Add mfa reset button for admin s on user profile edit

Closes #6049

.env.example.complete

@@ -351,10 +351,25 @@ EXPORT_PDF_COMMAND_TIMEOUT=15
 # Only used if 'ALLOW_UNTRUSTED_SERVER_FETCHING=true' which disables security protections.
 WKHTMLTOPDF=false
 
-# Allow <script> tags in page content
+# Allow JavaScript, and other potentiall dangerous content in page content.
+# This also removes CSP-level JavaScript control.
 # Note, if set to 'true' the page editor may still escape scripts.
+# DEPRECATED: Use 'APP_CONTENT_FILTERING' instead as detailed below. Activiting this option
+# effectively sets APP_CONTENT_FILTERING='' (No filtering)
 ALLOW_CONTENT_SCRIPTS=false
 
+# Control the behaviour of content filtering, primarily used for page content.
+# This setting is a string of characters which represent different available filters:
+# - j - Filter out JavaScript and unknown binary data based content
+# - h - Filter out unexpected, and potentially dangerous, HTML elements
+# - f - Filter out unexpected form elements
+# - a - Run content through a more complex allowlist filter
+# This defaults to using all filters, unless ALLOW_CONTENT_SCRIPTS is set to true in which case no filters are used.
+# Note: These filters are a best-attempt and may not be 100% effective. They are typically a layer used in addition to other security measures.
+# Note: The default value will always be the most-strict, so it's advised to leave this unset in your own configuration
+# to ensure you are always using the full range of filters.
+APP_CONTENT_FILTERING="jfha"
+
 # Indicate if robots/crawlers should crawl your instance.
 # Can be 'true', 'false' or 'null'.
 # The behaviour of the default 'null' option will depend on the 'app-public' admin setting.

app/Access/Oidc/OidcService.php

@@ -49,6 +49,11 @@ class OidcService
         $url = $provider->getAuthorizationUrl();
         session()->put('oidc_pkce_code', $provider->getPkceCode() ?? '');
 
+        $returnUrl = Theme::dispatch(ThemeEvents::OIDC_AUTH_PRE_REDIRECT, $url);
+        if (is_string($returnUrl)) {
+            $url = $returnUrl;
+        }
+
         return [
             'url'   => $url,
             'state' => $provider->getState(),

app/Activity/Models/Comment.php

@@ -8,6 +8,7 @@ use BookStack\Permissions\PermissionApplicator;
 use BookStack\Users\Models\HasCreatorAndUpdater;
 use BookStack\Users\Models\OwnableInterface;
 use BookStack\Util\HtmlContentFilter;
+use BookStack\Util\HtmlContentFilterConfig;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Relations\BelongsTo;
@@ -82,7 +83,8 @@ class Comment extends Model implements Loggable, OwnableInterface
 
     public function safeHtml(): string
     {
-        return HtmlContentFilter::removeActiveContentFromHtmlString($this->html ?? '');
+        $filter = new HtmlContentFilter(new HtmlContentFilterConfig());
+        return $filter->filterString($this->html ?? '');
     }
 
     public function jointPermissions(): HasMany

app/App/Providers/AppServiceProvider.php

@@ -65,6 +65,13 @@ class AppServiceProvider extends ServiceProvider
             URL::forceScheme($isHttps ? 'https' : 'http');
         }
 
+        // Set SMTP mail driver to use a local domain matching the app domain,
+        // which helps avoid defaulting to a 127.0.0.1 domain
+        if ($appUrl) {
+            $hostName = parse_url($appUrl, PHP_URL_HOST) ?: null;
+            config()->set('mail.mailers.smtp.local_domain', $hostName);
+        }
+
         // Allow longer string lengths after upgrade to utf8mb4
         Schema::defaultStringLength(191);
 

app/App/Providers/ThemeServiceProvider.php

@@ -4,6 +4,8 @@ namespace BookStack\App\Providers;
 
 use BookStack\Theming\ThemeEvents;
 use BookStack\Theming\ThemeService;
+use BookStack\Theming\ThemeViews;
+use Illuminate\Support\Facades\Blade;
 use Illuminate\Support\ServiceProvider;
 
 class ThemeServiceProvider extends ServiceProvider
@@ -24,7 +26,26 @@ class ThemeServiceProvider extends ServiceProvider
     {
         // Boot up the theme system
         $themeService = $this->app->make(ThemeService::class);
+        $viewFactory = $this->app->make('view');
+        $themeViews = new ThemeViews($viewFactory->getFinder());
+
+        // Use a custom include so that we can insert theme views before/after includes.
+        // This is done, even if no theme is active, so that view caching does not create problems
+        // when switching between themes or when switching a theme on/off.
+        $viewFactory->share('__themeViews', $themeViews);
+        Blade::directive('include', function ($expression) {
+            return "<?php echo \$__themeViews->handleViewInclude({$expression}, array_diff_key(get_defined_vars(), ['__data' => 1, '__path' => 1])); ?>";
+        });
+
+        if (!$themeService->getTheme()) {
+            return;
+        }
+
+        $themeService->loadModules();
         $themeService->readThemeActions();
         $themeService->dispatch(ThemeEvents::APP_BOOT, $this->app);
+
+        $themeViews->registerViewPathsForTheme($themeService->getModules());
+        $themeService->dispatch(ThemeEvents::THEME_REGISTER_VIEWS, $themeViews);
     }
 }

app/App/helpers.php

@@ -81,8 +81,7 @@ function setting(?string $key = null, mixed $default = null): mixed
 
 /**
  * Get a path to a theme resource.
- * Returns null if a theme is not configured and
- * therefore a full path is not available for use.
+ * Returns null if a theme is not configured, and therefore a full path is not available for use.
  */
 function theme_path(string $path = ''): ?string
 {

app/Config/app.php

@@ -37,10 +37,15 @@ return [
     // The limit for all uploaded files, including images and attachments in MB.
     'upload_limit' => env('FILE_UPLOAD_SIZE_LIMIT', 50),
 
-    // Allow <script> tags to entered within page content.
-    // <script> tags are escaped by default.
-    // Even when overridden the WYSIWYG editor may still escape script content.
-    'allow_content_scripts' => env('ALLOW_CONTENT_SCRIPTS', false),
+    // Control the behaviour of content filtering, primarily used for page content.
+    // This setting is a string of characters which represent different available filters:
+    // - j - Filter out JavaScript and unknown binary data based content
+    // - h - Filter out unexpected, and potentially dangerous, HTML elements
+    // - f - Filter out unexpected form elements
+    // - a - Run content through a more complex allowlist filter
+    // This defaults to using all filters, unless ALLOW_CONTENT_SCRIPTS is set to true in which case no filters are used.
+    // Note: These filters are a best-attempt and may not be 100% effective. They are typically a layer used in addition to other security measures.
+    'content_filtering' => env('APP_CONTENT_FILTERING', env('ALLOW_CONTENT_SCRIPTS', false) === true ? '' : 'jhfa'),
 
     // Allow server-side fetches to be performed to potentially unknown
     // and user-provided locations. Primarily used in exports when loading
@@ -48,8 +53,8 @@ return [
     'allow_untrusted_server_fetching' => env('ALLOW_UNTRUSTED_SERVER_FETCHING', false),
 
     // Override the default behaviour for allowing crawlers to crawl the instance.
-    // May be ignored if view has be overridden or modified.
-    // Defaults to null since, if not set, 'app-public' status used instead.
+    // May be ignored if the underlying view has been overridden or modified.
+    // Defaults to null in which case the 'app-public' status is used instead.
     'allow_robots' => env('ALLOW_ROBOTS', null),
 
     // Application Base URL, Used by laravel in development commands

app/Config/view.php

@@ -8,12 +8,6 @@
  * Do not edit this file unless you're happy to maintain any changes yourself.
  */
 
-// Join up possible view locations
-$viewPaths = [realpath(base_path('resources/views'))];
-if ($theme = env('APP_THEME', false)) {
-    array_unshift($viewPaths, base_path('themes/' . $theme));
-}
-
 return [
 
     // App theme
@@ -26,7 +20,7 @@ return [
     // Most templating systems load templates from disk. Here you may specify
     // an array of paths that should be checked for your views. Of course
     // the usual Laravel view path has already been registered for you.
-    'paths' => $viewPaths,
+    'paths' => [realpath(base_path('resources/views'))],
 
     // Compiled View Path
     // This option determines where all the compiled Blade templates will be

app/Console/Commands/InstallModuleCommand.php

@@ -0,0 +1,312 @@
+<?php
+
+namespace BookStack\Console\Commands;
+
+use BookStack\Http\HttpRequestService;
+use BookStack\Theming\ThemeModule;
+use BookStack\Theming\ThemeModuleException;
+use BookStack\Theming\ThemeModuleManager;
+use BookStack\Theming\ThemeModuleZip;
+use GuzzleHttp\Psr7\Request;
+use Illuminate\Console\Command;
+use Illuminate\Support\Str;
+
+class InstallModuleCommand extends Command
+{
+    /**
+     * The name and signature of the console command.
+     *
+     * @var string
+     */
+    protected $signature = 'bookstack:install-module
+                            {location : The URL or path of the module file}';
+
+    /**
+     * The console command description.
+     *
+     * @var string
+     */
+    protected $description = 'Install a module to the currently configured theme';
+
+    protected array $cleanupActions = [];
+
+    /**
+     * Execute the console command.
+     */
+    public function handle(): int
+    {
+        $location = $this->argument('location');
+
+        // Get the ZIP file containing the module files
+        $zipPath = $this->getPathToZip($location);
+        if (!$zipPath) {
+            $this->cleanup();
+            return 1;
+        }
+
+        // Validate module zip file (metadata, size, etc...) and get module instance
+        $zip = new ThemeModuleZip($zipPath);
+        $themeModule = $this->validateAndGetModuleInfoFromZip($zip);
+        if (!$themeModule) {
+            $this->cleanup();
+            return 1;
+        }
+
+        // Get the theme folder in use, attempting to create one if no active theme in use
+        $themeFolder = $this->getThemeFolder();
+        if (!$themeFolder) {
+            $this->cleanup();
+            return 1;
+        }
+
+        // Get the modules folder of the theme, attempting to create it if not existing,
+        // and create a new module manager instance.
+        $moduleFolder = $this->getModuleFolder($themeFolder);
+        if (!$moduleFolder) {
+            $this->cleanup();
+            return 1;
+        }
+
+        $manager = new ThemeModuleManager($moduleFolder);
+
+        // Handle existing modules with the same name
+        $exitingModulesWithName = $manager->getByName($themeModule->name);
+        $shouldContinue = $this->handleExistingModulesWithSameName($exitingModulesWithName, $manager);
+        if (!$shouldContinue) {
+            $this->cleanup();
+            return 1;
+        }
+
+        // Extract module ZIP into the theme modules folder
+        try {
+            $newModule = $manager->addFromZip($themeModule->name, $zip);
+        } catch (ThemeModuleException $exception) {
+            $this->error("ERROR: Failed to install module with error: {$exception->getMessage()}");
+            $this->cleanup();
+            return 1;
+        }
+
+        $this->info("Module \"{$newModule->name}\" ({$newModule->getVersion()}) successfully installed!");
+        $this->info("Install location: {$moduleFolder}/{$newModule->folderName}");
+        $this->cleanup();
+        return 0;
+    }
+
+    /**
+     * @param ThemeModule[] $existingModules
+     */
+    protected function handleExistingModulesWithSameName(array $existingModules, ThemeModuleManager $manager): bool
+    {
+        if (count($existingModules) === 0) {
+            return true;
+        }
+
+        $this->warn("The following modules already exist with the same name:");
+        foreach ($existingModules as $folder => $module) {
+            $this->line("{$module->name} ({$folder}:{$module->getVersion()}) - {$module->description}");
+        }
+        $this->line('');
+
+        $choices = ['Cancel module install', 'Add alongside existing module'];
+        if (count($existingModules) === 1) {
+            $choices[] = 'Replace existing module';
+        }
+        $choice = $this->choice("What would you like to do?", $choices, 0, null, false);
+        if ($choice === 'Cancel module install') {
+            return false;
+        }
+
+        if ($choice === 'Replace existing module') {
+            $existingModuleFolder = array_key_first($existingModules);
+            $this->info("Replacing existing module in {$existingModuleFolder} folder");
+            $manager->deleteModuleFolder($existingModuleFolder);
+        }
+
+        return true;
+    }
+
+    protected function getModuleFolder(string $themeFolder): string|null
+    {
+        $path = $themeFolder . DIRECTORY_SEPARATOR . 'modules';
+
+        if (file_exists($path) && !is_dir($path)) {
+            $this->error("ERROR: Cannot create a modules folder, file already exists at {$path}");
+            return null;
+        }
+
+        if (!file_exists($path)) {
+            $created = mkdir($path, 0755, true);
+            if (!$created) {
+                $this->error("ERROR: Failed to create a modules folder at {$path}");
+                return null;
+            }
+        }
+
+        return $path;
+    }
+
+    protected function getThemeFolder(): string|null
+    {
+        $path = theme_path('');
+        if (!$path || !is_dir($path)) {
+            $shouldCreate = $this->confirm('No active theme folder found, would you like to create one?');
+            if (!$shouldCreate) {
+                return null;
+            }
+
+            $folder = 'custom';
+            while (file_exists(base_path("themes" . DIRECTORY_SEPARATOR  . $folder))) {
+                $folder = 'custom-' . Str::random(4);
+            }
+
+            $path = base_path("themes/{$folder}");
+            $created = mkdir($path, 0755, true);
+            if (!$created) {
+                $this->error('Failed to create a theme folder to use. This may be a permissions issue. Try manually configuring an active theme');
+                return null;
+            }
+
+            $this->info("Created theme folder at {$path}");
+            $this->warn("You will need to set APP_THEME={$folder} in your BookStack env configuration to enable this theme!");
+        }
+
+        return $path;
+    }
+
+    protected function validateAndGetModuleInfoFromZip(ThemeModuleZip $zip): ThemeModule|null
+    {
+        if (!$zip->exists()) {
+            $this->error("ERROR: Cannot open ZIP file at {$zip->getPath()}");
+            return null;
+        }
+
+        if ($zip->getContentsSize() > (50 * 1024 * 1024)) {
+            $this->error("ERROR: Module ZIP file contents are too large. Maximum size is 50MB");
+            return null;
+        }
+
+        try {
+            $themeModule = $zip->getModuleInstance();
+        } catch (ThemeModuleException $exception) {
+            $this->error("ERROR: Failed to read module metadata with error: {$exception->getMessage()}");
+            return null;
+        }
+
+        return $themeModule;
+    }
+
+    protected function downloadModuleFile(string $location): string|null
+    {
+        $httpRequests = app()->make(HttpRequestService::class);
+        $client = $httpRequests->buildClient(30, ['stream' => true]);
+        $originalUrl = parse_url($location);
+        $currentLocation = $location;
+        $maxRedirects = 3;
+        $redirectCount = 0;
+
+        // Follow redirects up to 3 times for the same hostname
+        do {
+            $resp = $client->sendRequest(new Request('GET', $currentLocation));
+            $statusCode = $resp->getStatusCode();
+
+            if ($statusCode >= 300 && $statusCode < 400 && $redirectCount < $maxRedirects) {
+                $redirectLocation = $resp->getHeaderLine('Location');
+                if ($redirectLocation) {
+                    $redirectUrl = parse_url($redirectLocation);
+                    if (
+                        ($originalUrl['host'] ?? '') === ($redirectUrl['host'] ?? '')
+                        && ($originalUrl['scheme'] ?? '') === ($redirectUrl['scheme'] ?? '')
+                        && ($originalUrl['port'] ?? '') === ($redirectUrl['port'] ?? '')
+                    ) {
+                        $currentLocation = $redirectLocation;
+                        $redirectCount++;
+                        continue;
+                    }
+                }
+            }
+
+            break;
+        } while (true);
+
+        if ($resp->getStatusCode() >= 300) {
+            $this->error("ERROR: Failed to download module from {$location}");
+            $this->error("Download failed with status code {$resp->getStatusCode()}");
+            return null;
+        }
+
+        $tempFile = tempnam(sys_get_temp_dir(), 'bookstack_module_');
+        $fileHandle = fopen($tempFile, 'w');
+        $respBody = $resp->getBody();
+        $size = 0;
+        $maxSize = 50 * 1024 * 1024;
+
+        while (!$respBody->eof()) {
+            fwrite($fileHandle, $respBody->read(1024));
+            $size += 1024;
+            if ($size > $maxSize) {
+                fclose($fileHandle);
+                unlink($tempFile);
+                $this->error("ERROR: Module ZIP file is too large. Maximum size is 50MB");
+                return '';
+            }
+        }
+
+        fclose($fileHandle);
+
+        $this->cleanupActions[] = function () use ($tempFile) {
+            unlink($tempFile);
+        };
+
+        return $tempFile;
+    }
+
+    protected function getPathToZip(string $location): string|null
+    {
+        $lowerLocation = strtolower($location);
+        $isRemote = str_starts_with($lowerLocation, 'http://') || str_starts_with($lowerLocation, 'https://');
+
+        if ($isRemote) {
+            // Warning about fetching from source
+            $host = parse_url($location, PHP_URL_HOST);
+            $this->warn("\nThis will download a module from: {$host}\n\nModules can contain code which would have the ability to do anything on the BookStack host server.\nYou should only install modules from trusted sources.");
+            $trustHost = $this->confirm('Are you sure you trust this source?');
+            if (!$trustHost) {
+                return null;
+            }
+
+            // Check if the connection is http. If so, warn the user.
+            if (str_starts_with($lowerLocation, 'http://')) {
+                $this->warn("You are downloading a module from an insecure HTTP source.\nWe recommend only using HTTPS sources to avoid various security risks.");
+                if (!$this->confirm('Are you sure you want to continue without HTTPS?')) {
+                    return null;
+                }
+            }
+
+            // Download ZIP and get its location
+            return $this->downloadModuleFile($location);
+        }
+
+        // Validate the file and get the full location
+        $zipPath = realpath($location);
+
+        if (!$zipPath || !is_file($zipPath)) {
+            $this->error("ERROR: Module file not found at {$location}");
+            return null;
+        }
+
+        $this->warn("\nThis will install a module from: {$zipPath}\n\nModules can contain code which would have the ability to do anything on the BookStack host server.\nYou should only install modules from trusted sources.");
+        $trustHost = $this->confirm('Are you sure you want to install this module?');
+        if (!$trustHost) {
+            return null;
+        }
+
+        return $zipPath;
+    }
+
+    protected function cleanup(): void
+    {
+        foreach ($this->cleanupActions as $action) {
+            $action();
+        }
+    }
+}

app/Entities/Controllers/BookApiController.php

@@ -7,11 +7,14 @@ use BookStack\Entities\Models\Book;
 use BookStack\Entities\Models\Chapter;
 use BookStack\Entities\Models\Entity;
 use BookStack\Entities\Queries\BookQueries;
+use BookStack\Entities\Queries\BookshelfQueries;
 use BookStack\Entities\Queries\PageQueries;
 use BookStack\Entities\Repos\BookRepo;
 use BookStack\Entities\Tools\BookContents;
 use BookStack\Http\ApiController;
 use BookStack\Permissions\Permission;
+use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Database\Eloquent\Relations\BelongsToMany;
 use Illuminate\Http\Request;
 use Illuminate\Validation\ValidationException;
 
@@ -21,6 +24,7 @@ class BookApiController extends ApiController
         protected BookRepo $bookRepo,
         protected BookQueries $queries,
         protected PageQueries $pageQueries,
+        protected BookshelfQueries $shelfQueries,
     ) {
     }
 
@@ -60,13 +64,20 @@ class BookApiController extends ApiController
      * View the details of a single book.
      * The response data will contain a 'content' property listing the chapter and pages directly within, in
      * the same structure as you'd see within the BookStack interface when viewing a book. Top-level
-     * contents will have a 'type' property to distinguish between pages & chapters.
+     * contents will have a 'type' property to distinguish between pages and chapters.
      */
     public function read(string $id)
     {
         $book = $this->queries->findVisibleByIdOrFail(intval($id));
         $book = $this->forJsonDisplay($book);
-        $book->load(['createdBy', 'updatedBy', 'ownedBy']);
+        $book->load([
+            'createdBy',
+            'updatedBy',
+            'ownedBy',
+            'shelves' => function (BelongsToMany $query) {
+                $query->select(['id', 'name', 'slug'])->scopes('visible');
+            }
+        ]);
 
         $contents = (new BookContents($book))->getTree(true, false)->all();
         $contentsApiData = (new ApiEntityListFormatter($contents))

app/Entities/Controllers/BookController.php

@@ -224,9 +224,14 @@ class BookController extends Controller
     {
         $book = $this->queries->findVisibleBySlugOrFail($bookSlug);
         $this->checkOwnablePermission(Permission::BookDelete, $book);
+        $contextShelf = $this->shelfContext->getContextualShelfForBook($book);
 
         $this->bookRepo->destroy($book);
 
+        if ($contextShelf) {
+            return redirect($contextShelf->getUrl());
+        }
+
         return redirect('/books');
     }
 

app/Entities/Controllers/PageController.php

@@ -21,6 +21,8 @@ use BookStack\Exceptions\PermissionsException;
 use BookStack\Http\Controller;
 use BookStack\Permissions\Permission;
 use BookStack\References\ReferenceFetcher;
+use BookStack\Util\HtmlContentFilter;
+use BookStack\Util\HtmlContentFilterConfig;
 use Exception;
 use Illuminate\Database\Eloquent\Relations\BelongsTo;
 use Illuminate\Http\Request;
@@ -173,7 +175,7 @@ class PageController extends Controller
     }
 
     /**
-     * Get page from an ajax request.
+     * Get a page from an ajax request.
      *
      * @throws NotFoundException
      */
@@ -183,6 +185,10 @@ class PageController extends Controller
         $page->setHidden(array_diff($page->getHidden(), ['html', 'markdown']));
         $page->makeHidden(['book']);
 
+        $filterConfig = HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'));
+        $filter = new HtmlContentFilter($filterConfig);
+        $page->html = $filter->filterString($page->html);
+
         return response()->json($page);
     }
 

app/Entities/Models/Bookshelf.php

@@ -19,7 +19,7 @@ class Bookshelf extends Entity implements HasDescriptionInterface, HasCoverInter
 
     public float $searchFactor = 1.2;
 
-    protected $hidden = ['image_id', 'deleted_at', 'description_html', 'priority', 'default_template_id', 'sort_rule_id', 'entity_id', 'entity_type', 'chapter_id', 'book_id'];
+    protected $hidden = ['pivot', 'image_id', 'deleted_at', 'description_html', 'priority', 'default_template_id', 'sort_rule_id', 'entity_id', 'entity_type', 'chapter_id', 'book_id'];
     protected $fillable = ['name'];
 
     /**

app/Entities/Tools/EntityHtmlDescription.php

@@ -6,6 +6,7 @@ use BookStack\Entities\Models\Book;
 use BookStack\Entities\Models\Bookshelf;
 use BookStack\Entities\Models\Chapter;
 use BookStack\Util\HtmlContentFilter;
+use BookStack\Util\HtmlContentFilterConfig;
 
 class EntityHtmlDescription
 {
@@ -50,7 +51,13 @@ class EntityHtmlDescription
             return $html;
         }
 
-        return HtmlContentFilter::removeActiveContentFromHtmlString($html);
+        $isEmpty = empty(trim(strip_tags($html)));
+        if ($isEmpty) {
+            return '<p></p>';
+        }
+
+        $filter = new HtmlContentFilter(new HtmlContentFilterConfig());
+        return $filter->filterString($html);
     }
 
     public function getPlain(): string

app/Entities/Tools/PageContent.php

@@ -2,6 +2,7 @@
 
 namespace BookStack\Entities\Tools;
 
