + {"fileid":"{fileId}"}, + {"siteUrl":"{siteUrl}"}, + {"key":"{apiToken}"}, + {"datasetid":"{datasetId}"}, + {"datasetversion":"{datasetVersion}"}, + {"locale":"{localeCode}"} + ] + }, + "contentType":"text/html" +}' +``` + ```bash curl -X POST -H 'Content-type: application/json' http://localhost:8080/api/admin/externalTools -d \ '{ 
diff --git a/previewers/betatest/PotentiallyDangerousHtmlPreview.html b/previewers/betatest/PotentiallyDangerousHtmlPreview.html new file mode 100644 index 0000000..d320b4e --- /dev/null +++ b/previewers/betatest/PotentiallyDangerousHtmlPreview.html @@ -0,0 +1,39 @@ + + + + Html Preview + + + + + + + + + + + + + + + +
+ +

Insecure Html Preview

+
+
+
+
+
+ + diff --git a/previewers/betatest/js/insecurehtml.js b/previewers/betatest/js/insecurehtml.js new file mode 100644 index 0000000..983ebae --- /dev/null +++ b/previewers/betatest/js/insecurehtml.js @@ -0,0 +1,37 @@ +$(document).ready(function () { + + const MESSAGE = "🚨 ATTENTION 🚨\n\nThis data file includes JavaScript which may need to run for the data to display properly.\n\nYou can click the OK to allow the JavaScript to run, but be sure you trust this datafile as a malicious JavaScript could harm your computer (with the same concerns as if you went to a malicious website outside of Dataverse).\n\nIf you wish to not run the complete page, click Abort to be redirected to Dataverse." + + userConfirms = confirm(MESSAGE) + + if (userConfirms) { + // Preview the HTML file + startPreview(true); + } else { + // Redirect back to the dataset + queryParams = new URLSearchParams(window.location.search.substring(1)); + let siteURL = queryParams.get("siteUrl") + let datasetId = queryParams.get("datasetid") + + if (siteURL.endsWith("/")) { + siteURL = siteURL.substring(0, siteURL.length - 1) + } + + let redirectUrl = siteURL + "/dataset.xhtml?id=" + datasetId + window.location.replace(redirectUrl); + } +}); + +function translateBaseHtmlPage() { + var htmlPreviewText = $.i18n("htmlPreviewText"); + $('.htmlPreviewText').text(htmlPreviewText); +} + +function writeContentAndData(data, fileUrl, file, title, authors) { + addStandardPreviewHeader(file, title, authors); + options = { + "stripIgnoreTag": true, + }; // Custom rules + + $('.preview').append($("
").html(data)); +} From 0df703ba51ca9cf97ac4aba7058a939388d78dd9 Mon Sep 17 00:00:00 2001 From: Jan Range <30547301+JR-1991@users.noreply.github.com> Date: Mon, 7 Aug 2023 18:45:32 +0200 Subject: [PATCH 2/6] Added file page redirect --- previewers/betatest/js/insecurehtml.js | 45 ++++++++++++++++++++------ 1 file changed, 36 insertions(+), 9 deletions(-) diff --git a/previewers/betatest/js/insecurehtml.js b/previewers/betatest/js/insecurehtml.js index 983ebae..334d7cd 100644 --- a/previewers/betatest/js/insecurehtml.js +++ b/previewers/betatest/js/insecurehtml.js 
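Review bot: `userConfirms`, `queryParams` and `options` in insecurehtml.js are assigned without `const`/`let`, so they become implicit globals on the previewer page, and `options` (the `stripIgnoreTag` "Custom rules" object) is never handed to anything — `.html(data)` inserts the file unfiltered, which is this previewer's stated intent, so the dead `options` object should go or a comment should state that no sanitizer is applied. `siteUrl` is read from the query string and used unchecked as the navigation target in `window.location.replace(redirectUrl)`; the same applies to `versionUrl` and both redirects in the patch 2 hunk of this file. Before fetching from or navigating to it, parse it and accept only http(s): `const base = new URL(siteURL); if (!["http:", "https:"].includes(base.protocol)) throw new Error("unsupported siteUrl");`. `siteURL.endsWith("/")` also throws when the parameter is absent, which a null check on the `queryParams.get` result would cover.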
@@ -8,20 +8,47 @@ $(document).ready(function () { // Preview the HTML file startPreview(true); } else { - // Redirect back to the dataset + // Redirect to the file page queryParams = new URLSearchParams(window.location.search.substring(1)); - let siteURL = queryParams.get("siteUrl") - let datasetId = queryParams.get("datasetid") + var siteUrl = queryParams.get("siteUrl"); + var fileID = queryParams.get("fileid"); + var versionUrl = siteUrl + "/api/datasets/" + + queryParams.get("datasetid") + "/versions/" + + queryParams.get("datasetversion"); - if (siteURL.endsWith("/")) { - siteURL = siteURL.substring(0, siteURL.length - 1) - } - - let redirectUrl = siteURL + "/dataset.xhtml?id=" + datasetId - window.location.replace(redirectUrl); + fetchMetaAndRedirect(versionUrl, fileID, siteUrl); } }); +function fetchMetaAndRedirect(versionURL, fileID, siteUrl) { + $.ajax({ + type: 'GET', + dataType: "json", + crosssite: true, + url: versionURL, + success: function (data, status) { + console.log(data); + redirectToFilePage(data, siteUrl, fileID); + }, + error: function (request, status, error) { + alert("Could not find persistent ID for file. Redirecting to the Dataverse page.") + window.location.replace(siteUrl); + } + }); +} + +function redirectToFilePage(data, siteUrl, fileID) { + // Search for the file ID in the JSON + const files = data.data.files + const persistentFile = files.find(file => file.dataFile.id == fileID) + const persistentFileId = persistentFile.dataFile.persistentId + const fileVersion = persistentFile.version + + // Redirect to the file page + const fileUrl = siteUrl + "/file.xhtml?persistentId=" + persistentFileId + "&version=" + fileVersion + window.location.replace(fileUrl); +} + function translateBaseHtmlPage() { var htmlPreviewText = $.i18n("htmlPreviewText"); $('.htmlPreviewText').text(htmlPreviewText); From e82c6480a5e860a149e3f8c8103ddb419e2fc219 Mon Sep 17 00:00:00 2001 
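Review bot: In `redirectToFilePage`, `files.find(...)` returns `undefined` when `fileID` is not in the version's file list, and `persistentFile.dataFile.persistentId` then throws inside the `success` callback, so the user is left on the previewer with no redirect instead of reaching the fallback the `error` handler provides. `file.dataFile.id == fileID` works only through loose equality because `fileID` is a query-string string; an explicit `String(...)` comparison keeps that visible. `crosssite: true` is not a `$.ajax` option as far as I know (`crossDomain` is) and is silently ignored, and `console.log(data)` dumps the whole dataset version metadata to the console and reads as leftover debugging. The persistent ID and version are concatenated into `fileUrl` without `encodeURIComponent`, which matters since persistent IDs contain `:` and `/`. The `$(document).ready` handler edited at the top of the hunk starts outside it.
```javascript
function redirectToFilePage(data, siteUrl, fileID) {
  // Ids in the JSON are numbers while fileID comes from the query string, so compare as strings
  const files = (data && data.data && data.data.files) || [];
  const persistentFile = files.find((file) => String(file.dataFile.id) === String(fileID));
  if (!persistentFile) {
    alert("Could not find persistent ID for file. Redirecting to the Dataverse page.");
    window.location.replace(siteUrl);
    return;
  }

  // Redirect to the file page; encode both values since persistent IDs contain ':' and '/'
  const fileUrl = siteUrl + "/file.xhtml?persistentId="
    + encodeURIComponent(persistentFile.dataFile.persistentId)
    + "&version=" + encodeURIComponent(persistentFile.version);
  window.location.replace(fileUrl);
}
```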
From: Jan Range <30547301+JR-1991@users.noreply.github.com> Date: Mon, 7 Aug 2023 18:48:33 +0200 Subject: [PATCH 3/6] Removed "Attention" to display complete message --- previewers/betatest/js/insecurehtml.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/previewers/betatest/js/insecurehtml.js b/previewers/betatest/js/insecurehtml.js index 334d7cd..57668f5 100644 --- a/previewers/betatest/js/insecurehtml.js +++ b/previewers/betatest/js/insecurehtml.js @@ -1,6 +1,6 @@ $(document).ready(function () { - const MESSAGE = "🚨 ATTENTION 🚨\n\nThis data file includes JavaScript which may need to run for the data to display properly.\n\nYou can click the OK to allow the JavaScript to run, but be sure you trust this datafile as a malicious JavaScript could harm your computer (with the same concerns as if you went to a malicious website outside of Dataverse).\n\nIf you wish to not run the complete page, click Abort to be redirected to Dataverse." + const MESSAGE = "This data file includes JavaScript which may need to run for the data to display properly.\n\nYou can click the OK to allow the JavaScript to run, but be sure you trust this datafile as a malicious JavaScript could harm your computer (with the same concerns as if you went to a malicious website outside of Dataverse).\n\nIf you wish to not run the complete page, click Abort to be redirected to Dataverse." userConfirms = confirm(MESSAGE) From eac661929b7126c244149d4b27db7f820df83510 Mon Sep 17 00:00:00 2001 
From: Jan Range <30547301+JR-1991@users.noreply.github.com> Date: Tue, 8 Aug 2023 08:57:37 +0200 Subject: [PATCH 4/6] Added i18n mechanism and renamed files --- ...tentiallyDangerousHtmlPreview.html => RichHtmlPreview.html} | 2 +- previewers/betatest/js/{insecurehtml.js => richhtml.js} | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) rename previewers/betatest/{PotentiallyDangerousHtmlPreview.html => RichHtmlPreview.html} (95%) rename previewers/betatest/js/{insecurehtml.js => richhtml.js} (82%) diff --git a/previewers/betatest/PotentiallyDangerousHtmlPreview.html b/previewers/betatest/RichHtmlPreview.html similarity index 95% rename from previewers/betatest/PotentiallyDangerousHtmlPreview.html rename to previewers/betatest/RichHtmlPreview.html index d320b4e..c9748ad 100644 --- a/previewers/betatest/PotentiallyDangerousHtmlPreview.html +++ b/previewers/betatest/RichHtmlPreview.html @@ -4,7 +4,7 @@ Html Preview - + diff --git a/previewers/betatest/js/insecurehtml.js b/previewers/betatest/js/richhtml.js similarity index 82% rename from previewers/betatest/js/insecurehtml.js rename to previewers/betatest/js/richhtml.js index 57668f5..f4d164d 100644 --- a/previewers/betatest/js/insecurehtml.js +++ b/previewers/betatest/js/richhtml.js @@ -1,7 +1,6 @@ $(document).ready(function () { - const MESSAGE = "This data file includes JavaScript which may need to run for the data to display properly.\n\nYou can click the OK to allow the JavaScript to run, but be sure you trust this datafile as a malicious JavaScript could harm your computer (with the same concerns as if you went to a malicious website outside of Dataverse).\n\nIf you wish to not run the complete page, click Abort to be redirected to Dataverse." - + const MESSAGE = $.i18n("richHtmlPreviewText") userConfirms = confirm(MESSAGE) if (userConfirms) { From 577a4243160afcdfb3fd811072f9ed48c2a40cc7 Mon Sep 17 00:00:00 2001 
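Review bot: `const MESSAGE = $.i18n("richHtmlPreviewText")` runs inside `$(document).ready`, before any locale bundle can have been loaded, and jQuery.i18n returns the key itself when no message is found; the consent dialog would then show `richHtmlPreviewText` instead of the warning about running the file's JavaScript, and the user would be asked to approve something unexplained. Guard the lookup with a literal fallback, e.g. `const translated = $.i18n("richHtmlPreviewText"); const MESSAGE = translated === "richHtmlPreviewText" ? FALLBACK_MESSAGE : translated;` (with `FALLBACK_MESSAGE` a constant holding the English text from en.json), or defer the `confirm()` until the i18n load completes, which is presumably when `translateBaseHtmlPage` is invoked. The statement is also missing its terminating semicolon. The enclosing ready handler continues beyond the hunk.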
From: Jan Range <30547301+JR-1991@users.noreply.github.com> Date: Tue, 8 Aug 2023 08:57:45 +0200 Subject: [PATCH 5/6] Added i18n text --- previewers/betatest/i18n/en.json | 1 + 1 file changed, 1 insertion(+) diff --git a/previewers/betatest/i18n/en.json b/previewers/betatest/i18n/en.json index 6656113..8bd1ae3 100644 --- a/previewers/betatest/i18n/en.json +++ b/previewers/betatest/i18n/en.json @@ -8,6 +8,7 @@ "audioPreviewText": "Audio Preview", "csvPreviewText": "Csv Preview", "htmlPreviewText": "Html Preview", + "richHtmlPreviewText": "This data file includes JavaScript which may need to run for the data to display properly.\n\nYou can click the OK to allow the JavaScript to run, but be sure you trust this datafile as a malicious JavaScript could harm your computer (with the same concerns as if you went to a malicious website outside of Dataverse).\n\nIf you wish to not run the complete page, click Abort to be redirected to Dataverse.", "annotationsText": "Annotations", "imagePreviewText": "Image Preview", "mapPreviewText": "Map Preview", From 880a79f1cdf2e3cbe42d8041d43283fc6ce4cc0d Mon Sep 17 00:00:00 2001 From: Jan Range <30547301+JR-1991@users.noreply.github.com> Date: Tue, 8 Aug 2023 08:57:54 +0200 Subject: [PATCH 6/6] Changed naming to RichtHtml --- 5.2curlcommands.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/5.2curlcommands.md b/5.2curlcommands.md index ee18a44..405e17a 100644 --- a/5.2curlcommands.md +++ b/5.2curlcommands.md 
@@ -50,17 +50,17 @@ curl -X POST -H 'Content-type: application/json' http://localhost:8080/api/admin }' ``` -> The following HTML previewer allows users, after consent, to display HTML files that contain scripts for plotting etc. Please note, that this should not to be confused with the default HTML previewer. If you do NOT wish to add this previewer, please make sure to use the one above. +> Rich HTML Previewer - Potential Issues if used with malicious content ```bash curl -X POST -H 'Content-type: application/json' http://localhost:8080/api/admin/externalTools -d \ '{ - "displayName":"View Insecure Html", + "displayName":"Rich HTML Previewer", "description":"View the html file and run potentially malicious JavaScript. Useful for interactive HTML files that use e.g. Plotly", - "toolName":"insecureHtmlPreviewer", + "toolName":"richHtmlPreviewer", "scope":"file", "types":["preview"], - "toolUrl":"https://gdcc.github.io/dataverse-previewers/previewers/betatest/PotentiallyDangerousHtmlPreview.html", + "toolUrl":"https://gdcc.github.io/dataverse-previewers/previewers/betatest/RichHtmlPreview.html", "toolParameters": { "queryParameters":[ {"fileid":"{fileId}"},