+use BookStack\App\AppVersion;
 use BookStack\Entities\Models\Page;
 use BookStack\Entities\Queries\PageQueries;
 use BookStack\Entities\Tools\Markdown\MarkdownToHtml;
@@ -13,6 +14,7 @@ use BookStack\Uploads\ImageRepo;
 use BookStack\Uploads\ImageService;
 use BookStack\Users\Models\User;
 use BookStack\Util\HtmlContentFilter;
+use BookStack\Util\HtmlContentFilterConfig;
 use BookStack\Util\HtmlDocument;
 use BookStack\Util\WebSafeMimeSniffer;
 use Closure;
@@ -37,7 +39,14 @@ class PageContent
     public function setNewHTML(string $html, User $updater): void
     {
         $html = $this->extractBase64ImagesFromHtml($html, $updater);
-        $this->page->html = $this->formatHtml($html);
+        $html = $this->formatHtml($html);
+
+        $themeResult = Theme::dispatch(ThemeEvents::PAGE_CONTENT_PRE_STORE, $html, $this->page);
+        if (is_string($themeResult)) {
+            $html = $themeResult;
+        }
+
+        $this->page->html = $html;
         $this->page->text = $this->toPlainText();
         $this->page->markdown = '';
     }
@@ -50,7 +59,14 @@ class PageContent
         $markdown = $this->extractBase64ImagesFromMarkdown($markdown, $updater);
         $this->page->markdown = $markdown;
         $html = (new MarkdownToHtml($markdown))->convert();
-        $this->page->html = $this->formatHtml($html);
+        $html = $this->formatHtml($html);
+
+        $themeResult = Theme::dispatch(ThemeEvents::PAGE_CONTENT_PRE_STORE, $html, $this->page);
+        if (is_string($themeResult)) {
+            $html = $themeResult;
+        }
+
+        $this->page->html = $html;
         $this->page->text = $this->toPlainText();
     }
 
@@ -79,7 +95,7 @@ class PageContent
 
     /**
      * Convert all inline base64 content to uploaded image files.
-     * Regex is used to locate the start of data-uri definitions then
+     * Regex is used to locate the start of data-uri definitions, then
      * manual looping over content is done to parse the whole data uri.
      * Attempting to capture the whole data uri using regex can cause PHP
      * PCRE limits to be hit with larger, multi-MB, files.
@@ -299,7 +315,7 @@ class PageContent
         $html = $this->page->html ?? '';
 
         if (empty($html)) {
-            return $html;
+            return $this->handlePostRender('');
         }
 
         $doc = new HtmlDocument($html);
@@ -317,11 +333,36 @@ class PageContent
             $this->updateIdsRecursively($doc->getBody(), 0, $idMap, $changeMap);
         }
 
-        if (!config('app.allow_content_scripts')) {
-            HtmlContentFilter::removeActiveContentFromDocument($doc);
+        $cacheKey = $this->getContentCacheKey($doc->getBodyInnerHtml());
+        $cached = cache()->get($cacheKey, null);
+        if ($cached !== null) {
+            return $this->handlePostRender($cached);
         }
 
-        return $doc->getBodyInnerHtml();
+        $filterConfig = HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'));
+        $filter = new HtmlContentFilter($filterConfig);
+        $filtered = $filter->filterDocument($doc);
+
+        $cacheTime = 86400 * 7; // 1 week
+        cache()->put($cacheKey, $filtered, $cacheTime);
+
+        return $this->handlePostRender($filtered);
+    }
+
+    protected function handlePostRender(string $html): string
+    {
+        $themeResult = Theme::dispatch(ThemeEvents::PAGE_CONTENT_POST_RENDER, $html, $this->page);
+        return is_string($themeResult) ? $themeResult : $html;
+    }
+
+    protected function getContentCacheKey(string $html): string
+    {
+        $contentHash = md5($html);
+        $contentId = $this->page->id;
+        $contentTime = $this->page->updated_at?->timestamp ?? time();
+        $appVersion = AppVersion::get();
+        $filterConfig = config('app.content_filtering') ?? '';
+        return "page-content-cache::{$filterConfig}::{$appVersion}::{$contentId}::{$contentTime}::{$contentHash}";
     }
 
     /**

app/Entities/Tools/PageEditorData.php

@@ -8,6 +8,8 @@ use BookStack\Entities\Queries\EntityQueries;
 use BookStack\Entities\Tools\Markdown\HtmlToMarkdown;
 use BookStack\Entities\Tools\Markdown\MarkdownToHtml;
 use BookStack\Permissions\Permission;
+use BookStack\Util\HtmlContentFilter;
+use BookStack\Util\HtmlContentFilterConfig;
 
 class PageEditorData
 {
@@ -47,6 +49,7 @@ class PageEditorData
         $isDraftRevision = false;
         $this->warnings = [];
         $editActivity = new PageEditActivity($page);
+        $lastEditorId = $page->updated_by ?? user()->id;
 
         if ($editActivity->hasActiveEditing()) {
             $this->warnings[] = $editActivity->activeEditingMessage();
@@ -58,11 +61,20 @@ class PageEditorData
             $page->forceFill($userDraft->only(['name', 'html', 'markdown']));
             $isDraftRevision = true;
             $this->warnings[] = $editActivity->getEditingActiveDraftMessage($userDraft);
+            $lastEditorId = $userDraft->created_by;
         }
 
+        // Get editor type and handle changes
         $editorType = $this->getEditorType($page);
         $this->updateContentForEditor($page, $editorType);
 
+        // Filter HTML content if required
+        if ($editorType->isHtmlBased() && !old('html') && $lastEditorId !== user()->id) {
+            $filterConfig = HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'));
+            $filter = new HtmlContentFilter($filterConfig);
+            $page->html = $filter->filterString($page->html);
+        }
+
         return [
             'page'            => $page,
             'book'            => $page->book,

app/Theming/CustomHtmlHeadContentProvider.php

@@ -4,25 +4,17 @@ namespace BookStack\Theming;
 
 use BookStack\Util\CspService;
 use BookStack\Util\HtmlContentFilter;
+use BookStack\Util\HtmlContentFilterConfig;
 use BookStack\Util\HtmlNonceApplicator;
 use Illuminate\Contracts\Cache\Repository as Cache;
 
 class CustomHtmlHeadContentProvider
 {
-    /**
-     * @var CspService
-     */
-    protected $cspService;
-
-    /**
-     * @var Cache
-     */
-    protected $cache;
-
-    public function __construct(CspService $cspService, Cache $cache)
-    {
-        $this->cspService = $cspService;
-        $this->cache = $cache;
+    public function __construct(
+        protected CspService $cspService,
+        protected Cache $cache,
+        protected ThemeService $themeService,
+    ) {
     }
 
     /**
@@ -32,8 +24,9 @@ class CustomHtmlHeadContentProvider
     public function forWeb(): string
     {
         $content = $this->getSourceContent();
-        $hash = md5($content);
+        $hash = md5($content) . ':' . $this->themeService->getModulesHash();
         $html = $this->cache->remember('custom-head-web:' . $hash, 86400, function () use ($content) {
+            $content .= "\n" . $this->getModuleHeadContent();
             return HtmlNonceApplicator::prepare($content);
         });
 
@@ -50,7 +43,8 @@ class CustomHtmlHeadContentProvider
         $hash = md5($content);
 
         return $this->cache->remember('custom-head-export:' . $hash, 86400, function () use ($content) {
-            return HtmlContentFilter::removeActiveContentFromHtmlString($content);
+            $config = new HtmlContentFilterConfig(filterOutNonContentElements: false, useAllowListFilter: false);
+            return (new HtmlContentFilter($config))->filterString($content);
         });
     }
 
@@ -61,4 +55,23 @@ class CustomHtmlHeadContentProvider
     {
         return setting('app-custom-head', '');
     }
+
+    /**
+     * Get any custom head content from installed modules.
+     */
+    protected function getModuleHeadContent(): string
+    {
+        $content = '';
+        foreach ($this->themeService->getModules() as $module) {
+            $headContentPath = $module->path('head');
+            if (file_exists($headContentPath) && is_dir($headContentPath)) {
+                $htmlFiles = glob($headContentPath . '/*.html');
+                foreach ($htmlFiles as $file) {
+                    $content .= file_get_contents($file);
+                }
+            }
+        }
+
+        return $content;
+    }
 }

app/Theming/ThemeController.php

@@ -5,21 +5,22 @@ namespace BookStack\Theming;
 use BookStack\Facades\Theme;
 use BookStack\Http\Controller;
 use BookStack\Util\FilePathNormalizer;
+use Symfony\Component\HttpFoundation\StreamedResponse;
 
 class ThemeController extends Controller
 {
     /**
      * Serve a public file from the configured theme.
      */
-    public function publicFile(string $theme, string $path)
+    public function publicFile(string $theme, string $path): StreamedResponse
     {
         $cleanPath = FilePathNormalizer::normalize($path);
         if ($theme !== Theme::getTheme() || !$cleanPath) {
             abort(404);
         }
 
-        $filePath = theme_path("public/{$cleanPath}");
-        if (!file_exists($filePath)) {
+        $filePath = Theme::findFirstFile("public/{$cleanPath}");
+        if (!$filePath) {
             abort(404);
         }
 

app/Theming/ThemeEvents.php

@@ -87,6 +87,17 @@ class ThemeEvents
      */
     const COMMONMARK_ENVIRONMENT_CONFIGURE = 'commonmark_environment_configure';
 
+    /**
+     * OIDC auth pre-redirect event.
+     * Runs just before BookStack redirects the user to the identity provider for authentication.
+     * Provides the redirect URL that will be used.
+     * If the listener returns a string value, that will be used as the redirect URL instead.
+     *
+     * @param string $redirectUrl
+     * @return string|null
+     */
+    const OIDC_AUTH_PRE_REDIRECT = 'oidc_auth_pre_redirect';
+
     /**
      * OIDC ID token pre-validate event.
      * Runs just before BookStack validates the user ID token data upon login.
@@ -100,6 +111,31 @@ class ThemeEvents
      */
     const OIDC_ID_TOKEN_PRE_VALIDATE = 'oidc_id_token_pre_validate';
 
+    /**
+     * Page content post-render event.
+     * Runs after any display rendering of page content, typically when page content is being processed for viewing.
+     * Rendering typically includes parsing of page includes, and content filtering.
+     * Provides the HTML content about to be shown, along with the related page instance.
+     * If the listener returns a string value, that will be used as the HTML content instead.
+     *
+     * @param string $html
+     * @param \BookStack\Entities\Models\Page $page
+     * @return string|null
+     */
+    const PAGE_CONTENT_POST_RENDER = 'page_content_post_render';
+
+    /**
+     * Page content pre-store event.
+     * Runs just before page HTML is stored in the database, after BookStack's own processing.
+     * Provides the HTML content about to be stored, along with the related page instance.
+     * If the listener returns a string value, that will be used as the HTML content instead.
+     *
+     * @param string $html
+     * @param \BookStack\Entities\Models\Page $page
+     * @return string|null
+     */
+    const PAGE_CONTENT_PRE_STORE = 'page_content_pre_store';
+
     /**
      * Page include parse event.
      * Runs when a page include tag is being parsed, typically when page content is being processed for viewing.
@@ -134,6 +170,16 @@ class ThemeEvents
      */
     const ROUTES_REGISTER_WEB_AUTH = 'routes_register_web_auth';
 
+
+    /**
+     * Theme register views event.
+     * Called by the theme system when a theme is active, so that custom view templates can be registered
+     * to be rendered in addition to existing app views.
+     *
+     * @param \BookStack\Theming\ThemeViews $themeViews
+     */
+    const THEME_REGISTER_VIEWS = 'theme_register_views';
+
     /**
      * Web before middleware action.
      * Runs before the request is handled but after all other middleware apart from those

app/Theming/ThemeModule.php

@@ -0,0 +1,59 @@
+<?php
+
+namespace BookStack\Theming;
+
+readonly class ThemeModule
+{
+    public function __construct(
+        public string $name,
+        public string $description,
+        public string $version,
+        public string $folderName,
+    ) {
+    }
+
+    /**
+     * Create a ThemeModule instance from JSON data.
+     *
+     * @throws ThemeModuleException
+     */
+    public static function fromJson(array $data, string $folderName): self
+    {
+        if (empty($data['name']) || !is_string($data['name'])) {
+            throw new ThemeModuleException("Module in folder \"{$folderName}\" is missing a valid 'name' property");
+        }
+
+        if (!isset($data['description']) || !is_string($data['description'])) {
+            throw new ThemeModuleException("Module in folder \"{$folderName}\" is missing a valid 'description' property");
+        }
+
+        if (!isset($data['version']) || !is_string($data['version'])) {
+            throw new ThemeModuleException("Module in folder \"{$folderName}\" is missing a valid 'version' property");
+        }
+
+        if (!preg_match('/^v?\d+\.\d+\.\d+(-.*)?$/', $data['version'])) {
+            throw new ThemeModuleException("Module in folder \"{$folderName}\" has an invalid 'version' format. Expected semantic version format like '1.0.0' or 'v1.0.0'");
+        }
+
+        return new self(
+            name: $data['name'],
+            description: $data['description'],
+            version: $data['version'],
+            folderName: $folderName,
+        );
+    }
+
+    /**
+     * Get a path for a file within this module.
+     */
+    public function path($path = ''): string
+    {
+        $component = trim($path, '/');
+        return theme_path("modules/{$this->folderName}/{$component}");
+    }
+
+    public function getVersion(): string
+    {
+        return str_starts_with($this->version, 'v') ? $this->version : 'v' . $this->version;
+    }
+}

app/Theming/ThemeModuleException.php

@@ -0,0 +1,7 @@
+<?php
+
+namespace BookStack\Theming;
+
+class ThemeModuleException extends \Exception
+{
+}

app/Theming/ThemeModuleManager.php

@@ -0,0 +1,133 @@
+<?php
+
+namespace BookStack\Theming;
+
+use Illuminate\Support\Str;
+
+class ThemeModuleManager
+{
+    /** @var array<string, ThemeModule>|null */
+    protected array|null $loadedModules = null;
+
+    public function __construct(
+        protected string $modulesFolderPath
+    ) {
+    }
+
+    /**
+     * @return array<string, ThemeModule>
+     */
+    public function getByName(string $name): array
+    {
+        return array_filter($this->load(), fn(ThemeModule $module) => $module->name === $name);
+    }
+
+    public function deleteModuleFolder(string $moduleFolderName): void
+    {
+        $modules = $this->load();
+        $module = $modules[$moduleFolderName] ?? null;
+        if (!$module) {
+            return;
+        }
+
+        $moduleFolderPath = $module->path('');
+        if (!file_exists($moduleFolderPath)) {
+            return;
+        }
+
+        $this->deleteDirectoryRecursively($moduleFolderPath);
+        unset($this->loadedModules[$moduleFolderName]);
+    }
+
+    /**
+     * @throws ThemeModuleException
+     */
+    public function addFromZip(string $name, ThemeModuleZip $zip): ThemeModule
+    {
+        $baseFolderName = Str::limit(Str::slug($name), 40, '');
+        $folderName = $baseFolderName;
+        while (!$baseFolderName || file_exists($this->modulesFolderPath . DIRECTORY_SEPARATOR . $folderName)) {
+            $folderName = ($baseFolderName ?: 'mod') . '-' . Str::random(4);
+        }
+
+        $folderPath = $this->modulesFolderPath . DIRECTORY_SEPARATOR . $folderName;
+        $zip->extractTo($folderPath);
+
+        $module = $this->loadFromFolder($folderName);
+        if (!$module) {
+            throw new ThemeModuleException("Failed to load module from zip file after extraction");
+        }
+
+        return $module;
+    }
+
+    protected function deleteDirectoryRecursively(string $path): void
+    {
+        $items = array_diff(scandir($path), ['.', '..']);
+        foreach ($items as $item) {
+            $itemPath = $path . DIRECTORY_SEPARATOR . $item;
+            if (is_dir($itemPath)) {
+                $this->deleteDirectoryRecursively($itemPath);
+            } else {
+                $deleted = unlink($itemPath);
+                if (!$deleted) {
+                    throw new ThemeModuleException("Failed to delete file at \"{$itemPath}\"");
+                }
+            }
+        }
+        rmdir($path);
+    }
+
+    public function load(): array
+    {
+        if ($this->loadedModules !== null) {
+            return $this->loadedModules;
+        }
+
+        if (!is_dir($this->modulesFolderPath)) {
+            return [];
+        }
+
+        $subFolders = array_filter(scandir($this->modulesFolderPath), function ($item) {
+            return $item !== '.' && $item !== '..' && is_dir($this->modulesFolderPath . DIRECTORY_SEPARATOR . $item);
+        });
+
+        $modules = [];
+
+        foreach ($subFolders as $folderName) {
+            $module = $this->loadFromFolder($folderName);
+            if ($module) {
+                $modules[$folderName] = $module;
+            }
+        }
+
+        $this->loadedModules = $modules;
+
+        return $modules;
+    }
+
+    protected function loadFromFolder(string $folderName): ThemeModule|null
+    {
+        $moduleJsonFile = $this->modulesFolderPath . DIRECTORY_SEPARATOR . $folderName . DIRECTORY_SEPARATOR . 'bookstack-module.json';
+        if (!file_exists($moduleJsonFile)) {
+            return null;
+        }
+
+        try {
+            $jsonContent = file_get_contents($moduleJsonFile);
+            $jsonData = json_decode($jsonContent, true);
+
+            if (json_last_error() !== JSON_ERROR_NONE) {
+                throw new ThemeModuleException("Invalid JSON in module file at \"{$moduleJsonFile}\": " . json_last_error_msg());
+            }
+
+            $module = ThemeModule::fromJson($jsonData, $folderName);
+        } catch (ThemeModuleException $exception) {
+            throw $exception;
+        } catch (\Exception $exception) {
+            throw new ThemeModuleException("Failed loading module from \"{$moduleJsonFile}\" with error: {$exception->getMessage()}");
+        }
+
+        return $module;
+    }
+}

app/Theming/ThemeModuleZip.php

@@ -0,0 +1,98 @@
+<?php
+
+namespace BookStack\Theming;
+
+use ZipArchive;
+
+readonly class ThemeModuleZip
+{
+    public function __construct(
+        protected string $path
+    ) {
+    }
+
+    public function extractTo(string $destinationPath): void
+    {
+        $zip = new ZipArchive();
+        $zip->open($this->path);
+        $zip->extractTo($destinationPath);
+        $zip->close();
+    }
+
+    /**
+     * Read the module's JSON metadata to read it into a ThemeModule instance.
+     * @throws ThemeModuleException
+     */
+    public function getModuleInstance(): ThemeModule
+    {
+        $zip = new ZipArchive();
+        $open = $zip->open($this->path);
+        if ($open !== true) {
+            throw new ThemeModuleException("Unable to open zip file at {$this->path}");
+        }
+
+        $moduleJsonText = $zip->getFromName('bookstack-module.json');
+        $zip->close();
+
+        if ($moduleJsonText === false) {
+            throw new ThemeModuleException("bookstack-module.json not found within module ZIP at {$this->path}");
+        }
+
+        $moduleJson = json_decode($moduleJsonText, true);
+        if ($moduleJson === null) {
+            throw new ThemeModuleException("Could not read JSON from bookstack-module.json within module ZIP at {$this->path}");
+        }
+
+        return ThemeModule::fromJson($moduleJson, '_temp');
+    }
+
+    /**
+     * Get the path to the zip file.
+     */
+    public function getPath(): string
+    {
+        return $this->path;
+    }
+
+    /**
+     * Check if the zip file exists and that it appears to be a valid zip file.
+     */
+    public function exists(): bool
+    {
+        if (!file_exists($this->path)) {
+            return false;
+        }
+
+        $zip = new ZipArchive();
+        $open = $zip->open($this->path, ZipArchive::RDONLY);
+        if ($open === true) {
+            $zip->close();
+            return true;
+        }
+        return false;
+    }
+
+    /**
+     * Get the total size of the zip file contents when uncompressed.
+     */
+    public function getContentsSize(): int
+    {
+        $zip = new ZipArchive();
+
+        if ($zip->open($this->path) !== true) {
+            return 0;
+        }
+
+        $totalSize = 0;
+        for ($i = 0; $i < $zip->numFiles; $i++) {
+            $stat = $zip->statIndex($i);
+            if ($stat !== false) {
+                $totalSize += $stat['size'];
+            }
+        }
+
+        $zip->close();
+
+        return $totalSize;
+    }
+}

app/Theming/ThemeService.php

@@ -6,6 +6,7 @@ use BookStack\Access\SocialDriverManager;
 use BookStack\Exceptions\ThemeException;
 use Illuminate\Console\Application;
 use Illuminate\Console\Application as Artisan;
+use Illuminate\View\FileViewFinder;
 use Symfony\Component\Console\Command\Command;
 
 class ThemeService
@@ -15,6 +16,11 @@ class ThemeService
      */
     protected array $listeners = [];
 
+    /**
+     * @var array<string, ThemeModule>
+     */
+    protected array $modules = [];
+
     /**
      * Get the currently configured theme.
      * Returns an empty string if not configured.
@@ -76,20 +82,85 @@ class ThemeService
     }
 
     /**
-     * Read any actions from the set theme path if the 'functions.php' file exists.
+     * Read any actions from the 'functions.php' file of the active theme or its modules.
      */
     public function readThemeActions(): void
     {
-        $themeActionsFile = theme_path('functions.php');
-        if ($themeActionsFile && file_exists($themeActionsFile)) {
+        $moduleFunctionFiles = array_map(function (ThemeModule $module): string {
+            return $module->path('functions.php');
+        }, $this->modules);
+        $allFunctionFiles = array_merge(array_values($moduleFunctionFiles), [theme_path('functions.php')]);
+        $filteredFunctionFiles = array_filter($allFunctionFiles, function (string $file): bool {
+            return $file && file_exists($file);
+        });
+
+        foreach ($filteredFunctionFiles as $functionFile) {
             try {
-                require $themeActionsFile;
+                require $functionFile;
             } catch (\Error $exception) {
-                throw new ThemeException("Failed loading theme functions file at \"{$themeActionsFile}\" with error: {$exception->getMessage()}");
+                throw new ThemeException("Failed loading theme functions file at \"{$functionFile}\" with error: {$exception->getMessage()}");
             }
         }
     }
 
+    /**
+     * Read the modules folder and load in any valid theme modules.
+     * @throws ThemeModuleException
+     */
+    public function loadModules(): void
+    {
+        $modulesFolder = theme_path('modules');
+        if (!$modulesFolder) {
+            return;
+        }
+
+        $this->modules = (new ThemeModuleManager($modulesFolder))->load();
+    }
+
+    /**
+     * Get all loaded theme modules.
+     * @return array<string, ThemeModule>
+     */
+    public function getModules(): array
+    {
+        return $this->modules;
+    }
+
+    /**
+     * Get a hash to represent the currently loaded modules.
+     */
+    public function getModulesHash(): string
+    {
+        $key = "";
+
+        foreach ($this->modules as $module) {
+            $key .= $module->name . ':' . $module->version . ';';
+        }
+
+        return md5($key);
+    }
+
+    /**
+     * Look for a specific file within the theme or its modules.
+     * Returns the first file found or null if not found.
+     */
+    public function findFirstFile(string $path): ?string
+    {
+        $themePath = theme_path($path);
+        if (file_exists($themePath)) {
+            return $themePath;
+        }
+
+        foreach ($this->modules as $module) {
+            $customizedFile = $module->path($path);
+            if (file_exists($customizedFile)) {
+                return $customizedFile;
+            }
+        }
+
+        return null;
+    }
+
     /**
      * @see SocialDriverManager::addSocialDriver
      */

app/Theming/ThemeViews.php

@@ -0,0 +1,115 @@
+<?php
+
+namespace BookStack\Theming;
+
+use BookStack\Exceptions\ThemeException;
+use Illuminate\View\FileViewFinder;
+
+class ThemeViews
+{
+    /**
+     * @var array<string, array<string, int>>
+     */
+    protected array $beforeViews = [];
+
+    /**
+     * @var array<string, array<string, int>>
+     */
+    protected array $afterViews = [];
+
+    public function __construct(
+        protected FileViewFinder $finder
+    ) {
+    }
+
+    /**
+     * Register any extra paths for where we may expect views to be located
+     * with the FileViewFinder, to make custom views available for use.
+     * @param ThemeModule[] $modules
+     */
+    public function registerViewPathsForTheme(array $modules): void
+    {
+        foreach ($modules as $module) {
+            $moduleViewsPath = $module->path('views');
+            if (file_exists($moduleViewsPath) && is_dir($moduleViewsPath)) {
+                $this->finder->prependLocation($moduleViewsPath);
+            }
+        }
+
+        $this->finder->prependLocation(theme_path());
+    }
+
+    /**
+     * Provide the response for a blade template view include.
+     */
+    public function handleViewInclude(string $viewPath, array $data = [], array $mergeData = []): string
+    {
+        if (!$this->hasRegisteredViews()) {
+            return view()->make($viewPath, $data, $mergeData)->render();
+        }
+
+        if (str_contains('book-tree', $viewPath)) {
+            dd($viewPath, $data);
+        }
+
+        $viewsContent = [
+            ...$this->renderViewSets($this->beforeViews[$viewPath] ?? [], $data, $mergeData),
+            view()->make($viewPath, $data, $mergeData)->render(),
+            ...$this->renderViewSets($this->afterViews[$viewPath] ?? [], $data, $mergeData),
+        ];
+
+        return implode("\n", $viewsContent);
+    }
+
+    /**
+     * Register a custom view to be rendered before the given target view is included in the template system.
+     */
+    public function renderBefore(string $targetView, string $localView, int $priority = 50): void
+    {
+        $this->registerAdjacentView($this->beforeViews, $targetView, $localView, $priority);
+    }
+
+    /**
+     * Register a custom view to be rendered after the given target view is included in the template system.
+     */
+    public function renderAfter(string $targetView, string $localView, int $priority = 50): void
+    {
+        $this->registerAdjacentView($this->afterViews, $targetView, $localView, $priority);
+    }
+
+    public function hasRegisteredViews(): bool
+    {
+        return !empty($this->beforeViews) || !empty($this->afterViews);
+    }
+
+    protected function registerAdjacentView(array &$location, string $targetView, string $localView, int $priority = 50): void
+    {
+        try {
+            $viewPath = $this->finder->find($localView);
+        } catch (\InvalidArgumentException $exception) {
+            throw new ThemeException("Expected registered view file with name \"{$localView}\" could not be found.");
+        }
+
+        if (!isset($location[$targetView])) {
+            $location[$targetView] = [];
+        }
+
+        $location[$targetView][$viewPath] = $priority;
+    }
+
+    /**
+     * @param array<string, int> $viewSet
+     * @return string[]
+     */
+    protected function renderViewSets(array $viewSet, array $data, array $mergeData): array
+    {
+        $paths = array_keys($viewSet);
+        usort($paths, function (string $a, string $b) use ($viewSet) {
+            return $viewSet[$a] <=> $viewSet[$b];
+        });
+
+        return array_map(function (string $viewPath) use ($data, $mergeData) {
+            return view()->file($viewPath, $data, $mergeData)->render();
+        }, $paths);
+    }
+}

app/Translation/FileLoader.php

@@ -2,6 +2,7 @@
 
 namespace BookStack\Translation;
 
+use BookStack\Facades\Theme;
 use Illuminate\Translation\FileLoader as BaseLoader;
 
 class FileLoader extends BaseLoader
@@ -12,11 +13,6 @@ class FileLoader extends BaseLoader
      * Extends Laravel's translation FileLoader to look in multiple directories
      * so that we can load in translation overrides from the theme file if wanted.
      *
-     * Note: As of using Laravel 10, this may now be redundant since Laravel's
-     * file loader supports multiple paths. This needs further testing though
-     * to confirm if Laravel works how we expect, since we specifically need
-     * the theme folder to be able to partially override core lang files.
-     *
      * @param string      $locale
      * @param string      $group
      * @param string|null $namespace
@@ -32,9 +28,18 @@ class FileLoader extends BaseLoader
         if (is_null($namespace) || $namespace === '*') {
             $themePath = theme_path('lang');
             $themeTranslations = $themePath ? $this->loadPaths([$themePath], $locale, $group) : [];
-            $originalTranslations = $this->loadPaths($this->paths, $locale, $group);
 
-            return array_merge($originalTranslations, $themeTranslations);
+            $modules = Theme::getModules();
+            $moduleTranslations = [];
+            foreach ($modules as $module) {
+                $modulePath = $module->path('lang');
+                if (file_exists($modulePath)) {
+                    $moduleTranslations = array_merge($moduleTranslations, $this->loadPaths([$modulePath], $locale, $group));
+                }
+            }
+
+            $originalTranslations = $this->loadPaths($this->paths, $locale, $group);
+            return array_merge($originalTranslations, $moduleTranslations, $themeTranslations);
         }
 
         return $this->loadNamespaced($locale, $group, $namespace);

app/Users/Controllers/UserController.php

@@ -208,4 +208,17 @@ class UserController extends Controller
 
         return redirect('/settings/users');
     }
+
+    /**
+     * Reset MFA for the specified user.
+     */
+    public function resetMfa(Request $request, int $id)
+    {
+        $this->checkPermission(Permission::UsersManage);
+        $user = $this->userRepo->getById($id);
+        // Resetear el 2FA del usuario 
+        $user->mfaValues()->delete();
+        session()->flash('success', trans('settings.users_mfa_reset_success', ['userName' => $user->name]));
+        return redirect()->back();
+    }
 }

app/Util/ConfiguredHtmlPurifier.php

@@ -0,0 +1,158 @@
+<?php
+
+namespace BookStack\Util;
+
+use BookStack\App\AppVersion;
+use HTMLPurifier;
+use HTMLPurifier_Config;
+use HTMLPurifier_DefinitionCache_Serializer;
+use HTMLPurifier_HTML5Config;
+use HTMLPurifier_HTMLDefinition;
+
+/**
+ * Provides a configured HTML Purifier instance.
+ * https://github.com/ezyang/htmlpurifier
+ * Also uses this to extend support to HTML5 elements:
+ * https://github.com/xemlock/htmlpurifier-html5
+ */
+class ConfiguredHtmlPurifier
+{
+    protected HTMLPurifier $purifier;
+    protected static bool $cachedChecked = false;
+
+    public function __construct()
+    {
+        // This is done by the web-server at run-time, with the existing
+        // storage/framework/cache folder to ensure we're using a server-writable folder.
+        $cachePath = storage_path('framework/cache/purifier');
+        $this->createCacheFolderIfNeeded($cachePath);
+
+        $config = HTMLPurifier_HTML5Config::createDefault();
+        $this->setConfig($config, $cachePath);
+        $this->resetCacheIfNeeded($config);
+
+        $htmlDef = $config->getDefinition('HTML', true, true);
+        if ($htmlDef instanceof HTMLPurifier_HTMLDefinition) {
+            $this->configureDefinition($htmlDef);
+        }
+
+        $this->purifier = new HTMLPurifier($config);
+    }
+
+    protected function createCacheFolderIfNeeded(string $cachePath): void
+    {
+        if (!file_exists($cachePath)) {
+            mkdir($cachePath, 0777, true);
+        }
+    }
+
+    protected function resetCacheIfNeeded(HTMLPurifier_Config $config): void
+    {
+        if (self::$cachedChecked) {
+            return;
+        }
+
+        $cachedForVersion = cache('htmlpurifier::cache-version');
+        $appVersion = AppVersion::get();
+        if ($cachedForVersion !== $appVersion) {
+            foreach (['HTML', 'CSS', 'URI'] as $name) {
+                $cache = new HTMLPurifier_DefinitionCache_Serializer($name);
+                $cache->flush($config);
+            }
+            cache()->set('htmlpurifier::cache-version', $appVersion);
+        }
+
+        self::$cachedChecked = true;
+    }
+
+    protected function setConfig(HTMLPurifier_Config $config, string $cachePath): void
+    {
+        $config->set('Cache.SerializerPath', $cachePath);
+        $config->set('Core.AllowHostnameUnderscore', true);
+        $config->set('CSS.AllowTricky', true);
+        $config->set('HTML.SafeIframe', true);
+        $config->set('HTML.TargetNoopener', false);
+        $config->set('HTML.TargetNoreferrer', false);
+        $config->set('Attr.EnableID', true);
+        $config->set('Attr.ID.HTML5', true);
+        $config->set('Output.FixInnerHTML', false);
+        $config->set('URI.SafeIframeRegexp', '%^(http://|https://|//)%');
+        $config->set('URI.AllowedSchemes', [
+            'http' => true,
+            'https' => true,
+            'mailto' => true,
+            'ftp' => true,
+            'nntp' => true,
+            'news' => true,
+            'tel' => true,
+            'file' => true,
+        ]);
+
+         // $config->set('Cache.DefinitionImpl', null); // Disable cache during testing
+    }
+
+    public function configureDefinition(HTMLPurifier_HTMLDefinition $definition): void
+    {
+        // Allow the object element
+        $definition->addElement(
+            'object',
+            'Inline',
+            'Flow',
+            'Common',
+            [
+                'data'   => 'URI',
+                'type'   => 'Text',
+                'width'  => 'Length',
+                'height' => 'Length',
+            ]
+        );
+
+        // Allow the embed element
+        $definition->addElement(
+            'embed',
+            'Inline',
+            'Empty',
+            'Common',
+            [
+                'src'   => 'URI',
+                'type'   => 'Text',
+                'width'  => 'Length',
+                'height' => 'Length',
+            ]
+        );
+
+        // Allow checkbox inputs
+        $definition->addElement(
+            'input',
+            'Formctrl',
+            'Empty',
+            'Common',
+            [
+                'checked' => 'Bool#checked',
+                'disabled' => 'Bool#disabled',
+                'name' => 'Text',
+                'readonly' => 'Bool#readonly',
+                'type' => 'Enum#checkbox',
+                'value' => 'Text',
+            ]
+        );
+
+        // Allow the drawio-diagram attribute on div elements
+        $definition->addAttribute(
+            'div',
+            'drawio-diagram',
+            'Number',
+        );
+
+        // Allow target="_blank" on links
+        $definition->addAttribute('a', 'target', 'Enum#_blank');
+
+        // Allow mention-ids on links
+        $definition->addAttribute('a', 'data-mention-user-id', 'Number');
+    }
+
+    public function purify(string $html): string
+    {
+        return $this->purifier->purify($html);
+    }
+}

app/Util/CspService.php

@@ -65,7 +65,7 @@ class CspService
      */
     protected function getScriptSrc(): string
     {
-        if (config('app.allow_content_scripts')) {
+        if ($this->scriptFilteringDisabled()) {
             return '';
         }
 
@@ -108,7 +108,7 @@ class CspService
      */
     protected function getObjectSrc(): string
     {
-        if (config('app.allow_content_scripts')) {
+        if ($this->scriptFilteringDisabled()) {
             return '';
         }
 
@@ -124,6 +124,11 @@ class CspService
         return "base-uri 'self'";
     }
 
+    protected function scriptFilteringDisabled(): bool
+    {
+        return !HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'))->filterOutJavaScript;
+    }
+
     protected function getAllowedIframeHosts(): array
     {
         $hosts = config('app.iframe_hosts') ?? '';

app/Util/HtmlContentFilter.php

@@ -8,12 +8,46 @@ use DOMNodeList;
 
 class HtmlContentFilter
 {
-    /**
-     * Remove all active content from the given HTML document.
-     * This aims to cover anything which can dynamically deal with, or send, data
-     * like any JavaScript actions or form content.
-     */
-    public static function removeActiveContentFromDocument(HtmlDocument $doc): void
+    public function __construct(
+        protected HtmlContentFilterConfig $config
+    ) {
+    }
+
+    public function filterDocument(HtmlDocument $doc): string
+    {
+        if ($this->config->filterOutJavaScript) {
+            $this->filterOutScriptsFromDocument($doc);
+        }
+        if ($this->config->filterOutFormElements) {
+            $this->filterOutFormElementsFromDocument($doc);
+        }
+        if ($this->config->filterOutBadHtmlElements) {
+            $this->filterOutBadHtmlElementsFromDocument($doc);
+        }
+        if ($this->config->filterOutNonContentElements) {
+            $this->filterOutNonContentElementsFromDocument($doc);
+        }
+
+        $filtered = $doc->getBodyInnerHtml();
+        if ($this->config->useAllowListFilter) {
+            $filtered = $this->applyAllowListFiltering($filtered);
+        }
+
+        return $filtered;
+    }
+
+    public function filterString(string $html): string
+    {
+        return $this->filterDocument(new HtmlDocument($html));
+    }
+
+    protected function applyAllowListFiltering(string $html): string
+    {
+        $purifier = new ConfiguredHtmlPurifier();
+        return $purifier->purify($html);
+    }
+
+    protected function filterOutScriptsFromDocument(HtmlDocument $doc): void
     {
         // Remove standard script tags
         $scriptElems = $doc->queryXPath('//script');
@@ -27,17 +61,17 @@ class HtmlContentFilter
         $badForms = $doc->queryXPath('//*[' . static::xpathContains('@action', 'javascript:') . '] | //*[' . static::xpathContains('@formaction', 'javascript:') . ']');
         static::removeNodes($badForms);
 
-        // Remove meta tag to prevent external redirects
-        $metaTags = $doc->queryXPath('//meta[' . static::xpathContains('@content', 'url') . ']');
-        static::removeNodes($metaTags);
-
-        // Remove data or JavaScript iFrames
+        // Remove data or JavaScript iFrames & embeds
         $badIframes = $doc->queryXPath('//*[' . static::xpathContains('@src', 'data:') . '] | //*[' . static::xpathContains('@src', 'javascript:') . '] | //*[@srcdoc]');
         static::removeNodes($badIframes);
 
+        // Remove data or JavaScript objects
+        $badObjects = $doc->queryXPath('//*[' . static::xpathContains('@data', 'data:') . '] | //*[' . static::xpathContains('@data', 'javascript:') . ']');
+        static::removeNodes($badObjects);
+
         // Remove attributes, within svg children, hiding JavaScript or data uris.
         // A bunch of svg element and attribute combinations expose xss possibilities.
-        // For example, SVG animate tag can exploit javascript in values.
+        // For example, SVG animate tag can exploit JavaScript in values.
         $badValuesAttrs = $doc->queryXPath('//svg//@*[' . static::xpathContains('.', 'data:') . '] | //svg//@*[' . static::xpathContains('.', 'javascript:') . ']');
         static::removeAttributes($badValuesAttrs);
 
@@ -49,7 +83,10 @@ class HtmlContentFilter
         // Remove 'on*' attributes
         $onAttributes = $doc->queryXPath('//@*[starts-with(name(), \'on\')]');
         static::removeAttributes($onAttributes);
+    }
 
+    protected function filterOutFormElementsFromDocument(HtmlDocument $doc): void
+    {
         // Remove form elements
         $formElements = ['form', 'fieldset', 'button', 'textarea', 'select'];
         foreach ($formElements as $formElement) {
@@ -75,41 +112,21 @@ class HtmlContentFilter
         }
     }
 
-    /**
-     * Remove active content from the given HTML string.
-     * This aims to cover anything which can dynamically deal with, or send, data
-     * like any JavaScript actions or form content.
-     */
-    public static function removeActiveContentFromHtmlString(string $html): string
+    protected function filterOutBadHtmlElementsFromDocument(HtmlDocument $doc): void
     {
-        if (empty($html)) {
-            return $html;
+        // Remove meta tag to prevent external redirects
+        $metaTags = $doc->queryXPath('//meta[' . static::xpathContains('@content', 'url') . ']');
+        static::removeNodes($metaTags);
+    }
+
+    protected function filterOutNonContentElementsFromDocument(HtmlDocument $doc): void
+    {
+        // Remove non-content elements
+        $formElements = ['link', 'style', 'meta', 'title', 'template'];
+        foreach ($formElements as $formElement) {
+            $matchingFormElements = $doc->queryXPath('//' . $formElement);
+            static::removeNodes($matchingFormElements);
         }
-
-        $doc = new HtmlDocument($html);
-        static::removeActiveContentFromDocument($doc);
-
-        return $doc->getBodyInnerHtml();
-    }
-
-    /**
-     * Alias using the old method name to avoid potential compatibility breaks during patch release.
-     * To remove in future feature release.
-     * @deprecated Use removeActiveContentFromDocument instead.
-     */
-    public static function removeScriptsFromDocument(HtmlDocument $doc): void
-    {
-        static::removeActiveContentFromDocument($doc);
-    }
-
-    /**
-     * Alias using the old method name to avoid potential compatibility breaks during patch release.
-     * To remove in future feature release.
-     * @deprecated Use removeActiveContentFromHtmlString instead.
-     */
-    public static function removeScriptsFromHtmlString(string $html): string
-    {
-        return static::removeActiveContentFromHtmlString($html);
     }
 
     /**
@@ -147,4 +164,34 @@ class HtmlContentFilter
             $parentNode->removeAttribute($attrName);
         }
     }
+
+    /**
+     * Alias using the old method name to avoid potential compatibility breaks during patch release.
+     * To remove in future feature release.
+     * @deprecated Use filterDocument instead.
+     */
+    public static function removeScriptsFromDocument(HtmlDocument $doc): void
+    {
+        $config = new HtmlContentFilterConfig(
+            filterOutNonContentElements: false,
+            useAllowListFilter: false,
+        );
+        $filter = new self($config);
+        $filter->filterDocument($doc);
+    }
+
+    /**
+     * Alias using the old method name to avoid potential compatibility breaks during patch release.
+     * To remove in future feature release.
+     * @deprecated Use filterString instead.
+     */
+    public static function removeScriptsFromHtmlString(string $html): string
+    {
+        $config = new HtmlContentFilterConfig(
+            filterOutNonContentElements: false,
+            useAllowListFilter: false,
+        );
+        $filter = new self($config);
+        return $filter->filterString($html);
+    }
 }

app/Util/HtmlContentFilterConfig.php

@@ -0,0 +1,31 @@
+<?php
+
+namespace BookStack\Util;
+
+readonly class HtmlContentFilterConfig
+{
+    public function __construct(
+        public bool $filterOutJavaScript = true,
+        public bool $filterOutBadHtmlElements = true,
+        public bool $filterOutFormElements = true,
+        public bool $filterOutNonContentElements = true,
+        public bool $useAllowListFilter = true,
+    ) {
+    }
+
+    /**
+     * Create an instance from a config string, where the string
+     * is a combination of characters to enable filters.
+     */
+    public static function fromConfigString(string $config): self
+    {
+        $config = strtolower($config);
+        return new self(
+            filterOutJavaScript: str_contains($config, 'j'),
+            filterOutBadHtmlElements: str_contains($config, 'h'),
+            filterOutFormElements: str_contains($config, 'f'),
+            filterOutNonContentElements: str_contains($config, 'h'),
+            useAllowListFilter: str_contains($config, 'a'),
+        );
+    }
+}

app/Util/HtmlDocument.php

@@ -103,7 +103,13 @@ class HtmlDocument
      */
     public function getBody(): DOMNode
     {
-        return $this->document->getElementsByTagName('body')[0];
+        $bodies = $this->document->getElementsByTagName('body');
+
+        if ($bodies->length === 0) {
+            return new DOMElement('body', '');
+        }
+
+        return $bodies[0];
     }
 
     /**

app/Util/SvgIcon.php

@@ -2,6 +2,8 @@
 
 namespace BookStack\Util;
 
+use BookStack\Facades\Theme;
+
 class SvgIcon
 {
     public function __construct(
@@ -23,12 +25,9 @@ class SvgIcon
             $attrString .= $attrName . '="' . $attr . '" ';
         }
 
-        $iconPath = resource_path('icons/' . $this->name . '.svg');
-        $themeIconPath = theme_path('icons/' . $this->name . '.svg');
-
-        if ($themeIconPath && file_exists($themeIconPath)) {
-            $iconPath = $themeIconPath;
-        } elseif (!file_exists($iconPath)) {
+        $defaultIconPath = resource_path('icons/' . $this->name . '.svg');
+        $iconPath = Theme::findFirstFile("icons/{$this->name}.svg") ?? $defaultIconPath;
+        if (!file_exists($iconPath)) {
             return '';
         }
 

composer.json

@@ -19,6 +19,7 @@
         "ext-zip": "*",
         "bacon/bacon-qr-code": "^3.0",
         "dompdf/dompdf": "^3.1",
+        "ezyang/htmlpurifier": "^4.19",
         "guzzlehttp/guzzle": "^7.4",
         "intervention/image": "^3.5",
         "knplabs/knp-snappy": "^1.5",
@@ -38,7 +39,8 @@
         "socialiteproviders/microsoft-azure": "^5.1",
         "socialiteproviders/okta": "^4.2",
         "socialiteproviders/twitch": "^5.3",
-        "ssddanbrown/htmldiff": "^2.0.0"
+        "ssddanbrown/htmldiff": "^2.0.0",
+        "xemlock/htmlpurifier-html5": "^0.1.12"
     },
     "require-dev": {
         "fakerphp/faker": "^1.21",

dev/docs/logical-theme-system.md

@@ -99,6 +99,41 @@ Theme::listen(ThemeEvents::APP_BOOT, function($app) {
 });
 ```
 
+## Custom View Registration Example
+
+Using the logical theme system, you can register custom views to be rendered before/after other existing views, providing a flexible way to add content without needing to override and/or replicate existing content. This is done by listening to the `THEME_REGISTER_VIEWS`.
+
+**Note:** You don't need to use this to override existing views, or register whole new main views to use, since that's done automatically based on their existence. This is just for advanced capabilities like inserting before/after existing views.
+
+This event provides a `ThemeViews` instance which has the following methods made available:
+
+- `renderBefore(string $targetView, string $localView, int $priority)`
+- `renderAfter(string $targetView, string $localView, int $priority)`
+
+The target view is the name of that which we want to insert our custom view relative to.
+The local view is the name of the view we want to add and render.
+The priority provides a suggestion to the ordering of view display, with lower numbers being shown first. This defaults to 50 if not provided.
+
+Here's an example of this in use:
+
+```php
+<?php
+
+use BookStack\Facades\Theme;
+use BookStack\Theming\ThemeEvents;
+use BookStack\Theming\ThemeViews;
+
+Theme::listen(ThemeEvents::THEME_REGISTER_VIEWS, function (ThemeViews $themeViews) {
+    $themeViews->renderBefore('layouts.parts.header', 'welcome-banner', 4);
+    $themeViews->renderAfter('layouts.parts.header', 'information-alert');
+    $themeViews->renderAfter('layouts.parts.header', 'additions.password-notice', 20);
+});
+```
+
+In this example, we're inserting custom views before and after the main header bar.
+BookStack will look for a `welcome-banner.blade.php` file within our theme folder (or a theme module view folder) to render before the header. It'll look for the `information-alert.blade.php` and `additions/password-notice.blade.php` views to render afterwards.
+The password notice will be shown above the information alert view, since it has a specified priority of 20, whereas the information alert view would default to a priority of 50.
+
 ## Custom Command Registration Example
 
 The logical theme system supports adding custom [artisan commands](https://laravel.com/docs/8.x/artisan) to BookStack.

dev/docs/theme-system-modules.md

@@ -0,0 +1,72 @@
+# Theme System Modules
+
+A theme system module is a collection of customizations using the [visual](visual-theme-system.md) and [logical](logical-theme-system.md) theme systems, provided along with some metadata, that can be installed alongside other modules within a theme. They can effectively be thought of as "plugins" or "extensions" that can be applied in addition to any customizations in the active theme.
+
+### Module Location
+
+Modules are contained within a folder themselves, which should be located inside a `modules` folder within a [BookStack theme folder](visual-theme-system.md#getting-started). 
+As an example, starting from the `themes/` top-level folder of a BookStack instance:
+
+```txt
+themes
+└── my-theme
+    └── modules
+        ├── module-a
+        │   └── bookstack-module.json
+        └── module-b
+            └── bookstack-module.json
+```
+
+### Module Format
+
+A module exists as a folder in the location [as detailed above](#module-location).
+The content within the module folder should then follow this format:
+
+- `bookstack-module.json` - REQUIRED - A JSON file containing [the metadata](#module-json-metadata) for the module.
+- `functions.php` - OPTIONAL - A PHP file containing code for the [logical theme system](logical-theme-system.md).
+- `head/` - OPTIONAL - A folder containing HTML files which will be included into the HTML head of app-views.
+- `icons/` - OPTIONAL - A folder containing any icons to use as per [the visual theme system](visual-theme-system.md#customizing-icons).
+- `lang/` - OPTIONAL - A folder containing any language files to use as per [the visual theme system](visual-theme-system.md#customizing-text-content).
+- `public/` - OPTIONAL - A folder containing any files to expose into public web-space as per [the visual theme system](visual-theme-system.md#publicly-accessible-files).
+- `views/` - OPTIONAL - A folder containing any view additions or overrides as per [the visual theme system](visual-theme-system.md#customizing-view-files).
+
+You can create additional directories/files for your own needs within the module, but ideally name them something unique to prevent conflicts with the above structure.
+
+### Module JSON Metadata
+
+Modules are required to have a `bookstack-module.json` file in the top level directory of the module.
+This must be a JSON file with the following properties:
+
+- `name` - string - An (ideally unique) name for the module.
+- `description` - string - A short description of the module.
+- `version` - string - A string version number generally following [semantic versioning](https://semver.org/).
+  - Examples: `v0.4.0`, `4.3.12`,  `v0.1.0-beta4`.
+
+### Customization Order/Precedence
+
+It's possible that multiple modules may override/customize the same content.
+Right now, there's no assurance in regard to the order in which modules may be loaded.
+Generally they will be used/searched in order of their module folder name, but this is not assured and should not be relied upon.
+
+It's also possible that modules customize the same content as the configured theme.
+In this scenario, the theme takes precedence. Modules are designed to be more portable and instance abstract, whereas the theme folder would typically be specific to the instance. 
+This allows the theme to be used to customize or override module content for the BookStack instance, without altering the module code itself.
+
+### Module Best Practices
+
+Here are some general best practices when it comes to creating modules:
+
+- Use a unique name and clear description so the user can understand the purpose of the module.
+- Increment the metadata version on change, keeping to [semver](https://semver.org/) to indicate compatibility of new versions.
+- Where possible, prefer to [insert views before/after](logical-theme-system.md#custom-view-registration-example) instead of overriding existing views, to reduce likelihood of conflicts or update troubles.
+- When using/registering custom views, use some level of unique namespacing within the view path to prevent potential conflicts with other customizations.
+  - For example, I may store a view within my module as `views/my-module-name-welcome.blade.php`, to be registered as 'my-module-name-welcome'.
+  - This is important since views may be resolved from other modules or the active theme, which may/will override your module level view.
+
+### Distribution Format
+
+Modules are expected to be distributed as a compressed ZIP file, where the ZIP contents follow that of a module folder.
+BookStack provides a `php artisan bookstack:install-module` command which allows modules to be installed from these ZIP files, either from a local path or from a web URL.
+Currently, there's a hardcoded total filesize limit of 50MB for module contents installed via this method.
+
+There is not yet any direct update mechanism for modules, although this is something we may introduce in the future.

dev/docs/visual-theme-system.md

@@ -4,7 +4,7 @@ BookStack allows visual customization via the theme system which enables you to
 
 This is part of the theme system alongside the [logical theme system](./logical-theme-system.md).
 
-**Note:** This theme system itself is maintained and supported but usages of this system, including the files you are able to override, are not considered stable and may change upon any update. You should test any customizations made after updates.
+**Note:** This theme system itself is maintained and supported, but usages of this system, including the files you are able to override, are not considered stable and may change upon any update. You should test any customizations made after updates.
 
 ## Getting Started
 
@@ -18,6 +18,9 @@ You'll need to tell BookStack to use your theme via the `APP_THEME` option in yo
 Content placed in your `themes/<theme_name>/` folder will override the original view files found in the `resources/views` folder. These files are typically [Laravel Blade](https://laravel.com/docs/10.x/blade) files.
 As an example, I could override the `resources/views/books/parts/list-item.blade.php` file with my own template at the path `themes/<theme_name>/books/parts/list-item.blade.php`. 
 
+In addition to overriding original views, this could be used to add new views for use via the [logical theme system](logical-theme-system.md).
+By using the `THEME_REGISTER_VIEWS` logical event, you can also register your views to be rendered before/after existing views. An example of this can be found in our [logical theme guidance](logical-theme-system.md#custom-view-registration-example).
+
 ## Customizing Icons
 
 SVG files placed in a `themes/<theme_name>/icons` folder will override any icons of the same name within `resources/icons`. You'd typically want to follow the format convention of the existing icons, where no XML deceleration is included and no width & height attributes are set, to ensure optimal compatibility. 
@@ -50,7 +53,7 @@ configured application theme.
 
 There are some considerations to these publicly served files:
 
-- Only a predetermined range "web safe" content-types are currently served.
+- Only a predetermined range of "web safe" content-types are currently served.
   - This limits running into potential insecure scenarios in serving problematic file types.
 - A static 1-day cache time it set on files served from this folder.
   - You can use alternative cache-breaking techniques (change of query string) upon changes if needed. 

dev/licensing/php-library-licenses.txt

@@ -98,6 +98,13 @@ Copyright: Copyright (c) 2013-2023 Eduardo Gulias Davis
 Source: https://github.com/egulias/EmailValidator.git
 Link: https://github.com/egulias/EmailValidator
 -----------
+ezyang/htmlpurifier
+License: LGPL-2.1-or-later
+License File: vendor/ezyang/htmlpurifier/LICENSE
+Copyright: Copyright (C) 1991, 1999 Free Software Foundation, Inc.
+Source: https://github.com/ezyang/htmlpurifier.git
+Link: http://htmlpurifier.org/
+-----------
 firebase/php-jwt
 License: BSD-3-Clause
 License File: vendor/firebase/php-jwt/LICENSE
@@ -465,7 +472,7 @@ Link: https://github.com/php-fig/simple-cache.git
 psy/psysh
 License: MIT
 License File: vendor/psy/psysh/LICENSE
-Copyright: Copyright (c) 2012-2025 Justin Hileman
+Copyright: Copyright (c) 2012-2026 Justin Hileman
 Source: https://github.com/bobthecow/psysh.git
 Link: https://psysh.org
 -----------
@@ -787,3 +794,10 @@ License File: vendor/voku/portable-ascii/LICENSE.txt
 Copyright: Copyright (C) 2019 Lars Moelleken
 Source: https://github.com/voku/portable-ascii.git
 Link: https://github.com/voku/portable-ascii
+-----------
+xemlock/htmlpurifier-html5
+License: MIT
+License File: vendor/xemlock/htmlpurifier-html5/LICENSE
+Copyright: Copyright (c) 2015 Xemlock
+Source: https://github.com/xemlock/htmlpurifier-html5.git
+Link: https://github.com/xemlock/htmlpurifier-html5

lang/en/settings.php

@@ -104,7 +104,7 @@ return [
     'sort_rule_op_chapters_first' => 'Chapters First',
     'sort_rule_op_chapters_last' => 'Chapters Last',
     'sorting_page_limits' => 'Per-Page Display Limits',
-    'sorting_page_limits_desc' => 'Set how many items to show per-page in various lists within the system. Typically a lower amount will be more performant, while a higher amount avoids the need to click through multiple pages. Using an even multiple of 3 (18, 24, 30, etc...) is recommended.',
+    'sorting_page_limits_desc' => 'Set how many items to show per-page in various lists within the system. Typically a lower amount will be more performant, while a higher amount avoids the need to click through multiple pages. Using a multiple of 6 is recommended.',
 
     // Maintenance settings
     'maint' => 'Maintenance',
@@ -263,6 +263,11 @@ return [
     'users_mfa_desc' => 'Setup multi-factor authentication as an extra layer of security for your user account.',
     'users_mfa_x_methods' => ':count method configured|:count methods configured',
     'users_mfa_configure' => 'Configure Methods',
+    'users_mfa_reset' => 'Reset 2FA',
+    'users_mfa_reset_desc' => 'Reset and clear all configured MFA methods for :userName. They will be prompted to reconfigure on next login.',
+    'users_mfa_reset_confirm' => 'Are you sure you want to reset 2FA for :userName?',
+    'users_mfa_reset_success' => '2FA has been reset for :userName',
+    'users_mfa_reset_error' => 'Failed to reset 2FA for :userName',
 
     // API Tokens
     'user_api_token_create' => 'Create API Token',

package.json

@@ -18,45 +18,45 @@
     "test": "jest"
   },
   "devDependencies": {
-    "@eslint/js": "^9.39.1",
+    "@eslint/js": "^10.0.1",
     "@lezer/generator": "^1.8.0",
     "@types/markdown-it": "^14.1.2",
     "@types/sortablejs": "^1.15.9",
     "chokidar-cli": "^3.0",
-    "esbuild": "^0.27.0",
-    "eslint": "^9.39.1",
-    "eslint-plugin-import": "^2.32.0",
+    "esbuild": "^0.27.3",
+    "eslint": "^10.0.2",
+    "globals": "^17.4.0",
     "jest": "^30.2.0",
     "jest-environment-jsdom": "^30.2.0",
     "npm-run-all": "^4.1.5",
-    "sass": "^1.94.2",
-    "ts-jest": "^29.4.5",
+    "sass": "^1.97.3",
+    "ts-jest": "^29.4.6",
     "ts-node": "^10.9.2",
     "typescript": "5.9.*"
   },
   "dependencies": {
-    "@codemirror/commands": "^6.10.0",
+    "@codemirror/commands": "^6.10.2",
     "@codemirror/lang-css": "^6.3.1",
     "@codemirror/lang-html": "^6.4.11",
-    "@codemirror/lang-javascript": "^6.2.4",
+    "@codemirror/lang-javascript": "^6.2.5",
     "@codemirror/lang-json": "^6.0.2",
     "@codemirror/lang-markdown": "^6.5.0",
     "@codemirror/lang-php": "^6.0.2",
     "@codemirror/lang-xml": "^6.1.0",
-    "@codemirror/language": "^6.11.3",
+    "@codemirror/language": "^6.12.2",
     "@codemirror/legacy-modes": "^6.5.2",
-    "@codemirror/state": "^6.5.2",
+    "@codemirror/state": "^6.5.4",
     "@codemirror/theme-one-dark": "^6.1.3",
-    "@codemirror/view": "^6.38.8",
+    "@codemirror/view": "^6.39.16",
     "@lezer/highlight": "^1.2.3",
     "@ssddanbrown/codemirror-lang-smarty": "^1.0.0",
     "@ssddanbrown/codemirror-lang-twig": "^1.0.0",
     "@types/jest": "^30.0.0",
     "codemirror": "^6.0.2",
     "idb-keyval": "^6.2.2",
-    "markdown-it": "^14.1.0",
+    "markdown-it": "^14.1.1",
     "markdown-it-task-lists": "^2.1.1",
     "snabbdom": "^3.6.3",
-    "sortablejs": "^1.15.6"
+    "sortablejs": "^1.15.7"
   }
 }

phpunit.xml

@@ -34,6 +34,7 @@
     <server name="AUTH_AUTO_INITIATE" value="false"/>
     <server name="DISABLE_EXTERNAL_SERVICES" value="true"/>
     <server name="ALLOW_UNTRUSTED_SERVER_FETCHING" value="false"/>
+    <server name="CONTENT_FILTERING" value="jhfa"/>
     <server name="ALLOW_CONTENT_SCRIPTS" value="false"/>
     <server name="AVATAR_URL" value=""/>
     <server name="LDAP_START_TLS" value="false"/>

readme.md

@@ -48,17 +48,13 @@ Big thanks to these companies for supporting the project.
 #### Gold Sponsor
 
 <table><tbody><tr>
-<td align="center"><a href="https://www.federated.computer/bookstack" target="_blank">
-    <img width="480" src="https://www.bookstackapp.com/images/sponsors/federated-computer.png" alt="Federated.computer">
-</a></td>
-</tr><tr>
 <td align="center"><a href="https://www.diagrams.net/" target="_blank">
     <img width="480" src="https://www.bookstackapp.com/images/sponsors/diagramsnet.png" alt="Diagrams.net">
 </a></td>
 </tr>
 <tr>
 <td align="center"><a href="https://www.onyx.app/?utm_source=bookstack" target="_blank">
-    <img width="420" src="https://www.bookstackapp.com/images/sponsors/onyx.png" alt="onyx.app">
+    <img width="400" src="https://www.bookstackapp.com/images/sponsors/onyx.png" alt="onyx.app">
 </a></td>
 </tr>
 </tbody></table>
@@ -81,26 +77,23 @@ Big thanks to these companies for supporting the project.
 </a></td>
 </tr>
 <tr>
-<td align="center" style="text-align: center"><a href="https://www.schroeck-consulting.de/" target="_blank">
-    <img width="200" src="https://www.bookstackapp.com/images/sponsors/schroeck-consulting.png" alt="Schroeck IT Consulting">
-</a></td>
 <td align="center"><a href="https://practinet.be/" target="_blank">
     <img width="240" src="https://www.bookstackapp.com/images/sponsors/practinet.png" alt="Practinet">
 </a></td>
-</tr>
-<tr>
 <td align="center"><a href="https://route4me.com/" target="_blank">
     <img width="240" src="https://www.bookstackapp.com/images/sponsors/route4me.png" alt="Route4Me - Route Optimizer and Route Planner Software">
 </a></td>
+</tr>
+<tr>
 <td align="center"><a href="https://phamos.eu" target="_blank">
     <img width="132" src="https://www.bookstackapp.com/images/sponsors/phamos.png" alt="phamos">
 </a></td>
-</tr>
-<tr>
 <td align="center"><a href="https://sitespeak.ai/bookstack" target="_blank">
     <img width="240" src="https://www.bookstackapp.com/images/sponsors/sitespeak.png" alt="SiteSpeakAI">
 </a></td>
-<td align="center"><a href="https://www.admin-intelligence.de/bookstack/" target="_blank">
+</tr>
+<tr>
+<td align="center" colspan="2"><a href="https://www.admin-intelligence.de/bookstack/" target="_blank">
     <img width="210" src="https://www.bookstackapp.com/images/sponsors/admin-intelligence.png" alt="Admin Intelligence">
 </a></td>
 </tr>
@@ -155,7 +148,7 @@ The website which contains the project docs & blog can be found in the [BookStac
 The BookStack source is provided under the [MIT License](https://github.com/BookStackApp/BookStack/blob/development/LICENSE). 
 
 The libraries used by, and included with, BookStack are provided under their own licenses and copyright.
-The licenses for many of our core dependencies can be found in the attribution list below but this is not an exhaustive list of all projects used within BookStack. 
+The licenses for many of our core dependencies can be found in the attribution list below, but this is not an exhaustive list of all projects used within BookStack. 
 
 ## 👪 Attribution
 
@@ -187,5 +180,6 @@ Note: This is not an exhaustive list of all libraries and projects that would be
 * [PHPStan](https://phpstan.org/) & [Larastan](https://github.com/nunomaduro/larastan) - _[MIT](https://github.com/phpstan/phpstan/blob/master/LICENSE) and [MIT](https://github.com/nunomaduro/larastan/blob/master/LICENSE.md)_
 * [PHP_CodeSniffer](https://github.com/squizlabs/PHP_CodeSniffer) - _[BSD 3-Clause](https://github.com/squizlabs/PHP_CodeSniffer/blob/master/licence.txt)_
 * [JakeArchibald/IDB-Keyval](https://github.com/jakearchibald/idb-keyval) - _[Apache-2.0](https://github.com/jakearchibald/idb-keyval/blob/main/LICENCE)_
+* [HTML Purifier](https://github.com/ezyang/htmlpurifier) and [htmlpurifier-html5](https://github.com/xemlock/htmlpurifier-html5) - _[LGPL-2.1](https://github.com/ezyang/htmlpurifier/blob/master/LICENSE) and [MIT](https://github.com/xemlock/htmlpurifier-html5/blob/master/LICENSE)_
 
-For a detailed breakdown of the JavaScript & PHP projects imported & used via NPM & composer package managers, along with their licenses, please see the [dev/licensing/js-library-licenses.txt](dev/licensing/js-library-licenses.txt) and [dev/licensing/php-library-licenses.txt](dev/licensing/php-library-licenses.txt) files. 
+For a detailed breakdown of the JavaScript & PHP projects imported and used via NPM & composer package managers, along with their licenses, please see the [dev/licensing/js-library-licenses.txt](dev/licensing/js-library-licenses.txt) and [dev/licensing/php-library-licenses.txt](dev/licensing/php-library-licenses.txt) files. 

resources/js/wysiwyg-tinymce/plugin-drawio.js

@@ -57,7 +57,7 @@ async function updateContent(pngData) {
             });
         } catch (err) {
             handleUploadError(err);
-            throw new Error(`Failed to save image with error: ${err}`);
+            throw new Error(`Failed to save image with error: ${err}`, {cause: err});
         }
         return;
     }
@@ -78,7 +78,7 @@ async function updateContent(pngData) {
     } catch (err) {
         pageEditor.dom.remove(wrapId);
         handleUploadError(err);
-        throw new Error(`Failed to save image with error: ${err}`);
+        throw new Error(`Failed to save image with error: ${err}`, {cause: err});
     }
 }
 

resources/sass/_editor.scss

@@ -451,6 +451,9 @@ body.editor-is-fullscreen {
   outline: 1px dashed var(--editor-color-primary);
   outline-offset: 1px;
 }
+.editor-content-area  [drawio-diagram] {
+  cursor: pointer;
+}
 
 .editor-table-marker {
   position: fixed;

resources/sass/_forms.scss

@@ -142,6 +142,9 @@
     padding-inline-end: 12px;
     max-width: 864px;
   }
+  [drawio-diagram] {
+    cursor: pointer;
+  }
   [drawio-diagram]:hover {
     outline: 2px solid var(--color-primary);
   }

resources/sass/_mixins.scss

@@ -35,9 +35,17 @@
 
 // Define a property for both light and dark mode
 @mixin lightDark($prop, $light, $dark, $important: false) {
-  #{$prop}: if($important, $light !important, $light);
+  @if($important) {
+    #{$prop}: $light !important;
+  } @else {
+    #{$prop}: $light;
+  }
   html.dark-mode & {
-    #{$prop}: if($important, $dark !important, $dark);
+    @if($important) {
+      #{$prop}: $dark !important;
+    } @else {
+      #{$prop}: $dark;
+    }
   }
 }
 

resources/sass/_tinymce.scss

@@ -202,4 +202,11 @@ body.page-content.mce-content-body  {
   background-image: url('data:image/svg+xml;utf8,<svg fill="%23FFFFFF" version="1.1" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"><path d="m8.4856 20.274-6.736-6.736 2.9287-2.7823 3.8073 3.8073 10.836-10.836 2.9287 2.9287z" stroke-width="1.4644"/></svg>');
   background-position: 50% 50%;
   background-size: 100% 100%;
-}
+}
+
+/**
+ * Ensure cursor indicates that drawings are clickable
+ */
+.page-content.mce-content-body [drawio-diagram] {
+  cursor: pointer;
+}

resources/views/books/index.blade.php

@@ -5,58 +5,11 @@
 @stop
 
 @section('left')
-    @if($recents)
-        <div id="recents" class="mb-xl">
-            <h5>{{ trans('entities.recently_viewed') }}</h5>
-            @include('entities.list', ['entities' => $recents, 'style' => 'compact'])
-        </div>
-    @endif
-
-    <div id="popular" class="mb-xl">
-        <h5>{{ trans('entities.books_popular') }}</h5>
-        @if(count($popular) > 0)
-            @include('entities.list', ['entities' => $popular, 'style' => 'compact'])
-        @else
-            <p class="text-muted pb-l mb-none">{{ trans('entities.books_popular_empty') }}</p>
-        @endif
-    </div>
-
-    <div id="new" class="mb-xl">
-        <h5>{{ trans('entities.books_new') }}</h5>
-        @if(count($new) > 0)
-            @include('entities.list', ['entities' => $new, 'style' => 'compact'])
-        @else
-            <p class="text-muted pb-l mb-none">{{ trans('entities.books_new_empty') }}</p>
-        @endif
-    </div>
+    @include('books.parts.index-sidebar-section-recents', ['recents' => $recents])
+    @include('books.parts.index-sidebar-section-popular', ['popular' => $popular])
+    @include('books.parts.index-sidebar-section-new', ['new' => $new])
 @stop
 
 @section('right')
-
-    <div class="actions mb-xl">
-        <h5>{{ trans('common.actions') }}</h5>
-        <div class="icon-list text-link">
-            @if(userCan(\BookStack\Permissions\Permission::BookCreateAll))
-                <a href="{{ url("/create-book") }}" data-shortcut="new" class="icon-list-item">
-                    <span>@icon('add')</span>
-                    <span>{{ trans('entities.books_create') }}</span>
-                </a>
-            @endif
-
-            @include('entities.view-toggle', ['view' => $view, 'type' => 'books'])
-
-            <a href="{{ url('/tags') }}" class="icon-list-item">
-                <span>@icon('tag')</span>
-                <span>{{ trans('entities.tags_view_tags') }}</span>
-            </a>
-
-            @if(userCan(\BookStack\Permissions\Permission::ContentImport))
-                <a href="{{ url('/import') }}" class="icon-list-item">
-                    <span>@icon('upload')</span>
-                    <span>{{ trans('entities.import') }}</span>
-                </a>
-            @endif
-        </div>
-    </div>
-
+    @include('books.parts.index-sidebar-section-actions', ['view' => $view])
 @stop

resources/views/books/parts/index-sidebar-section-actions.blade.php

@@ -0,0 +1,25 @@
+<div id="actions" class="actions mb-xl">
+    <h5>{{ trans('common.actions') }}</h5>
+    <div class="icon-list text-link">
+        @if(userCan(\BookStack\Permissions\Permission::BookCreateAll))
+            <a href="{{ url("/create-book") }}" data-shortcut="new" class="icon-list-item">
+                <span>@icon('add')</span>
+                <span>{{ trans('entities.books_create') }}</span>
+            </a>
+        @endif
+
+        @include('entities.view-toggle', ['view' => $view, 'type' => 'books'])
+
+        <a href="{{ url('/tags') }}" class="icon-list-item">
+            <span>@icon('tag')</span>
+            <span>{{ trans('entities.tags_view_tags') }}</span>
+        </a>
+
+        @if(userCan(\BookStack\Permissions\Permission::ContentImport))
+            <a href="{{ url('/import') }}" class="icon-list-item">
+                <span>@icon('upload')</span>
+                <span>{{ trans('entities.import') }}</span>
+            </a>
+        @endif
+    </div>
+</div>

resources/views/books/parts/index-sidebar-section-new.blade.php

@@ -0,0 +1,8 @@
+<div id="new" class="mb-xl">
+    <h5>{{ trans('entities.books_new') }}</h5>
+    @if(count($new) > 0)
+        @include('entities.list', ['entities' => $new, 'style' => 'compact'])
+    @else
+        <p class="text-muted pb-l mb-none">{{ trans('entities.books_new_empty') }}</p>
+    @endif
+</div>

resources/views/books/parts/index-sidebar-section-popular.blade.php

@@ -0,0 +1,8 @@
+<div id="popular" class="mb-xl">
+    <h5>{{ trans('entities.books_popular') }}</h5>
+    @if(count($popular) > 0)
+        @include('entities.list', ['entities' => $popular, 'style' => 'compact'])
+    @else
+        <p class="text-muted pb-l mb-none">{{ trans('entities.books_popular_empty') }}</p>
+    @endif
+</div>

resources/views/books/parts/index-sidebar-section-recents.blade.php

@@ -0,0 +1,6 @@
+@if($recents)
+    <div id="recents" class="mb-xl">
+        <h5>{{ trans('entities.recently_viewed') }}</h5>
+        @include('entities.list', ['entities' => $recents, 'style' => 'compact'])
+    </div>
+@endif

resources/views/books/parts/show-sidebar-section-actions.blade.php

@@ -0,0 +1,61 @@
+<div class="actions mb-xl">
+    <h5>{{ trans('common.actions') }}</h5>
+    <div class="icon-list text-link">
+
+        @if(userCan(\BookStack\Permissions\Permission::PageCreate, $book))
+            <a href="{{ $book->getUrl('/create-page') }}" data-shortcut="new" class="icon-list-item">
+                <span>@icon('add')</span>
+                <span>{{ trans('entities.pages_new') }}</span>
+            </a>
+        @endif
+        @if(userCan(\BookStack\Permissions\Permission::ChapterCreate, $book))
+            <a href="{{ $book->getUrl('/create-chapter') }}" data-shortcut="new" class="icon-list-item">
+                <span>@icon('add')</span>
+                <span>{{ trans('entities.chapters_new') }}</span>
+            </a>
+        @endif
+
+        <hr class="primary-background">
+
+        @if(userCan(\BookStack\Permissions\Permission::BookUpdate, $book))
+            <a href="{{ $book->getUrl('/edit') }}" data-shortcut="edit" class="icon-list-item">
+                <span>@icon('edit')</span>
+                <span>{{ trans('common.edit') }}</span>
+            </a>
+            <a href="{{ $book->getUrl('/sort') }}" data-shortcut="sort" class="icon-list-item">
+                <span>@icon('sort')</span>
+                <span>{{ trans('common.sort') }}</span>
+            </a>
+        @endif
+        @if(userCan(\BookStack\Permissions\Permission::BookCreateAll))
+            <a href="{{ $book->getUrl('/copy') }}" data-shortcut="copy" class="icon-list-item">
+                <span>@icon('copy')</span>
+                <span>{{ trans('common.copy') }}</span>
+            </a>
+        @endif
+        @if(userCan(\BookStack\Permissions\Permission::RestrictionsManage, $book))
+            <a href="{{ $book->getUrl('/permissions') }}" data-shortcut="permissions" class="icon-list-item">
+                <span>@icon('lock')</span>
+                <span>{{ trans('entities.permissions') }}</span>
+            </a>
+        @endif
+        @if(userCan(\BookStack\Permissions\Permission::BookDelete, $book))
+            <a href="{{ $book->getUrl('/delete') }}" data-shortcut="delete" class="icon-list-item">
+                <span>@icon('delete')</span>
+                <span>{{ trans('common.delete') }}</span>
+            </a>
+        @endif
+
+        <hr class="primary-background">
+
+        @if($watchOptions->canWatch() && !$watchOptions->isWatching())
+            @include('entities.watch-action', ['entity' => $book])
+        @endif
+        @if(!user()->isGuest())
+            @include('entities.favourite-action', ['entity' => $book])
+        @endif
+        @if(userCan(\BookStack\Permissions\Permission::ContentExport))
+            @include('entities.export-menu', ['entity' => $book])
+        @endif
+    </div>
+</div>

resources/views/books/parts/show-sidebar-section-activity.blade.php

@@ -0,0 +1,6 @@
+@if(count($activity) > 0)
+    <div id="recent-activity" class="mb-xl">
+        <h5>{{ trans('entities.recent_activity') }}</h5>
+        @include('common.activity-list', ['activity' => $activity])
+    </div>
+@endif

resources/views/books/parts/show-sidebar-section-details.blade.php

@@ -0,0 +1,21 @@
+<div class="mb-xl">
+    <h5>{{ trans('common.details') }}</h5>
+    <div class="blended-links">
+        @include('entities.meta', ['entity' => $book, 'watchOptions' => $watchOptions])
+        @if($book->hasPermissions())
+            <div class="active-restriction">
+                @if(userCan(\BookStack\Permissions\Permission::RestrictionsManage, $book))
+                    <a href="{{ $book->getUrl('/permissions') }}" class="entity-meta-item">
+                        @icon('lock')
+                        <div>{{ trans('entities.books_permissions_active') }}</div>
+                    </a>
+                @else
+                    <div class="entity-meta-item">
+                        @icon('lock')
+                        <div>{{ trans('entities.books_permissions_active') }}</div>
+                    </div>
+                @endif
+            </div>
+        @endif
+    </div>
+</div>

resources/views/books/parts/show-sidebar-section-shelves.blade.php

@@ -0,0 +1,6 @@
+@if(count($bookParentShelves) > 0)
+    <div class="actions mb-xl">
+        <h5>{{ trans('entities.shelves') }}</h5>
+        @include('entities.list', ['entities' => $bookParentShelves, 'style' => 'compact'])
+    </div>
+@endif

resources/views/books/parts/show-sidebar-section-tags.blade.php

@@ -0,0 +1,5 @@
+@if($book->tags->count() > 0)
+    <div class="mb-xl">
+        @include('entities.tag-list', ['entity' => $book])
+    </div>
+@endif

resources/views/books/show.blade.php

@@ -67,114 +67,14 @@
 @stop
 
 @section('right')
-    <div class="mb-xl">
-        <h5>{{ trans('common.details') }}</h5>
-        <div class="blended-links">
-            @include('entities.meta', ['entity' => $book, 'watchOptions' => $watchOptions])
-            @if($book->hasPermissions())
-                <div class="active-restriction">
-                    @if(userCan(\BookStack\Permissions\Permission::RestrictionsManage, $book))
-                        <a href="{{ $book->getUrl('/permissions') }}" class="entity-meta-item">
-                            @icon('lock')
-                            <div>{{ trans('entities.books_permissions_active') }}</div>
-                        </a>
-                    @else
-                        <div class="entity-meta-item">
-                            @icon('lock')
-                            <div>{{ trans('entities.books_permissions_active') }}</div>
-                        </div>
-                    @endif
-                </div>
-            @endif
-        </div>
-    </div>
-
-    <div class="actions mb-xl">
-        <h5>{{ trans('common.actions') }}</h5>
-        <div class="icon-list text-link">
-
-            @if(userCan(\BookStack\Permissions\Permission::PageCreate, $book))
-                <a href="{{ $book->getUrl('/create-page') }}" data-shortcut="new" class="icon-list-item">
-                    <span>@icon('add')</span>
-                    <span>{{ trans('entities.pages_new') }}</span>
-                </a>
-            @endif
-            @if(userCan(\BookStack\Permissions\Permission::ChapterCreate, $book))
-                <a href="{{ $book->getUrl('/create-chapter') }}" data-shortcut="new" class="icon-list-item">
-                    <span>@icon('add')</span>
-                    <span>{{ trans('entities.chapters_new') }}</span>
-                </a>
-            @endif
-
-            <hr class="primary-background">
-
-            @if(userCan(\BookStack\Permissions\Permission::BookUpdate, $book))
-                <a href="{{ $book->getUrl('/edit') }}" data-shortcut="edit" class="icon-list-item">
-                    <span>@icon('edit')</span>
-                    <span>{{ trans('common.edit') }}</span>
-                </a>
-                <a href="{{ $book->getUrl('/sort') }}" data-shortcut="sort" class="icon-list-item">
-                    <span>@icon('sort')</span>
-                    <span>{{ trans('common.sort') }}</span>
-                </a>
-            @endif
-            @if(userCan(\BookStack\Permissions\Permission::BookCreateAll))
-                <a href="{{ $book->getUrl('/copy') }}" data-shortcut="copy" class="icon-list-item">
-                    <span>@icon('copy')</span>
-                    <span>{{ trans('common.copy') }}</span>
-                </a>
-            @endif
-            @if(userCan(\BookStack\Permissions\Permission::RestrictionsManage, $book))
-                <a href="{{ $book->getUrl('/permissions') }}" data-shortcut="permissions" class="icon-list-item">
-                    <span>@icon('lock')</span>
-                    <span>{{ trans('entities.permissions') }}</span>
-                </a>
-            @endif
-            @if(userCan(\BookStack\Permissions\Permission::BookDelete, $book))
-                <a href="{{ $book->getUrl('/delete') }}" data-shortcut="delete" class="icon-list-item">
-                    <span>@icon('delete')</span>
-                    <span>{{ trans('common.delete') }}</span>
-                </a>
-            @endif
-
-            <hr class="primary-background">
-
-            @if($watchOptions->canWatch() && !$watchOptions->isWatching())
-                @include('entities.watch-action', ['entity' => $book])
-            @endif
-            @if(!user()->isGuest())
-                @include('entities.favourite-action', ['entity' => $book])
-            @endif
-            @if(userCan(\BookStack\Permissions\Permission::ContentExport))
-                @include('entities.export-menu', ['entity' => $book])
-            @endif
-        </div>
-    </div>
-
+    @include('books.parts.show-sidebar-section-details', ['book' => $book, 'watchOptions' => $watchOptions])
+    @include('books.parts.show-sidebar-section-actions', ['book' => $book, 'watchOptions' => $watchOptions])
 @stop
 
 @section('left')
-
     @include('entities.search-form', ['label' => trans('entities.books_search_this')])
-
-    @if($book->tags->count() > 0)
-        <div class="mb-xl">
-            @include('entities.tag-list', ['entity' => $book])
-        </div>
-    @endif
-
-    @if(count($bookParentShelves) > 0)
-        <div class="actions mb-xl">
-            <h5>{{ trans('entities.shelves') }}</h5>
-            @include('entities.list', ['entities' => $bookParentShelves, 'style' => 'compact'])
-        </div>
-    @endif
-
-    @if(count($activity) > 0)
-        <div id="recent-activity" class="mb-xl">
-            <h5>{{ trans('entities.recent_activity') }}</h5>
-            @include('common.activity-list', ['activity' => $activity])
-        </div>
-    @endif
+    @include('books.parts.show-sidebar-section-tags', ['book' => $book])
+    @include('books.parts.show-sidebar-section-shelves', ['bookParentShelves' => $bookParentShelves])
+    @include('books.parts.show-sidebar-section-activity', ['activity' => $activity])
 @stop
 

resources/views/chapters/parts/show-sidebar-section-actions.blade.php

@@ -0,0 +1,65 @@
+<div class="actions mb-xl">
+    <h5>{{ trans('common.actions') }}</h5>
+    <div class="icon-list text-link">
+
+        @if(userCan(\BookStack\Permissions\Permission::PageCreate, $chapter))
+            <a href="{{ $chapter->getUrl('/create-page') }}" data-shortcut="new" class="icon-list-item">
+                <span>@icon('add')</span>
+                <span>{{ trans('entities.pages_new') }}</span>
+            </a>
+        @endif
+
+        <hr class="primary-background"/>
+
+        @if(userCan(\BookStack\Permissions\Permission::ChapterUpdate, $chapter))
+            <a href="{{ $chapter->getUrl('/edit') }}" data-shortcut="edit" class="icon-list-item">
+                <span>@icon('edit')</span>
+                <span>{{ trans('common.edit') }}</span>
+            </a>
+        @endif
+        @if(userCanOnAny(\BookStack\Permissions\Permission::Create, \BookStack\Entities\Models\Book::class) || userCan(\BookStack\Permissions\Permission::ChapterCreateAll) || userCan(\BookStack\Permissions\Permission::ChapterCreateOwn))
+            <a href="{{ $chapter->getUrl('/copy') }}" data-shortcut="copy" class="icon-list-item">
+                <span>@icon('copy')</span>
+                <span>{{ trans('common.copy') }}</span>
+            </a>
+        @endif
+        @if(userCan(\BookStack\Permissions\Permission::ChapterUpdate, $chapter) && userCan(\BookStack\Permissions\Permission::ChapterDelete, $chapter))
+            <a href="{{ $chapter->getUrl('/move') }}" data-shortcut="move" class="icon-list-item">
+                <span>@icon('folder')</span>
+                <span>{{ trans('common.move') }}</span>
+            </a>
+        @endif
+        @if(userCan(\BookStack\Permissions\Permission::RestrictionsManage, $chapter))
+            <a href="{{ $chapter->getUrl('/permissions') }}" data-shortcut="permissions" class="icon-list-item">
+                <span>@icon('lock')</span>
+                <span>{{ trans('entities.permissions') }}</span>
+            </a>
+        @endif
+        @if(userCan(\BookStack\Permissions\Permission::ChapterDelete, $chapter))
+            <a href="{{ $chapter->getUrl('/delete') }}" data-shortcut="delete" class="icon-list-item">
+                <span>@icon('delete')</span>
+                <span>{{ trans('common.delete') }}</span>
+            </a>
+        @endif
+
+        @if($chapter->book && userCan(\BookStack\Permissions\Permission::BookUpdate, $chapter->book))
+            <hr class="primary-background"/>
+            <a href="{{ $chapter->book->getUrl('/sort') }}" data-shortcut="sort" class="icon-list-item">
+                <span>@icon('sort')</span>
+                <span>{{ trans('entities.chapter_sort_book') }}</span>
+            </a>
+        @endif
+
+        <hr class="primary-background"/>
+
+        @if($watchOptions->canWatch() && !$watchOptions->isWatching())
+            @include('entities.watch-action', ['entity' => $chapter])
+        @endif
+        @if(!user()->isGuest())
+            @include('entities.favourite-action', ['entity' => $chapter])
+        @endif
+        @if(userCan(\BookStack\Permissions\Permission::ContentExport))
+            @include('entities.export-menu', ['entity' => $chapter])
+        @endif
+    </div>
+</div>

resources/views/chapters/parts/show-sidebar-section-details.blade.php

@@ -0,0 +1,38 @@
+<div class="mb-xl">
+    <h5>{{ trans('common.details') }}</h5>
+    <div class="blended-links">
+        @include('entities.meta', ['entity' => $chapter, 'watchOptions' => $watchOptions])
+
+        @if($book->hasPermissions())
+            <div class="active-restriction">
+                @if(userCan(\BookStack\Permissions\Permission::RestrictionsManage, $book))
+                    <a href="{{ $book->getUrl('/permissions') }}" class="entity-meta-item">
+                        @icon('lock')
+                        <div>{{ trans('entities.books_permissions_active') }}</div>
+                    </a>
+                @else
+                    <div class="entity-meta-item">
+                        @icon('lock')
+                        <div>{{ trans('entities.books_permissions_active') }}</div>
+                    </div>
+                @endif
+            </div>
+        @endif
+
+        @if($chapter->hasPermissions())
+            <div class="active-restriction">
+                @if(userCan(\BookStack\Permissions\Permission::RestrictionsManage, $chapter))
+                    <a href="{{ $chapter->getUrl('/permissions') }}" class="entity-meta-item">
+                        @icon('lock')
+                        <div>{{ trans('entities.chapters_permissions_active') }}</div>
+                    </a>
+                @else
+                    <div class="entity-meta-item">
+                        @icon('lock')
+                        <div>{{ trans('entities.chapters_permissions_active') }}</div>
+                    </div>
+                @endif
+            </div>
+        @endif
+    </div>
+</div>

resources/views/chapters/parts/show-sidebar-section-tags.blade.php

@@ -0,0 +1,5 @@
+@if($chapter->tags->count() > 0)
+    <div class="mb-xl">
+        @include('entities.tag-list', ['entity' => $chapter])
+    </div>
+@endif

resources/views/chapters/show.blade.php

@@ -63,123 +63,13 @@
 @stop
 
 @section('right')
-
-    <div class="mb-xl">
-        <h5>{{ trans('common.details') }}</h5>
-        <div class="blended-links">
-            @include('entities.meta', ['entity' => $chapter, 'watchOptions' => $watchOptions])
-
-            @if($book->hasPermissions())
-                <div class="active-restriction">
-                    @if(userCan(\BookStack\Permissions\Permission::RestrictionsManage, $book))
-                        <a href="{{ $book->getUrl('/permissions') }}" class="entity-meta-item">
-                            @icon('lock')
-                            <div>{{ trans('entities.books_permissions_active') }}</div>
-                        </a>
-                    @else
-                        <div class="entity-meta-item">
-                            @icon('lock')
-                            <div>{{ trans('entities.books_permissions_active') }}</div>
-                        </div>
-                    @endif
-                </div>
-            @endif
-
-            @if($chapter->hasPermissions())
-                <div class="active-restriction">
-                    @if(userCan(\BookStack\Permissions\Permission::RestrictionsManage, $chapter))
-                        <a href="{{ $chapter->getUrl('/permissions') }}" class="entity-meta-item">
-                            @icon('lock')
-                            <div>{{ trans('entities.chapters_permissions_active') }}</div>
-                        </a>
-                    @else
-                        <div class="entity-meta-item">
-                            @icon('lock')
-                            <div>{{ trans('entities.chapters_permissions_active') }}</div>
-                        </div>
-                    @endif
-                </div>
-            @endif
-        </div>
-    </div>
-
-    <div class="actions mb-xl">
-        <h5>{{ trans('common.actions') }}</h5>
-        <div class="icon-list text-link">
-
-            @if(userCan(\BookStack\Permissions\Permission::PageCreate, $chapter))
-                <a href="{{ $chapter->getUrl('/create-page') }}" data-shortcut="new" class="icon-list-item">
-                    <span>@icon('add')</span>
-                    <span>{{ trans('entities.pages_new') }}</span>
-                </a>
-            @endif
-
-            <hr class="primary-background"/>
-
-            @if(userCan(\BookStack\Permissions\Permission::ChapterUpdate, $chapter))
-                <a href="{{ $chapter->getUrl('/edit') }}" data-shortcut="edit" class="icon-list-item">
-                    <span>@icon('edit')</span>
-                    <span>{{ trans('common.edit') }}</span>
-                </a>
-            @endif
-            @if(userCanOnAny(\BookStack\Permissions\Permission::Create, \BookStack\Entities\Models\Book::class) || userCan(\BookStack\Permissions\Permission::ChapterCreateAll) || userCan(\BookStack\Permissions\Permission::ChapterCreateOwn))
-                <a href="{{ $chapter->getUrl('/copy') }}" data-shortcut="copy" class="icon-list-item">
-                    <span>@icon('copy')</span>
-                    <span>{{ trans('common.copy') }}</span>
-                </a>
-            @endif
-            @if(userCan(\BookStack\Permissions\Permission::ChapterUpdate, $chapter) && userCan(\BookStack\Permissions\Permission::ChapterDelete, $chapter))
-                <a href="{{ $chapter->getUrl('/move') }}" data-shortcut="move" class="icon-list-item">
-                    <span>@icon('folder')</span>
-                    <span>{{ trans('common.move') }}</span>
-                </a>
-            @endif
-            @if(userCan(\BookStack\Permissions\Permission::RestrictionsManage, $chapter))
-                <a href="{{ $chapter->getUrl('/permissions') }}" data-shortcut="permissions" class="icon-list-item">
-                    <span>@icon('lock')</span>
-                    <span>{{ trans('entities.permissions') }}</span>
-                </a>
-            @endif
-            @if(userCan(\BookStack\Permissions\Permission::ChapterDelete, $chapter))
-                <a href="{{ $chapter->getUrl('/delete') }}" data-shortcut="delete" class="icon-list-item">
-                    <span>@icon('delete')</span>
-                    <span>{{ trans('common.delete') }}</span>
-                </a>
-            @endif
-
-            @if($chapter->book && userCan(\BookStack\Permissions\Permission::BookUpdate, $chapter->book))
-                <hr class="primary-background"/>
-                <a href="{{ $chapter->book->getUrl('/sort') }}" data-shortcut="sort" class="icon-list-item">
-                    <span>@icon('sort')</span>
-                    <span>{{ trans('entities.chapter_sort_book') }}</span>
-                </a>
-            @endif
-
-            <hr class="primary-background"/>
-
-            @if($watchOptions->canWatch() && !$watchOptions->isWatching())
-                @include('entities.watch-action', ['entity' => $chapter])
-            @endif
-            @if(!user()->isGuest())
-                @include('entities.favourite-action', ['entity' => $chapter])
-            @endif
-            @if(userCan(\BookStack\Permissions\Permission::ContentExport))
-                @include('entities.export-menu', ['entity' => $chapter])
-            @endif
-        </div>
-    </div>
+    @include('chapters.parts.show-sidebar-section-details', ['chapter' => $chapter, 'book' => $book, 'watchOptions' => $watchOptions])
+    @include('chapters.parts.show-sidebar-section-actions', ['chapter' => $chapter, 'watchOptions' => $watchOptions])
 @stop
 
 @section('left')
-
     @include('entities.search-form', ['label' => trans('entities.chapters_search_this')])
-
-    @if($chapter->tags->count() > 0)
-        <div class="mb-xl">
-            @include('entities.tag-list', ['entity' => $chapter])
-        </div>
-    @endif
-
+    @include('chapters.parts.show-sidebar-section-tags', ['chapter' => $chapter])
     @include('entities.book-tree', ['book' => $book, 'sidebarTree' => $sidebarTree])
 @stop
 

resources/views/form/description-html-input.blade.php

@@ -1,7 +1,7 @@
 <textarea component="wysiwyg-input"
           option:wysiwyg-input:text-direction="{{ $locale->htmlDirection() }}"
           id="description_html" name="description_html" rows="5"
-          @if($errors->has('description_html')) class="text-neg" @endif>@if(isset($model) || old('description_html')){{ old('description_html') ?? $model->descriptionInfo()->getHtml() }}@endif</textarea>
+          @if($errors->has('description_html')) class="text-neg" @endif>@if(isset($model) || old('description_html')){{ old('description_html') ?? $model->descriptionInfo()->getHtml() }}@else{{ '<p></p>' }}@endif</textarea>
 @if($errors->has('description_html'))
     <div class="text-neg text-small">{{ $errors->first('description_html') }}</div>
 @endif

resources/views/layouts/parts/custom-head.blade.php

@@ -1,6 +1,6 @@
 @inject('headContent', 'BookStack\Theming\CustomHtmlHeadContentProvider')
 
-@if(setting('app-custom-head') && !request()->routeIs('settings.category'))
+@if(!request()->routeIs('settings.category'))
 <!-- Start: custom user content -->
 {!! $headContent->forWeb() !!}
 <!-- End: custom user content -->

resources/views/pages/parts/show-sidebar-section-actions.blade.php

@@ -0,0 +1,57 @@
+<div id="actions" class="actions mb-xl">
+    <h5>{{ trans('common.actions') }}</h5>
+
+    <div class="icon-list text-link">
+
+        {{--User Actions--}}
+        @if(userCan(\BookStack\Permissions\Permission::PageUpdate, $page))
+            <a href="{{ $page->getUrl('/edit') }}" data-shortcut="edit" class="icon-list-item">
+                <span>@icon('edit')</span>
+                <span>{{ trans('common.edit') }}</span>
+            </a>
+        @endif
+        @if(userCan(\BookStack\Permissions\Permission::PageCreateAll) || userCan(\BookStack\Permissions\Permission::PageCreateOwn) || userCanOnAny(\BookStack\Permissions\Permission::Create, \BookStack\Entities\Models\Book::class) || userCanOnAny(\BookStack\Permissions\Permission::Create, \BookStack\Entities\Models\Chapter::class))
+            <a href="{{ $page->getUrl('/copy') }}" data-shortcut="copy" class="icon-list-item">
+                <span>@icon('copy')</span>
+                <span>{{ trans('common.copy') }}</span>
+            </a>
+        @endif
+        @if(userCan(\BookStack\Permissions\Permission::PageUpdate, $page))
+            @if(userCan(\BookStack\Permissions\Permission::PageDelete, $page))
+                <a href="{{ $page->getUrl('/move') }}" data-shortcut="move" class="icon-list-item">
+                    <span>@icon('folder')</span>
+                    <span>{{ trans('common.move') }}</span>
+                </a>
+            @endif
+        @endif
+        <a href="{{ $page->getUrl('/revisions') }}" data-shortcut="revisions" class="icon-list-item">
+            <span>@icon('history')</span>
+            <span>{{ trans('entities.revisions') }}</span>
+        </a>
+        @if(userCan(\BookStack\Permissions\Permission::RestrictionsManage, $page))
+            <a href="{{ $page->getUrl('/permissions') }}" data-shortcut="permissions" class="icon-list-item">
+                <span>@icon('lock')</span>
+                <span>{{ trans('entities.permissions') }}</span>
+            </a>
+        @endif
+        @if(userCan(\BookStack\Permissions\Permission::PageDelete, $page))
+            <a href="{{ $page->getUrl('/delete') }}" data-shortcut="delete" class="icon-list-item">
+                <span>@icon('delete')</span>
+                <span>{{ trans('common.delete') }}</span>
+            </a>
+        @endif
+
+        <hr class="primary-background"/>
+
+        @if($watchOptions->canWatch() && !$watchOptions->isWatching())
+            @include('entities.watch-action', ['entity' => $page])
+        @endif
+        @if(!user()->isGuest())
+            @include('entities.favourite-action', ['entity' => $page])
+        @endif
+        @if(userCan(\BookStack\Permissions\Permission::ContentExport))
+            @include('entities.export-menu', ['entity' => $page])
+        @endif
+    </div>
+
+</div>

resources/views/pages/parts/show-sidebar-section-attachments.blade.php

@@ -0,0 +1,8 @@
+@if($page->attachments->count() > 0)
+    <div id="page-attachments" class="mb-l">
+        <h5>{{ trans('entities.pages_attachments') }}</h5>
+        <div class="body">
+            @include('attachments.list', ['attachments' => $page->attachments])
+        </div>
+    </div>
+@endif

resources/views/pages/parts/show-sidebar-section-details.blade.php

@@ -0,0 +1,61 @@
+<div id="page-details" class="entity-details mb-xl">
+    <h5>{{ trans('common.details') }}</h5>
+    <div class="blended-links">
+        @include('entities.meta', ['entity' => $page, 'watchOptions' => $watchOptions])
+
+        @if($book->hasPermissions())
+            <div class="active-restriction">
+                @if(userCan(\BookStack\Permissions\Permission::RestrictionsManage, $book))
+                    <a href="{{ $book->getUrl('/permissions') }}" class="entity-meta-item">
+                        @icon('lock')
+                        <div>{{ trans('entities.books_permissions_active') }}</div>
+                    </a>
+                @else
+                    <div class="entity-meta-item">
+                        @icon('lock')
+                        <div>{{ trans('entities.books_permissions_active') }}</div>
+                    </div>
+                @endif
+            </div>
+        @endif
+
+        @if($page->chapter && $page->chapter->hasPermissions())
+            <div class="active-restriction">
+                @if(userCan(\BookStack\Permissions\Permission::RestrictionsManage, $page->chapter))
+                    <a href="{{ $page->chapter->getUrl('/permissions') }}" class="entity-meta-item">
+                        @icon('lock')
+                        <div>{{ trans('entities.chapters_permissions_active') }}</div>
+                    </a>
+                @else
+                    <div class="entity-meta-item">
+                        @icon('lock')
+                        <div>{{ trans('entities.chapters_permissions_active') }}</div>
+                    </div>
+                @endif
+            </div>
+        @endif
+
+        @if($page->hasPermissions())
+            <div class="active-restriction">
+                @if(userCan(\BookStack\Permissions\Permission::RestrictionsManage, $page))
+                    <a href="{{ $page->getUrl('/permissions') }}" class="entity-meta-item">
+                        @icon('lock')
+                        <div>{{ trans('entities.pages_permissions_active') }}</div>
+                    </a>
+                @else
+                    <div class="entity-meta-item">
+                        @icon('lock')
+                        <div>{{ trans('entities.pages_permissions_active') }}</div>
+                    </div>
+                @endif
+            </div>
+        @endif
+
+        @if($page->template)
+            <div class="entity-meta-item">
+                @icon('template')
+                <div>{{ trans('entities.pages_is_template') }}</div>
+            </div>
+        @endif
+    </div>
+</div>

resources/views/pages/parts/show-sidebar-section-page-nav.blade.php

@@ -0,0 +1,15 @@
+@if(isset($pageNav) && count($pageNav))
+    <nav id="page-navigation" class="mb-xl" aria-label="{{ trans('entities.pages_navigation') }}">
+        <h5>{{ trans('entities.pages_navigation') }}</h5>
+        <div class="body">
+            <div class="sidebar-page-nav menu">
+                @foreach($pageNav as $navItem)
+                    <li class="page-nav-item h{{ $navItem['level'] }}">
+                        <a href="{{ $navItem['link'] }}" class="text-limit-lines-1 block">{{ $navItem['text'] }}</a>
+                        <div class="link-background sidebar-page-nav-bullet"></div>
+                    </li>
+                @endforeach
+            </div>
+        </div>
+    </nav>
+@endif

resources/views/pages/parts/show-sidebar-section-tags.blade.php

@@ -0,0 +1,5 @@
+@if($page->tags->count() > 0)
+    <section>
+        @include('entities.tag-list', ['entity' => $page])
+    </section>
+@endif

resources/views/pages/show.blade.php

@@ -22,7 +22,7 @@
              class="page-content clearfix">
             @include('pages.parts.page-display')
         </div>
-        @include('pages.parts.pointer', ['page' => $page])
+        @include('pages.parts.pointer', ['page' => $page, 'commentTree' => $commentTree])
     </main>
 
     @include('entities.sibling-navigation', ['next' => $next, 'previous' => $previous])
@@ -36,159 +36,13 @@
 @stop
 
 @section('left')
-
-    @if($page->tags->count() > 0)
-        <section>
-            @include('entities.tag-list', ['entity' => $page])
-        </section>
-    @endif
-
-    @if ($page->attachments->count() > 0)
-        <div id="page-attachments" class="mb-l">
-            <h5>{{ trans('entities.pages_attachments') }}</h5>
-            <div class="body">
-                @include('attachments.list', ['attachments' => $page->attachments])
-            </div>
-        </div>
-    @endif
-
-    @if (isset($pageNav) && count($pageNav))
-        <nav id="page-navigation" class="mb-xl" aria-label="{{ trans('entities.pages_navigation') }}">
-            <h5>{{ trans('entities.pages_navigation') }}</h5>
-            <div class="body">
-                <div class="sidebar-page-nav menu">
-                    @foreach($pageNav as $navItem)
-                        <li class="page-nav-item h{{ $navItem['level'] }}">
-                            <a href="{{ $navItem['link'] }}" class="text-limit-lines-1 block">{{ $navItem['text'] }}</a>
-                            <div class="link-background sidebar-page-nav-bullet"></div>
-                        </li>
-                    @endforeach
-                </div>
-            </div>
-        </nav>
-    @endif
-
+    @include('pages.parts.show-sidebar-section-tags', ['page' => $page])
+    @include('pages.parts.show-sidebar-section-attachments', ['page' => $page])
+    @include('pages.parts.show-sidebar-section-page-nav', ['pageNav' => $pageNav])
     @include('entities.book-tree', ['book' => $book, 'sidebarTree' => $sidebarTree])
 @stop
 
 @section('right')
-    <div id="page-details" class="entity-details mb-xl">
-        <h5>{{ trans('common.details') }}</h5>
-        <div class="blended-links">
-            @include('entities.meta', ['entity' => $page, 'watchOptions' => $watchOptions])
-
-            @if($book->hasPermissions())
-                <div class="active-restriction">
-                    @if(userCan(\BookStack\Permissions\Permission::RestrictionsManage, $book))
-                        <a href="{{ $book->getUrl('/permissions') }}" class="entity-meta-item">
-                            @icon('lock')
-                            <div>{{ trans('entities.books_permissions_active') }}</div>
-                        </a>
-                    @else
-                        <div class="entity-meta-item">
-                            @icon('lock')
-                            <div>{{ trans('entities.books_permissions_active') }}</div>
-                        </div>
-                    @endif
-                </div>
-            @endif
-
-            @if($page->chapter && $page->chapter->hasPermissions())
-                <div class="active-restriction">
-                    @if(userCan(\BookStack\Permissions\Permission::RestrictionsManage, $page->chapter))
-                        <a href="{{ $page->chapter->getUrl('/permissions') }}" class="entity-meta-item">
-                            @icon('lock')
-                            <div>{{ trans('entities.chapters_permissions_active') }}</div>
-                        </a>
-                    @else
-                        <div class="entity-meta-item">
-                            @icon('lock')
-                            <div>{{ trans('entities.chapters_permissions_active') }}</div>
-                        </div>
-                    @endif
-                </div>
-            @endif
-
-            @if($page->hasPermissions())
-                <div class="active-restriction">
-                    @if(userCan(\BookStack\Permissions\Permission::RestrictionsManage, $page))
-                        <a href="{{ $page->getUrl('/permissions') }}" class="entity-meta-item">
-                            @icon('lock')
-                            <div>{{ trans('entities.pages_permissions_active') }}</div>
-                        </a>
-                    @else
-                        <div class="entity-meta-item">
-                            @icon('lock')
-                            <div>{{ trans('entities.pages_permissions_active') }}</div>
-                        </div>
-                    @endif
-                </div>
-            @endif
-
-            @if($page->template)
-                <div class="entity-meta-item">
-                    @icon('template')
-                    <div>{{ trans('entities.pages_is_template') }}</div>
-                </div>
-            @endif
-        </div>
-    </div>
-
-    <div class="actions mb-xl">
-        <h5>{{ trans('common.actions') }}</h5>
-
-        <div class="icon-list text-link">
-
-            {{--User Actions--}}
-            @if(userCan(\BookStack\Permissions\Permission::PageUpdate, $page))
-                <a href="{{ $page->getUrl('/edit') }}" data-shortcut="edit" class="icon-list-item">
-                    <span>@icon('edit')</span>
-                    <span>{{ trans('common.edit') }}</span>
-                </a>
-            @endif
-            @if(userCan(\BookStack\Permissions\Permission::PageCreateAll) || userCan(\BookStack\Permissions\Permission::PageCreateOwn) || userCanOnAny(\BookStack\Permissions\Permission::Create, \BookStack\Entities\Models\Book::class) || userCanOnAny(\BookStack\Permissions\Permission::Create, \BookStack\Entities\Models\Chapter::class))
-                <a href="{{ $page->getUrl('/copy') }}" data-shortcut="copy" class="icon-list-item">
-                    <span>@icon('copy')</span>
-                    <span>{{ trans('common.copy') }}</span>
-                </a>
-            @endif
-            @if(userCan(\BookStack\Permissions\Permission::PageUpdate, $page))
-                @if(userCan(\BookStack\Permissions\Permission::PageDelete, $page))
-	                <a href="{{ $page->getUrl('/move') }}" data-shortcut="move" class="icon-list-item">
-	                    <span>@icon('folder')</span>
-	                    <span>{{ trans('common.move') }}</span>
-	                </a>
-                @endif
-            @endif
-            <a href="{{ $page->getUrl('/revisions') }}" data-shortcut="revisions" class="icon-list-item">
-                <span>@icon('history')</span>
-                <span>{{ trans('entities.revisions') }}</span>
-            </a>
-            @if(userCan(\BookStack\Permissions\Permission::RestrictionsManage, $page))
-                <a href="{{ $page->getUrl('/permissions') }}" data-shortcut="permissions" class="icon-list-item">
-                    <span>@icon('lock')</span>
-                    <span>{{ trans('entities.permissions') }}</span>
-                </a>
-            @endif
-            @if(userCan(\BookStack\Permissions\Permission::PageDelete, $page))
-                <a href="{{ $page->getUrl('/delete') }}" data-shortcut="delete" class="icon-list-item">
-                    <span>@icon('delete')</span>
-                    <span>{{ trans('common.delete') }}</span>
-                </a>
-            @endif
-
-            <hr class="primary-background"/>
-
-            @if($watchOptions->canWatch() && !$watchOptions->isWatching())
-                @include('entities.watch-action', ['entity' => $page])
-            @endif
-            @if(!user()->isGuest())
-                @include('entities.favourite-action', ['entity' => $page])
-            @endif
-            @if(userCan(\BookStack\Permissions\Permission::ContentExport))
-                @include('entities.export-menu', ['entity' => $page])
-            @endif
-        </div>
-
-    </div>
+    @include('pages.parts.show-sidebar-section-details', ['page' => $page, 'watchOptions' => $watchOptions, 'book' => $book])
+    @include('pages.parts.show-sidebar-section-actions', ['page' => $page, 'watchOptions' => $watchOptions])
 @stop

resources/views/shelves/index.blade.php

@@ -5,51 +5,11 @@
 @stop
 
 @section('right')
-
-    <div class="actions mb-xl">
-        <h5>{{ trans('common.actions') }}</h5>
-        <div class="icon-list text-link">
-            @if(userCan(\BookStack\Permissions\Permission::BookshelfCreateAll))
-                <a href="{{ url("/create-shelf") }}" data-shortcut="new" class="icon-list-item">
-                    <span>@icon('add')</span>
-                    <span>{{ trans('entities.shelves_new_action') }}</span>
-                </a>
-            @endif
-
-            @include('entities.view-toggle', ['view' => $view, 'type' => 'bookshelves'])
-
-            <a href="{{ url('/tags') }}" class="icon-list-item">
-                <span>@icon('tag')</span>
-                <span>{{ trans('entities.tags_view_tags') }}</span>
-            </a>
-        </div>
-    </div>
-
+    @include('shelves.parts.index-sidebar-section-actions', ['view' => $view])
 @stop
 
 @section('left')
-    @if($recents)
-        <div id="recents" class="mb-xl">
-            <h5>{{ trans('entities.recently_viewed') }}</h5>
-            @include('entities.list', ['entities' => $recents, 'style' => 'compact'])
-        </div>
-    @endif
-
-    <div id="popular" class="mb-xl">
-        <h5>{{ trans('entities.shelves_popular') }}</h5>
-        @if(count($popular) > 0)
-            @include('entities.list', ['entities' => $popular, 'style' => 'compact'])
-        @else
-            <p class="text-muted pb-l mb-none">{{ trans('entities.shelves_popular_empty') }}</p>
-        @endif
-    </div>
-
-    <div id="new" class="mb-xl">
-        <h5>{{ trans('entities.shelves_new') }}</h5>
-        @if(count($new) > 0)
-            @include('entities.list', ['entities' => $new, 'style' => 'compact'])
-        @else
-            <p class="text-muted pb-l mb-none">{{ trans('entities.shelves_new_empty') }}</p>
-        @endif
-    </div>
+    @include('shelves.parts.index-sidebar-section-recents', ['recents' => $recents])
+    @include('shelves.parts.index-sidebar-section-popular', ['popular' => $popular])
+    @include('shelves.parts.index-sidebar-section-new', ['new' => $new])
 @stop

resources/views/shelves/parts/index-sidebar-section-actions.blade.php

@@ -0,0 +1,18 @@
+<div id="actions" class="actions mb-xl">
+    <h5>{{ trans('common.actions') }}</h5>
+    <div class="icon-list text-link">
+        @if(userCan(\BookStack\Permissions\Permission::BookshelfCreateAll))
+            <a href="{{ url("/create-shelf") }}" data-shortcut="new" class="icon-list-item">
+                <span>@icon('add')</span>
+                <span>{{ trans('entities.shelves_new_action') }}</span>
+            </a>
+        @endif
+
+        @include('entities.view-toggle', ['view' => $view, 'type' => 'bookshelves'])
+
+        <a href="{{ url('/tags') }}" class="icon-list-item">
+            <span>@icon('tag')</span>
+            <span>{{ trans('entities.tags_view_tags') }}</span>
+        </a>
+    </div>
+</div>

resources/views/shelves/parts/index-sidebar-section-new.blade.php

@@ -0,0 +1,8 @@
+<div id="new" class="mb-xl">
+    <h5>{{ trans('entities.shelves_new') }}</h5>
+    @if(count($new) > 0)
+        @include('entities.list', ['entities' => $new, 'style' => 'compact'])
+    @else
+        <p class="text-muted pb-l mb-none">{{ trans('entities.shelves_new_empty') }}</p>
+    @endif
+</div>

resources/views/shelves/parts/index-sidebar-section-popular.blade.php

@@ -0,0 +1,8 @@
+<div id="popular" class="mb-xl">
+    <h5>{{ trans('entities.shelves_popular') }}</h5>
+    @if(count($popular) > 0)
+        @include('entities.list', ['entities' => $popular, 'style' => 'compact'])
+    @else
+        <p class="text-muted pb-l mb-none">{{ trans('entities.shelves_popular_empty') }}</p>
+    @endif
+</div>

resources/views/shelves/parts/index-sidebar-section-recents.blade.php

@@ -0,0 +1,6 @@
+@if($recents)
+    <div id="recents" class="mb-xl">
+        <h5>{{ trans('entities.recently_viewed') }}</h5>
+        @include('entities.list', ['entities' => $recents, 'style' => 'compact'])
+    </div>
+@endif

resources/views/shelves/parts/show-sidebar-section-actions.blade.php

@@ -0,0 +1,43 @@
+<div id="actions" class="actions mb-xl">
+    <h5>{{ trans('common.actions') }}</h5>
+    <div class="icon-list text-link">
+
+        @if(userCan(\BookStack\Permissions\Permission::BookCreateAll) && userCan(\BookStack\Permissions\Permission::BookshelfUpdate, $shelf))
+            <a href="{{ $shelf->getUrl('/create-book') }}" data-shortcut="new" class="icon-list-item">
+                <span class="icon">@icon('add')</span>
+                <span>{{ trans('entities.books_new_action') }}</span>
+            </a>
+        @endif
+
+        @include('entities.view-toggle', ['view' => $view, 'type' => 'bookshelf'])
+
+        <hr class="primary-background">
+
+        @if(userCan(\BookStack\Permissions\Permission::BookshelfUpdate, $shelf))
+            <a href="{{ $shelf->getUrl('/edit') }}" data-shortcut="edit" class="icon-list-item">
+                <span>@icon('edit')</span>
+                <span>{{ trans('common.edit') }}</span>
+            </a>
+        @endif
+
+        @if(userCan(\BookStack\Permissions\Permission::RestrictionsManage, $shelf))
+            <a href="{{ $shelf->getUrl('/permissions') }}" data-shortcut="permissions" class="icon-list-item">
+                <span>@icon('lock')</span>
+                <span>{{ trans('entities.permissions') }}</span>
+            </a>
+        @endif
+
+        @if(userCan(\BookStack\Permissions\Permission::BookshelfDelete, $shelf))
+            <a href="{{ $shelf->getUrl('/delete') }}" data-shortcut="delete" class="icon-list-item">
+                <span>@icon('delete')</span>
+                <span>{{ trans('common.delete') }}</span>
+            </a>
+        @endif
+
+        @if(!user()->isGuest())
+            <hr class="primary-background">
+            @include('entities.favourite-action', ['entity' => $shelf])
+        @endif
+
+    </div>
+</div>

resources/views/shelves/parts/show-sidebar-section-activity.blade.php

@@ -0,0 +1,6 @@
+@if(count($activity) > 0)
+    <div id="recent-activity" class="mb-xl">
+        <h5>{{ trans('entities.recent_activity') }}</h5>
+        @include('common.activity-list', ['activity' => $activity])
+    </div>
+@endif

resources/views/shelves/parts/show-sidebar-section-details.blade.php

@@ -0,0 +1,21 @@
+<div id="details" class="mb-xl">
+    <h5>{{ trans('common.details') }}</h5>
+    <div class="blended-links">
+        @include('entities.meta', ['entity' => $shelf, 'watchOptions' => null])
+        @if($shelf->hasPermissions())
+            <div class="active-restriction">
+                @if(userCan(\BookStack\Permissions\Permission::RestrictionsManage, $shelf))
+                    <a href="{{ $shelf->getUrl('/permissions') }}" class="entity-meta-item">
+                        @icon('lock')
+                        <div>{{ trans('entities.shelves_permissions_active') }}</div>
+                    </a>
+                @else
+                    <div class="entity-meta-item">
+                        @icon('lock')
+                        <div>{{ trans('entities.shelves_permissions_active') }}</div>
+                    </div>
+                @endif
+            </div>
+        @endif
+    </div>
+</div>

resources/views/shelves/parts/show-sidebar-section-tags.blade.php

@@ -0,0 +1,5 @@
+@if($shelf->tags->count() > 0)
+    <div id="tags" class="mb-xl">
+        @include('entities.tag-list', ['entity' => $shelf])
+    </div>
+@endif

resources/views/shelves/show.blade.php

@@ -69,87 +69,13 @@
 @stop
 
 @section('left')
-
-    @if($shelf->tags->count() > 0)
-        <div id="tags" class="mb-xl">
-            @include('entities.tag-list', ['entity' => $shelf])
-        </div>
-    @endif
-
-    <div id="details" class="mb-xl">
-        <h5>{{ trans('common.details') }}</h5>
-        <div class="blended-links">
-            @include('entities.meta', ['entity' => $shelf, 'watchOptions' => null])
-            @if($shelf->hasPermissions())
-                <div class="active-restriction">
-                    @if(userCan(\BookStack\Permissions\Permission::RestrictionsManage, $shelf))
-                        <a href="{{ $shelf->getUrl('/permissions') }}" class="entity-meta-item">
-                            @icon('lock')
-                            <div>{{ trans('entities.shelves_permissions_active') }}</div>
-                        </a>
-                    @else
-                        <div class="entity-meta-item">
-                            @icon('lock')
-                            <div>{{ trans('entities.shelves_permissions_active') }}</div>
-                        </div>
-                    @endif
-                </div>
-            @endif
-        </div>
-    </div>
-
-    @if(count($activity) > 0)
-        <div id="recent-activity" class="mb-xl">
-            <h5>{{ trans('entities.recent_activity') }}</h5>
-            @include('common.activity-list', ['activity' => $activity])
-        </div>
-    @endif
+    @include('shelves.parts.show-sidebar-section-tags', ['shelf' => $shelf])
+    @include('shelves.parts.show-sidebar-section-details', ['shelf' => $shelf])
+    @include('shelves.parts.show-sidebar-section-activity', ['activity' => $activity])
 @stop
 
 @section('right')
-    <div class="actions mb-xl">
-        <h5>{{ trans('common.actions') }}</h5>
-        <div class="icon-list text-link">
-
-            @if(userCan(\BookStack\Permissions\Permission::BookCreateAll) && userCan(\BookStack\Permissions\Permission::BookshelfUpdate, $shelf))
-                <a href="{{ $shelf->getUrl('/create-book') }}" data-shortcut="new" class="icon-list-item">
-                    <span class="icon">@icon('add')</span>
-                    <span>{{ trans('entities.books_new_action') }}</span>
-                </a>
-            @endif
-
-            @include('entities.view-toggle', ['view' => $view, 'type' => 'bookshelf'])
-
-            <hr class="primary-background">
-
-            @if(userCan(\BookStack\Permissions\Permission::BookshelfUpdate, $shelf))
-                <a href="{{ $shelf->getUrl('/edit') }}" data-shortcut="edit" class="icon-list-item">
-                    <span>@icon('edit')</span>
-                    <span>{{ trans('common.edit') }}</span>
-                </a>
-            @endif
-
-            @if(userCan(\BookStack\Permissions\Permission::RestrictionsManage, $shelf))
-                <a href="{{ $shelf->getUrl('/permissions') }}" data-shortcut="permissions" class="icon-list-item">
-                    <span>@icon('lock')</span>
-                    <span>{{ trans('entities.permissions') }}</span>
-                </a>
-            @endif
-
-            @if(userCan(\BookStack\Permissions\Permission::BookshelfDelete, $shelf))
-                <a href="{{ $shelf->getUrl('/delete') }}" data-shortcut="delete" class="icon-list-item">
-                    <span>@icon('delete')</span>
-                    <span>{{ trans('common.delete') }}</span>
-                </a>
-            @endif
-
-            @if(!user()->isGuest())
-                <hr class="primary-background">
-                @include('entities.favourite-action', ['entity' => $shelf])
-            @endif
-
-        </div>
-    </div>
+    @include('shelves.parts.show-sidebar-section-actions', ['shelf' => $shelf, 'view' => $view])
 @stop
 
 

resources/views/users/edit.blade.php

@@ -71,6 +71,26 @@
                 </div>
             </div>
 
+            @if(user()->hasSystemRole('admin'))
+                <div class="mt-xl">
+                    <hr class="my-m">
+                    <div class="grid half gap-xl v-center">
+                        <div>
+                            <strong class="text-neg">{{ trans('settings.users_mfa_reset') }}</strong>
+                            <p class="text-small text-muted">{{ trans('settings.users_mfa_reset_desc', ['userName' => $user->name]) }}</p>
+                        </div>
+                        <div class="text-m-right">
+                            <form action="{{ url("/settings/users/{$user->id}/reset-mfa") }}" method="POST" style="display: inline;">
+                                @csrf
+                                <button type="submit" class="button neg" 
+                                        onclick="return confirm('{{ trans('settings.users_mfa_reset_confirm', ['userName' => $user->name]) }}')">
+                                    {{ trans('settings.users_mfa_reset') }}
+                                </button>
+                            </form>
+                        </div>
+                    </div>
+                </div>
+            @endif
         </section>
 
         @if(count($activeSocialDrivers) > 0)

routes/web.php

@@ -251,6 +251,7 @@ Route::middleware('auth')->group(function () {
     Route::get('/settings/users/{id}', [UserControllers\UserController::class, 'edit']);
     Route::put('/settings/users/{id}', [UserControllers\UserController::class, 'update']);
     Route::delete('/settings/users/{id}', [UserControllers\UserController::class, 'destroy']);
+    Route::post('/settings/users/{id}/reset-mfa', [UserControllers\UserController::class, 'resetMfa']);
 
     // User Account
     Route::get('/my-account', [UserControllers\UserAccountController::class, 'redirect']);

storage/framework/.gitignore

@@ -7,3 +7,4 @@ routes.php
 routes.scanned.php
 schedule-*
 services.json
+purifier/

tests/Api/BooksApiTest.php

@@ -188,6 +188,37 @@ class BooksApiTest extends TestCase
         $resp->assertJsonMissing(['name' => $customName]);
     }
 
+    public function test_read_endpoint_lists_visible_shelves_the_book_is_assigned_to()
+    {
+        $this->actingAsApiEditor();
+        $shelf = $this->entities->shelf();
+        $otherShelf = $this->entities->shelf();
+        $book = $this->entities->book();
+        $book->shelves()->detach();
+
+        $book->shelves()->attach($shelf);
+        $book->shelves()->attach($otherShelf);
+
+        $this->assertEquals(2, $book->shelves()->count());
+
+        $this->permissions->disableEntityInheritedPermissions($otherShelf);
+
+        $resp = $this->getJson("{$this->baseEndpoint}/{$book->id}");
+        $resp->assertOk();
+        $resp->assertJsonCount(1, 'shelves');
+        $resp->assertJson([
+            'shelves' => [
+                [
+                    'id' => $shelf->id,
+                    'name' => $shelf->name,
+                    'slug' => $shelf->slug,
+                ]
+            ]
+        ]);
+        $resp->assertJsonMissingPath('shelves.0.description');
+        $resp->assertJsonMissingPath('shelves.0.pivot');
+    }
+
     public function test_update_endpoint()
     {
         $this->actingAsApiEditor();

tests/Auth/OidcTest.php

@@ -822,6 +822,34 @@ class OidcTest extends TestCase
         ]);
     }
 
+    public function test_oidc_auth_pre_redirect_theme_event_with_return()
+    {
+        $args = [];
+        $callback = function (...$eventArgs) use (&$args) {
+            $args = $eventArgs;
+            return 'https://cats.example.com?beans=true';
+        };
+        Theme::listen(ThemeEvents::OIDC_AUTH_PRE_REDIRECT, $callback);
+
+        $resp = $this->post('/oidc/login');
+        $resp->assertRedirect('https://cats.example.com?beans=true');
+
+        $this->assertCount(1, $args);
+        $this->assertStringStartsWith('https://oidc.local/auth', $args[0]);
+    }
+
+    public function test_oidc_auth_pre_redirect_theme_event_with_no_return()
+    {
+        $callback = function ($redirectUrl) {
+            $redirectUrl = 'cat';
+        };
+        Theme::listen(ThemeEvents::OIDC_AUTH_PRE_REDIRECT, $callback);
+
+        $resp = $this->post('/oidc/login');
+        $redirect = $resp->headers->get('Location');
+        $this->assertStringStartsWith('https://oidc.local/auth?', $redirect);
+    }
+
     public function test_pkce_used_on_authorize_and_access()
     {
         // Start auth

tests/Commands/InstallModuleCommandTest.php

@@ -0,0 +1,299 @@
+<?php
+
+namespace Tests\Commands;
+
+use GuzzleHttp\Psr7\Response;
+use Illuminate\Support\Facades\File;
+use Tests\TestCase;
+use ZipArchive;
+
+class InstallModuleCommandTest extends TestCase
+{
+    public function test_local_module_install_with_active_theme()
+    {
+        $this->usingThemeFolder(function () {
+            $zip = $this->getModuleZipPath();
+            $expectedInstallPath = theme_path('modules/test-module');
+            $this->artisan('bookstack:install-module', ['location' => $zip])
+                ->expectsOutput("\nThis will install a module from: {$zip}\n\nModules can contain code which would have the ability to do anything on the BookStack host server.\nYou should only install modules from trusted sources.")
+                ->expectsConfirmation('Are you sure you want to install this module?', 'yes')
+                ->expectsOutput('Module "Test Module" (v1.0.0) successfully installed!')
+                ->expectsOutput("Install location: {$expectedInstallPath}")
+                ->assertExitCode(0);
+
+            $this->assertDirectoryExists($expectedInstallPath);
+            $this->assertFileExists($expectedInstallPath . '/bookstack-module.json');
+        });
+    }
+
+    public function test_remote_module_install_with_active_theme()
+    {
+        $this->usingThemeFolder(function () {
+            $zip = $this->getModuleZipPath();
+
+            $http = $this->mockHttpClient([
+                new Response(200, ['Content-Length' => filesize($zip)], file_get_contents($zip))
+            ]);
+            $expectedInstallPath = theme_path('modules/test-module');
+
+            $this->artisan('bookstack:install-module', ['location' => 'https://example.com/test-module.zip'])
+                ->expectsOutput("\nThis will download a module from: example.com\n\nModules can contain code which would have the ability to do anything on the BookStack host server.\nYou should only install modules from trusted sources.")
+                ->expectsConfirmation('Are you sure you trust this source?', 'yes')
+                ->expectsOutput('Module "Test Module" (v1.0.0) successfully installed!')
+                ->expectsOutput("Install location: {$expectedInstallPath}")
+                ->assertExitCode(0);
+
+            $this->assertEquals(1, $http->requestCount());
+            $request = $http->requestAt(0);
+            $this->assertEquals('/test-module.zip', $request->getUri()->getPath());
+
+            $this->assertDirectoryExists($expectedInstallPath);
+            $this->assertFileExists($expectedInstallPath . '/bookstack-module.json');
+        });
+    }
+
+    public function test_remote_http_module_warns_and_prompts_users()
+    {
+        $this->usingThemeFolder(function () {
+            $zip = $this->getModuleZipPath();
+
+            $http = $this->mockHttpClient([
+                new Response(200, ['Content-Length' => filesize($zip)], file_get_contents($zip))
+            ]);
+            $expectedInstallPath = theme_path('modules/test-module');
+
+            $this->artisan('bookstack:install-module', ['location' => 'http://example.com/test-module.zip'])
+                ->expectsOutput("\nThis will download a module from: example.com\n\nModules can contain code which would have the ability to do anything on the BookStack host server.\nYou should only install modules from trusted sources.")
+                ->expectsConfirmation('Are you sure you trust this source?', 'yes')
+                ->expectsOutput("You are downloading a module from an insecure HTTP source.\nWe recommend only using HTTPS sources to avoid various security risks.")
+                ->expectsConfirmation('Are you sure you want to continue without HTTPS?', 'yes')
+                ->expectsOutput('Module "Test Module" (v1.0.0) successfully installed!')
+                ->expectsOutput("Install location: {$expectedInstallPath}")
+                ->assertExitCode(0);
+
+            $request = $http->requestAt(0);
+            $this->assertEquals('/test-module.zip', $request->getUri()->getPath());
+        });
+    }
+
+    public function test_remote_module_install_follows_redirects()
+    {
+        $this->usingThemeFolder(function () {
+            $zip = $this->getModuleZipPath();
+
+            $http = $this->mockHttpClient([
+                new Response(302, ['Location' => 'https://example.com/a-test-module.zip']),
+                new Response(200, ['Content-Length' => filesize($zip)], file_get_contents($zip))
+            ]);
+
+            $this->artisan('bookstack:install-module', ['location' => 'https://example.com/test-module.zip'])
+                ->expectsConfirmation('Are you sure you trust this source?', 'yes')
+                ->assertExitCode(0);
+
+            $this->assertEquals(2, $http->requestCount());
+            $this->assertEquals('/test-module.zip', $http->requestAt(0)->getUri()->getPath());
+            $this->assertEquals('/a-test-module.zip', $http->requestAt(1)->getUri()->getPath());
+        });
+    }
+
+    public function test_remote_module_install_does_not_follow_redirects_to_different_origin()
+    {
+        $this->usingThemeFolder(function () {
+            $zip = $this->getModuleZipPath();
+
+            $http = $this->mockHttpClient([
+                new Response(302, ['Location' => 'http://example.com/a-test-module.zip']),
+                new Response(200, ['Content-Length' => filesize($zip)], file_get_contents($zip))
+            ]);
+
+            $this->artisan('bookstack:install-module', ['location' => 'https://example.com/test-module.zip'])
+                ->expectsConfirmation('Are you sure you trust this source?', 'yes')
+                ->assertExitCode(1);
+
+            $this->assertEquals(1, $http->requestCount());
+            $this->assertEquals('https', $http->requestAt(0)->getUri()->getScheme());
+        });
+    }
+
+    public function test_remote_module_install_download_failures_are_announced_to_user()
+    {
+        $this->usingThemeFolder(function () {
+            $http = $this->mockHttpClient([
+                new Response(404),
+            ]);
+
+            $this->artisan('bookstack:install-module', ['location' => 'https://example.com/test-module.zip'])
+                ->expectsConfirmation('Are you sure you trust this source?', 'yes')
+                ->expectsOutput('ERROR: Failed to download module from https://example.com/test-module.zip')
+                ->expectsOutput('Download failed with status code 404')
+                ->assertExitCode(1);
+            $this->assertEquals(1, $http->requestCount());
+        });
+    }
+
+    public function test_run_with_invalid_path_exits_early()
+    {
+        $this->artisan('bookstack:install-module', ['location' => '/not-found.zip'])
+            ->expectsOutput('ERROR: Module file not found at /not-found.zip')
+            ->assertExitCode(1);
+    }
+
+    public function test_run_with_invalid_zip_has_early_exit()
+    {
+        $zip = $this->getModuleZipPath();
+        file_put_contents($zip, 'invalid zip');
+
+        $this->artisan('bookstack:install-module', ['location' => $zip])
+            ->expectsConfirmation('Are you sure you want to install this module?', 'yes')
+            ->expectsOutput("ERROR: Cannot open ZIP file at {$zip}")
+            ->assertExitCode(1);
+    }
+
+    public function test_run_with_large_zip_has_early_exit()
+    {
+        $zip = $this->getModuleZipPath(null, [
+            'large-file.txt' => str_repeat('a', 1024 * 1024 * 51)
+        ]);
+
+        $this->artisan('bookstack:install-module', ['location' => $zip])
+            ->expectsConfirmation('Are you sure you want to install this module?', 'yes')
+            ->expectsOutput("ERROR: Module ZIP file contents are too large. Maximum size is 50MB")
+            ->assertExitCode(1);
+    }
+
+    public function test_run_with_invalid_module_data_has_early_exit()
+    {
+        $zip = $this->getModuleZipPath([
+            'name' => 'Invalid Module',
+            'description' => 'A module with invalid data',
+            'version' => 'dog',
+        ]);
+
+        $this->artisan('bookstack:install-module', ['location' => $zip])
+            ->expectsConfirmation('Are you sure you want to install this module?', 'yes')
+            ->expectsOutput("ERROR: Failed to read module metadata with error: Module in folder \"_temp\" has an invalid 'version' format. Expected semantic version format like '1.0.0' or 'v1.0.0'")
+            ->assertExitCode(1);
+    }
+
+    public function test_local_module_install_without_active_theme_can_setup_theme_folder()
+    {
+        $zip = $this->getModuleZipPath();
+        $expectedThemePath = base_path('themes/custom');
+        File::deleteDirectory($expectedThemePath);
+
+        $this->artisan('bookstack:install-module', ['location' => $zip])
+            ->expectsConfirmation('Are you sure you want to install this module?', 'yes')
+            ->expectsConfirmation('No active theme folder found, would you like to create one?', 'yes')
+            ->expectsOutput("Created theme folder at {$expectedThemePath}")
+            ->expectsOutput("You will need to set APP_THEME=custom in your BookStack env configuration to enable this theme!")
+            ->expectsOutput('Module "Test Module" (v1.0.0) successfully installed!')
+            ->assertExitCode(0);
+
+        $this->assertDirectoryExists($expectedThemePath . '/modules/test-module');
+
+        File::deleteDirectory($expectedThemePath);
+    }
+
+    public function test_local_module_install_with_active_theme_and_conflicting_modules_file_causes_early_exit()
+    {
+        $this->usingThemeFolder(function () {
+            $zip = $this->getModuleZipPath();
+            File::put(theme_path('modules'), '{}');
+
+            $this->artisan('bookstack:install-module', ['location' => $zip])
+                ->expectsConfirmation('Are you sure you want to install this module?', 'yes')
+                ->expectsOutput("ERROR: Cannot create a modules folder, file already exists at " . theme_path('modules'))
+                ->assertExitCode(1);
+        });
+    }
+
+    public function test_single_existing_module_with_same_name_replace()
+    {
+        $this->usingThemeFolder(function () {
+            $original = $this->createModuleFolderInCurrentTheme(['name' => 'Test Module', 'description' => 'cat', 'version' => '1.0.0']);
+            $new = $this->getModuleZipPath(['name' => 'Test Module', 'description' => '', 'version' => '2.0.0']);
+
+            $this->artisan('bookstack:install-module', ['location' => $new])
+                ->expectsConfirmation('Are you sure you want to install this module?', 'yes')
+                ->expectsOutput('The following modules already exist with the same name:')
+                ->expectsOutput('Test Module (test-module:v1.0.0) - cat')
+                ->expectsChoice('What would you like to do?', 'Replace existing module', ['Cancel module install', 'Add alongside existing module', 'Replace existing module'])
+                ->expectsOutput("Replacing existing module in test-module folder")
+                ->assertExitCode(0);
+
+            $this->assertFileExists($original . '/bookstack-module.json');
+            $metadata = json_decode(file_get_contents($original . '/bookstack-module.json'), true);
+            $this->assertEquals('2.0.0', $metadata['version']);
+        });
+    }
+
+    public function test_single_existing_module_with_same_name_cancel()
+    {
+        $this->usingThemeFolder(function () {
+            $original = $this->createModuleFolderInCurrentTheme(['name' => 'Test Module', 'description' => 'cat', 'version' => '1.0.0']);
+            $new = $this->getModuleZipPath(['name' => 'Test Module', 'description' => '', 'version' => '2.0.0']);
+
+            $this->artisan('bookstack:install-module', ['location' => $new])
+                ->expectsConfirmation('Are you sure you want to install this module?', 'yes')
+                ->expectsOutput('The following modules already exist with the same name:')
+                ->expectsOutput('Test Module (test-module:v1.0.0) - cat')
+                ->expectsChoice('What would you like to do?', 'Cancel module install', ['Cancel module install', 'Add alongside existing module', 'Replace existing module'])
+                ->assertExitCode(1);
+
+            $this->assertFileExists($original . '/bookstack-module.json');
+            $metadata = json_decode(file_get_contents($original . '/bookstack-module.json'), true);
+            $this->assertEquals('1.0.0', $metadata['version']);
+        });
+    }
+
+    public function test_single_existing_module_with_same_name_add()
+    {
+        $this->usingThemeFolder(function () {
+            $original = $this->createModuleFolderInCurrentTheme(['name' => 'Test Module', 'description' => 'cat', 'version' => '1.0.0']);
+            $new = $this->getModuleZipPath(['name' => 'Test Module', 'description' => '', 'version' => '2.0.0']);
+
+            $this->artisan('bookstack:install-module', ['location' => $new])
+                ->expectsConfirmation('Are you sure you want to install this module?', 'yes')
+                ->expectsOutput('The following modules already exist with the same name:')
+                ->expectsOutput('Test Module (test-module:v1.0.0) - cat')
+                ->expectsChoice('What would you like to do?', 'Add alongside existing module', ['Cancel module install', 'Add alongside existing module', 'Replace existing module'])
+                ->assertExitCode(0);
+
+            $dirs = File::directories(theme_path('modules/'));
+            $this->assertCount(2, $dirs);
+        });
+    }
+
+    protected function createModuleFolderInCurrentTheme(array|null $metadata = null, array $extraFiles = []): string
+    {
+        $original = $this->getModuleZipPath($metadata, $extraFiles);
+        $targetPath = theme_path('modules/test-module');
+        mkdir($targetPath, 0777, true);
+        $originalZip = new ZipArchive();
+        $originalZip->open($original);
+        $originalZip->extractTo($targetPath);
+        $originalZip->close();
+
+        return $targetPath;
+    }
+
+    protected function getModuleZipPath(array|null $metadata = null, array $extraFiles = []): string
+    {
+        $zip = new ZipArchive();
+        $tmpFile = tempnam(sys_get_temp_dir(), 'bs-test-module');
+        $zip->open($tmpFile, ZipArchive::CREATE);
+
+        $zip->addFromString('bookstack-module.json', json_encode($metadata ?? [
+            'name' => 'Test Module',
+            'description' => 'A test module for BookStack',
+            'version' => '1.0.0',
+        ]));
+
+        foreach ($extraFiles as $path => $contents) {
+            $zip->addFromString($path, $contents);
+        }
+
+        $zip->close();
+        return $tmpFile;
+    }
+}

tests/Entity/BookTest.php

@@ -154,6 +154,20 @@ class BookTest extends TestCase
         $this->assertNotificationContains($redirectReq, 'Book Successfully Deleted');
     }
 
+    public function test_delete_with_shelf_context_returns_to_shelf_view_after_delete()
+    {
+        $shelf = $this->entities->shelfHasBooks();
+        /** @var Book $book */
+        $book = $shelf->books()->first();
+
+        $this->asEditor()->get($shelf->getUrl());
+        $this->get($book->getUrl());
+        $this->get($book->getUrl('/delete'));
+        $resp = $this->delete($book->getUrl());
+
+        $resp->assertRedirect($shelf->getUrl());
+    }
+
     public function test_cancel_on_create_page_leads_back_to_books_listing()
     {
         $resp = $this->asEditor()->get('/create-book');
@@ -264,4 +278,25 @@ class BookTest extends TestCase
         $resp = $this->asEditor()->get($book->getUrl());
         $resp->assertSee("<p>My great<br>\ndescription<br>\n<br>\nwith newlines</p>", false);
     }
+
+    public function test_description_with_only_br_tags_results_in_empty_p_tag_used_on_show()
+    {
+        $descriptions = [
+            '<p><br></p>',
+            '<p><br><br><br><br></p>',
+            '<p><br><br><br></p><h1><br><br><br><br><br></h1>',
+        ];
+        $book = $this->entities->book();
+        $this->asEditor();
+
+        foreach ($descriptions as $descriptionTestCase) {
+            $book->description_html = $descriptionTestCase;
+            $book->save();
+
+            $resp = $this->get($book->getUrl());
+            $html = $this->withHtml($resp);
+            $descriptionHtml = $html->getInnerHtml('.book-content > div.text-muted:first-child');
+            $this->assertEquals('<p></p>', $descriptionHtml);
+        }
+    }
 }

tests/Entity/PageContentFilteringTest.php

@@ -0,0 +1,502 @@
+<?php
+
+namespace Tests\Entity;
+
+use Tests\TestCase;
+
+class PageContentFilteringTest extends TestCase
+{
+    public function test_page_content_scripts_removed_by_default()
+    {
+        $this->asEditor();
+        $page = $this->entities->page();
+        $script = 'abc123<script>console.log("hello-test")</script>abc123';
+        $page->html = "escape {$script}";
+        $page->save();
+
+        $pageView = $this->get($page->getUrl());
+        $pageView->assertStatus(200);
+        $pageView->assertDontSee($script, false);
+        $pageView->assertSee('abc123abc123');
+    }
+
+    public function test_more_complex_content_script_escaping_scenarios()
+    {
+        config()->set('app.content_filtering', 'j');
+
+        $checks = [
+            "<p>Some script</p><script>alert('cat')</script>",
+            "<div><div><div><div><p>Some script</p><script>alert('cat')</script></div></div></div></div>",
+            "<p>Some script<script>alert('cat')</script></p>",
+            "<p>Some script <div><script>alert('cat')</script></div></p>",
+            "<p>Some script <script><div>alert('cat')</script></div></p>",
+            "<p>Some script <script><div>alert('cat')</script><script><div>alert('cat')</script></p><script><div>alert('cat')</script>",
+        ];
+
+        $this->asEditor();
+        $page = $this->entities->page();
+
+        foreach ($checks as $check) {
+            $page->html = $check;
+            $page->save();
+
+            $pageView = $this->get($page->getUrl());
+            $pageView->assertStatus(200);
+            $this->withHtml($pageView)->assertElementNotContains('.page-content', '<script>');
+            $this->withHtml($pageView)->assertElementNotContains('.page-content', '</script>');
+        }
+    }
+
+    public function test_js_and_base64_src_urls_are_removed()
+    {
+        config()->set('app.content_filtering', 'j');
+
+        $checks = [
+            '<iframe src="javascript:alert(document.cookie)"></iframe>',
+            '<iframe src="JavAScRipT:alert(document.cookie)"></iframe>',
+            '<iframe src="JavAScRipT:alert(document.cookie)"></iframe>',
+            '<iframe SRC=" javascript: alert(document.cookie)"></iframe>',
+            '<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
+            '<iframe src="DaTa:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
+            '<iframe src=" data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
+            '<img src="javascript:alert(document.cookie)"/>',
+            '<img src="JavAScRipT:alert(document.cookie)"/>',
+            '<img src="JavAScRipT:alert(document.cookie)"/>',
+            '<img SRC=" javascript: alert(document.cookie)"/>',
+            '<img src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
+            '<img src="DaTa:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
+            '<img src=" data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
+            '<iframe srcdoc="<script>window.alert(document.cookie)</script>"></iframe>',
+            '<iframe SRCdoc="<script>window.alert(document.cookie)</script>"></iframe>',
+            '<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>',
+            '<object data="javascript:alert(document.cookie)"></object>',
+            '<object data="JavAScRipT:alert(document.cookie)"></object>',
+            '<object data="JavAScRipT:alert(document.cookie)"></object>',
+            '<object SRC=" javascript: alert(document.cookie)"></object>',
+            '<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></object>',
+            '<object data="DaTa:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></object>',
+            '<object data=" data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></object>',
+            '<embed src="javascript:alert(document.cookie)"/>',
+            '<embed src="JavAScRipT:alert(document.cookie)"/>',
+            '<embed src="JavAScRipT:alert(document.cookie)"/>',
+            '<embed SRC=" javascript: alert(document.cookie)"/>',
+            '<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
+            '<embed src="DaTa:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
+            '<embed src=" data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
+        ];
+
+        $this->asEditor();
+        $page = $this->entities->page();
+
+        foreach ($checks as $check) {
+            $page->html = $check;
+            $page->save();
+
+            $pageView = $this->get($page->getUrl());
+            $pageView->assertStatus(200);
+            $html = $this->withHtml($pageView);
+            $html->assertElementNotContains('.page-content', '<object');
+            $html->assertElementNotContains('.page-content', 'data=');
+            $html->assertElementNotContains('.page-content', '<iframe>');
+            $html->assertElementNotContains('.page-content', '<img');
+            $html->assertElementNotContains('.page-content', '</iframe>');
+            $html->assertElementNotContains('.page-content', 'src=');
+            $html->assertElementNotContains('.page-content', 'javascript:');
+            $html->assertElementNotContains('.page-content', 'data:');
+            $html->assertElementNotContains('.page-content', 'base64');
+        }
+    }
+
+    public function test_javascript_uri_links_are_removed()
+    {
+        config()->set('app.content_filtering', 'j');
+
+        $checks = [
+            '<a id="xss" href="javascript:alert(document.cookie)>Click me</a>',
+            '<a id="xss" href="javascript: alert(document.cookie)>Click me</a>',
+            '<a id="xss" href="JaVaScRiPt: alert(document.cookie)>Click me</a>',
+            '<a id="xss" href=" JaVaScRiPt: alert(document.cookie)>Click me</a>',
+        ];
+
+        $this->asEditor();
+        $page = $this->entities->page();
+
+        foreach ($checks as $check) {
+            $page->html = $check;
+            $page->save();
+
+            $pageView = $this->get($page->getUrl());
+            $pageView->assertStatus(200);
+            $this->withHtml($pageView)->assertElementNotContains('.page-content', '<a id="xss"');
+            $this->withHtml($pageView)->assertElementNotContains('.page-content', 'href=javascript:');
+        }
+    }
+
+    public function test_form_filtering_is_controlled_by_config()
+    {
+        config()->set('app.content_filtering', '');
+        $page = $this->entities->page();
+        $page->html = '<form><input type="text" id="dont-see-this" value="test"></form>';
+        $page->save();
+
+        $this->asEditor()->get($page->getUrl())->assertSee('dont-see-this', false);
+
+        config()->set('app.content_filtering', 'f');
+        $this->get($page->getUrl())->assertDontSee('dont-see-this', false);
+    }
+
+    public function test_form_actions_with_javascript_are_removed()
+    {
+        config()->set('app.content_filtering', 'j');
+
+        $checks = [
+            '<customform><custominput id="xss" type=submit formaction=javascript:alert(document.domain) value=Submit><custominput></customform>',
+            '<customform ><custombutton id="xss" formaction="JaVaScRiPt:alert(document.domain)">Click me</custombutton></customform>',
+            '<customform ><custombutton id="xss" formaction=javascript:alert(document.domain)>Click me</custombutton></customform>',
+            '<customform id="xss" action=javascript:alert(document.domain)><input type=submit value=Submit></customform>',
+            '<customform id="xss" action="JaVaScRiPt:alert(document.domain)"><input type=submit value=Submit></customform>',
+        ];
+
+        $this->asEditor();
+        $page = $this->entities->page();
+
+        foreach ($checks as $check) {
+            $page->html = $check;
+            $page->save();
+
+            $pageView = $this->get($page->getUrl());
+            $pageView->assertStatus(200);
+            $pageView->assertDontSee('id="xss"', false);
+            $pageView->assertDontSee('action=javascript:', false);
+            $pageView->assertDontSee('action=JaVaScRiPt:', false);
+            $pageView->assertDontSee('formaction=javascript:', false);
+            $pageView->assertDontSee('formaction=JaVaScRiPt:', false);
+        }
+    }
+
+    public function test_form_elements_are_removed()
+    {
+        config()->set('app.content_filtering', 'f');
+
+        $checks = [
+            '<p>thisisacattofind</p><form>thisdogshouldnotbefound</form>',
+            '<p>thisisacattofind</p><input type="text" value="thisdogshouldnotbefound">',
+            '<p>thisisacattofind</p><select><option>thisdogshouldnotbefound</option></select>',
+            '<p>thisisacattofind</p><textarea>thisdogshouldnotbefound</textarea>',
+            '<p>thisisacattofind</p><fieldset>thisdogshouldnotbefound</fieldset>',
+            '<p>thisisacattofind</p><button>thisdogshouldnotbefound</button>',
+            '<p>thisisacattofind</p><BUTTON>thisdogshouldnotbefound</BUTTON>',
+            <<<'TESTCASE'
+<svg width="200" height="100" xmlns="http://www.w3.org/2000/svg">
+  <foreignObject width="100%" height="100%">
+    
+    <body xmlns="http://www.w3.org/1999/xhtml">
+    <p>thisisacattofind</p>
+      <form>
+        <p>thisdogshouldnotbefound</p>
+      </form>
+      <input type="text" placeholder="thisdogshouldnotbefound" />
+      <button type="submit">thisdogshouldnotbefound</button>
+    </body>
+
+  </foreignObject>
+</svg>
+TESTCASE
+
+        ];
+
+        $this->asEditor();
+        $page = $this->entities->page();
+
+        foreach ($checks as $check) {
+            $page->html = $check;
+            $page->save();
+
+            $pageView = $this->get($page->getUrl());
+            $pageView->assertStatus(200);
+            $pageView->assertSee('thisisacattofind');
+            $pageView->assertDontSee('thisdogshouldnotbefound');
+        }
+    }
+
+    public function test_form_attributes_are_removed()
+    {
+        config()->set('app.content_filtering', 'f');
+
+        $withinSvgSample = <<<'TESTCASE'
+<svg width="200" height="100" xmlns="http://www.w3.org/2000/svg">
+  <foreignObject width="100%" height="100%">
+    
+    <body xmlns="http://www.w3.org/1999/xhtml">
+    <p formaction="a">thisisacattofind</p>
+    <p formaction="a">thisisacattofind</p>
+    </body>
+
+  </foreignObject>
+</svg>
+TESTCASE;
+
+        $checks = [
+            'formaction' => '<p formaction="a">thisisacattofind</p>',
+            'form' => '<p form="a">thisisacattofind</p>',
+            'formmethod' => '<p formmethod="a">thisisacattofind</p>',
+            'formtarget' => '<p formtarget="a">thisisacattofind</p>',
+            'FORMTARGET' => '<p FORMTARGET="a">thisisacattofind</p>',
+        ];
+
+        $this->asEditor();
+        $page = $this->entities->page();
+
+        foreach ($checks as $attribute => $check) {
+            $page->html = $check;
+            $page->save();
+
+            $pageView = $this->get($page->getUrl());
+            $pageView->assertStatus(200);
+            $pageView->assertSee('thisisacattofind');
+            $this->withHtml($pageView)->assertElementNotExists(".page-content [{$attribute}]");
+        }
+
+        $page->html = $withinSvgSample;
+        $page->save();
+        $pageView = $this->get($page->getUrl());
+        $pageView->assertStatus(200);
+        $html = $this->withHtml($pageView);
+        foreach ($checks as $attribute => $check) {
+            $pageView->assertSee('thisisacattofind');
+            $html->assertElementNotExists(".page-content [{$attribute}]");
+        }
+    }
+
+    public function test_metadata_redirects_are_removed()
+    {
+        config()->set('app.content_filtering', 'h');
+
+        $checks = [
+            '<meta http-equiv="refresh" content="0; url=//external_url">',
+            '<meta http-equiv="refresh" ConTeNt="0; url=//external_url">',
+            '<meta http-equiv="refresh" content="0; UrL=//external_url">',
+        ];
+
+        $this->asEditor();
+        $page = $this->entities->page();
+
+        foreach ($checks as $check) {
+            $page->html = $check;
+            $page->save();
+
+            $pageView = $this->get($page->getUrl());
+            $pageView->assertStatus(200);
+            $this->withHtml($pageView)->assertElementNotContains('.page-content', '<meta>');
+            $this->withHtml($pageView)->assertElementNotContains('.page-content', '</meta>');
+            $this->withHtml($pageView)->assertElementNotContains('.page-content', 'content=');
+            $this->withHtml($pageView)->assertElementNotContains('.page-content', 'external_url');
+        }
+    }
+
+    public function test_page_inline_on_attributes_removed_by_default()
+    {
+        config()->set('app.content_filtering', 'j');
+
+        $this->asEditor();
+        $page = $this->entities->page();
+        $script = '<p onmouseenter="console.log(\'test\')">Hello</p>';
+        $page->html = "escape {$script}";
+        $page->save();
+
+        $pageView = $this->get($page->getUrl());
+        $pageView->assertStatus(200);
+        $pageView->assertDontSee($script, false);
+        $pageView->assertSee('<p>Hello</p>', false);
+    }
+
+    public function test_more_complex_inline_on_attributes_escaping_scenarios()
+    {
+        config()->set('app.content_filtering', 'j');
+
+        $checks = [
+            '<p onclick="console.log(\'test\')">Hello</p>',
+            '<p OnCliCk="console.log(\'test\')">Hello</p>',
+            '<div>Lorem ipsum dolor sit amet.</div><p onclick="console.log(\'test\')">Hello</p>',
+            '<div>Lorem ipsum dolor sit amet.<p onclick="console.log(\'test\')">Hello</p></div>',
+            '<div><div><div><div>Lorem ipsum dolor sit amet.<p onclick="console.log(\'test\')">Hello</p></div></div></div></div>',
+            '<div onclick="console.log(\'test\')">Lorem ipsum dolor sit amet.</div><p onclick="console.log(\'test\')">Hello</p><div></div>',
+            '<a a="<img src=1 onerror=\'alert(1)\'> ',
+            '\<a onclick="alert(document.cookie)"\>xss link\</a\>',
+        ];
+
+        $this->asEditor();
+        $page = $this->entities->page();
+
+        foreach ($checks as $check) {
+            $page->html = $check;
+            $page->save();
+
+            $pageView = $this->get($page->getUrl());
+            $pageView->assertStatus(200);
+            $this->withHtml($pageView)->assertElementNotContains('.page-content', 'onclick');
+        }
+    }
+
+    public function test_page_content_scripts_show_with_filters_disabled()
+    {
+        $this->asEditor();
+        $page = $this->entities->page();
+        config()->set('app.content_filtering', '');
+
+        $script = 'abc123<script>console.log("hello-test")</script>abc123';
+        $page->html = "no escape {$script}";
+        $page->save();
+
+        $pageView = $this->get($page->getUrl());
+        $pageView->assertSee($script, false);
+        $pageView->assertDontSee('abc123abc123');
+    }
+
+    public function test_svg_script_usage_is_removed()
+    {
+        config()->set('app.content_filtering', 'j');
+
+        $checks = [
+            '<svg id="test" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100"><a xlink:href="javascript:alert(document.domain)"><rect x="0" y="0" width="100" height="100" /></a></svg>',
+            '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><use xlink:href="data:application/xml;base64 ,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIj4KPGRlZnM+CjxjaXJjbGUgaWQ9InRlc3QiIHI9IjAiIGN4PSIwIiBjeT0iMCIgc3R5bGU9ImZpbGw6ICNGMDAiPgo8c2V0IGF0dHJpYnV0ZU5hbWU9ImZpbGwiIGF0dHJpYnV0ZVR5cGU9IkNTUyIgb25iZWdpbj0nYWxlcnQoZG9jdW1lbnQuZG9tYWluKScKb25lbmQ9J2FsZXJ0KCJvbmVuZCIpJyB0bz0iIzAwRiIgYmVnaW49IjBzIiBkdXI9Ijk5OXMiIC8+CjwvY2lyY2xlPgo8L2RlZnM+Cjx1c2UgeGxpbms6aHJlZj0iI3Rlc3QiLz4KPC9zdmc+#test"/></svg>',
+            '<svg><animate href=#xss attributeName=href values=javascript:alert(1) /></svg>',
+            '<svg><animate href="#xss" attributeName="href" values="a;javascript:alert(1)" /></svg>',
+            '<svg><animate href="#xss" attributeName="href" values="a;data:alert(1)" /></svg>',
+            '<svg><animate href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>',
+            '<svg><set href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>',
+            '<svg><g><g><g><animate href=#xss attributeName=href values=javascript:alert(1) /></g></g></g></svg>',
+        ];
+
+        $this->asEditor();
+        $page = $this->entities->page();
+
+        foreach ($checks as $check) {
+            $page->html = $check;
+            $page->save();
+
+            $pageView = $this->get($page->getUrl());
+            $pageView->assertStatus(200);
+            $html = $this->withHtml($pageView);
+            $html->assertElementNotContains('.page-content', 'alert');
+            $html->assertElementNotContains('.page-content', 'xlink:href');
+            $html->assertElementNotContains('.page-content', 'application/xml');
+            $html->assertElementNotContains('.page-content', 'javascript');
+        }
+    }
+
+    public function test_page_inline_on_attributes_show_with_filters_disabled()
+    {
+        $this->asEditor();
+        $page = $this->entities->page();
+        config()->set('app.content_filtering', '');
+
+        $script = '<p onmouseenter="console.log(\'test\')">Hello</p>';
+        $page->html = "escape {$script}";
+        $page->save();
+
+        $pageView = $this->get($page->getUrl());
+        $pageView->assertSee($script, false);
+        $pageView->assertDontSee('<p>Hello</p>', false);
+    }
+
+    public function test_non_content_filtering_is_controlled_by_config()
+    {
+        config()->set('app.content_filtering', '');
+        $page = $this->entities->page();
+        $html = <<<'HTML'
+<style>superbeans!</style>
+<template id="template">superbeans!</template>
+HTML;
+        $page->html = $html;
+        $page->save();
+
+        $resp = $this->asEditor()->get($page->getUrl());
+        $resp->assertSee('superbeans', false);
+
+        config()->set('app.content_filtering', 'h');
+
+        $resp = $this->asEditor()->get($page->getUrl());
+        $resp->assertDontSee('superbeans', false);
+    }
+
+    public function test_non_content_filtering()
+    {
+        config()->set('app.content_filtering', 'h');
+        $page = $this->entities->page();
+        $html = <<<'HTML'
+<style>superbeans!</style>
+<p>inbetweenpsection</p>
+<link rel="stylesheet" href="https://example.com/superbeans.css">
+<meta name="description" content="superbeans!">
+<title>superbeans!</title>
+<template id="template">superbeans!</template>
+HTML;
+
+        $page->html = $html;
+        $page->save();
+
+        $resp = $this->asEditor()->get($page->getUrl());
+        $resp->assertDontSee('superbeans', false);
+        $resp->assertSee('inbetweenpsection', false);
+    }
+
+    public function test_allow_list_filtering_is_controlled_by_config()
+    {
+        config()->set('app.content_filtering', '');
+        $page = $this->entities->page();
+        $page->html = '<div style="position: absolute; left: 0;color:#00FFEE;">Hello!</div>';
+        $page->save();
+
+        $resp = $this->asEditor()->get($page->getUrl());
+        $resp->assertSee('style="position: absolute; left: 0;color:#00FFEE;"', false);
+
+        config()->set('app.content_filtering', 'a');
+        $resp = $this->get($page->getUrl());
+        $resp->assertDontSee('style="position: absolute; left: 0;color:#00FFEE;"', false);
+        $resp->assertSee('style="color:#00FFEE;"', false);
+    }
+
+    public function test_allow_list_style_filtering()
+    {
+        $testCasesExpectedByInput = [
+            '<div style="position:absolute;left:0;color:#00FFEE;">Hello!</div>' => '<div style="color:#00FFEE;">Hello!</div>',
+            '<div style="background:#FF0000;left:0;color:#00FFEE;">Hello!</div>' => '<div style="background:#FF0000;color:#00FFEE;">Hello!</div>',
+            '<div style="color:#00FFEE;">Hello!<style>testinghello!</style></div>' => '<div style="color:#00FFEE;">Hello!</div>',
+            '<div drawio-diagram="5332" another-attr="cat">Hello!</div>' => '<div drawio-diagram="5332">Hello!</div>',
+        ];
+
+        config()->set('app.content_filtering', 'a');
+        $page = $this->entities->page();
+        $this->asEditor();
+
+        foreach ($testCasesExpectedByInput as $input => $expected) {
+            $page->html = $input;
+            $page->save();
+            $resp = $this->get($page->getUrl());
+
+            $resp->assertSee($expected, false);
+        }
+    }
+
+    public function test_allow_list_does_not_filter_cases()
+    {
+        $testCasesExpectedByInput = [
+            '<p><a href="https://example.com" target="_blank">New tab linkydoodle</a></p>',
+            '<p><a href="https://example.com/user/1" data-mention-user-id="5">@mentionusertext</a></p>',
+            '<details><summary>Hello</summary><p>Mydetailshere</p></details>',
+        ];
+
+        config()->set('app.content_filtering', 'a');
+        $page = $this->entities->page();
+        $this->asEditor();
+
+        foreach ($testCasesExpectedByInput as $input) {
+            $page->html = $input;
+            $page->save();
+            $resp = $this->get($page->getUrl());
+
+            $resp->assertSee($input, false);
+        }
+    }
+}

tests/Entity/PageContentTest.php

@@ -101,351 +101,6 @@ class PageContentTest extends TestCase
         $pageResp->assertSee('Hello Barry');
     }
 
-    public function test_page_content_scripts_removed_by_default()
-    {
-        $this->asEditor();
-        $page = $this->entities->page();
-        $script = 'abc123<script>console.log("hello-test")</script>abc123';
-        $page->html = "escape {$script}";
-        $page->save();
-
-        $pageView = $this->get($page->getUrl());
-        $pageView->assertStatus(200);
-        $pageView->assertDontSee($script, false);
-        $pageView->assertSee('abc123abc123');
-    }
-
-    public function test_more_complex_content_script_escaping_scenarios()
-    {
-        $checks = [
-            "<p>Some script</p><script>alert('cat')</script>",
-            "<div><div><div><div><p>Some script</p><script>alert('cat')</script></div></div></div></div>",
-            "<p>Some script<script>alert('cat')</script></p>",
-            "<p>Some script <div><script>alert('cat')</script></div></p>",
-            "<p>Some script <script><div>alert('cat')</script></div></p>",
-            "<p>Some script <script><div>alert('cat')</script><script><div>alert('cat')</script></p><script><div>alert('cat')</script>",
-        ];
-
-        $this->asEditor();
-        $page = $this->entities->page();
-
-        foreach ($checks as $check) {
-            $page->html = $check;
-            $page->save();
-
-            $pageView = $this->get($page->getUrl());
-            $pageView->assertStatus(200);
-            $this->withHtml($pageView)->assertElementNotContains('.page-content', '<script>');
-            $this->withHtml($pageView)->assertElementNotContains('.page-content', '</script>');
-        }
-    }
-
-    public function test_js_and_base64_src_urls_are_removed()
-    {
-        $checks = [
-            '<iframe src="javascript:alert(document.cookie)"></iframe>',
-            '<iframe src="JavAScRipT:alert(document.cookie)"></iframe>',
-            '<iframe src="JavAScRipT:alert(document.cookie)"></iframe>',
-            '<iframe SRC=" javascript: alert(document.cookie)"></iframe>',
-            '<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
-            '<iframe src="DaTa:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
-            '<iframe src=" data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
-            '<img src="javascript:alert(document.cookie)"/>',
-            '<img src="JavAScRipT:alert(document.cookie)"/>',
-            '<img src="JavAScRipT:alert(document.cookie)"/>',
-            '<img SRC=" javascript: alert(document.cookie)"/>',
-            '<img src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
-            '<img src="DaTa:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
-            '<img src=" data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
-            '<iframe srcdoc="<script>window.alert(document.cookie)</script>"></iframe>',
-            '<iframe SRCdoc="<script>window.alert(document.cookie)</script>"></iframe>',
-            '<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>',
-        ];
-
-        $this->asEditor();
-        $page = $this->entities->page();
-
-        foreach ($checks as $check) {
-            $page->html = $check;
-            $page->save();
-
-            $pageView = $this->get($page->getUrl());
-            $pageView->assertStatus(200);
-            $html = $this->withHtml($pageView);
-            $html->assertElementNotContains('.page-content', '<iframe>');
-            $html->assertElementNotContains('.page-content', '<img');
-            $html->assertElementNotContains('.page-content', '</iframe>');
-            $html->assertElementNotContains('.page-content', 'src=');
-            $html->assertElementNotContains('.page-content', 'javascript:');
-            $html->assertElementNotContains('.page-content', 'data:');
-            $html->assertElementNotContains('.page-content', 'base64');
-        }
-    }
-
-    public function test_javascript_uri_links_are_removed()
-    {
-        $checks = [
-            '<a id="xss" href="javascript:alert(document.cookie)>Click me</a>',
-            '<a id="xss" href="javascript: alert(document.cookie)>Click me</a>',
-            '<a id="xss" href="JaVaScRiPt: alert(document.cookie)>Click me</a>',
-            '<a id="xss" href=" JaVaScRiPt: alert(document.cookie)>Click me</a>',
-        ];
-
-        $this->asEditor();
-        $page = $this->entities->page();
-
-        foreach ($checks as $check) {
-            $page->html = $check;
-            $page->save();
-
-            $pageView = $this->get($page->getUrl());
-            $pageView->assertStatus(200);
-            $this->withHtml($pageView)->assertElementNotContains('.page-content', '<a id="xss"');
-            $this->withHtml($pageView)->assertElementNotContains('.page-content', 'href=javascript:');
-        }
-    }
-
-    public function test_form_actions_with_javascript_are_removed()
-    {
-        $checks = [
-            '<customform><custominput id="xss" type=submit formaction=javascript:alert(document.domain) value=Submit><custominput></customform>',
-            '<customform ><custombutton id="xss" formaction="JaVaScRiPt:alert(document.domain)">Click me</custombutton></customform>',
-            '<customform ><custombutton id="xss" formaction=javascript:alert(document.domain)>Click me</custombutton></customform>',
-            '<customform id="xss" action=javascript:alert(document.domain)><input type=submit value=Submit></customform>',
-            '<customform id="xss" action="JaVaScRiPt:alert(document.domain)"><input type=submit value=Submit></customform>',
-        ];
-
-        $this->asEditor();
-        $page = $this->entities->page();
-
-        foreach ($checks as $check) {
-            $page->html = $check;
-            $page->save();
-
-            $pageView = $this->get($page->getUrl());
-            $pageView->assertStatus(200);
-            $pageView->assertDontSee('id="xss"', false);
-            $pageView->assertDontSee('action=javascript:', false);
-            $pageView->assertDontSee('action=JaVaScRiPt:', false);
-            $pageView->assertDontSee('formaction=javascript:', false);
-            $pageView->assertDontSee('formaction=JaVaScRiPt:', false);
-        }
-    }
-
-    public function test_form_elements_are_removed()
-    {
-        $checks = [
-            '<p>thisisacattofind</p><form>thisdogshouldnotbefound</form>',
-            '<p>thisisacattofind</p><input type="text" value="thisdogshouldnotbefound">',
-            '<p>thisisacattofind</p><select><option>thisdogshouldnotbefound</option></select>',
-            '<p>thisisacattofind</p><textarea>thisdogshouldnotbefound</textarea>',
-            '<p>thisisacattofind</p><fieldset>thisdogshouldnotbefound</fieldset>',
-            '<p>thisisacattofind</p><button>thisdogshouldnotbefound</button>',
-            '<p>thisisacattofind</p><BUTTON>thisdogshouldnotbefound</BUTTON>',
-            <<<'TESTCASE'
-<svg width="200" height="100" xmlns="http://www.w3.org/2000/svg">
-  <foreignObject width="100%" height="100%">
-    
-    <body xmlns="http://www.w3.org/1999/xhtml">
-    <p>thisisacattofind</p>
-      <form>
-        <p>thisdogshouldnotbefound</p>
-      </form>
-      <input type="text" placeholder="thisdogshouldnotbefound" />
-      <button type="submit">thisdogshouldnotbefound</button>
-    </body>
-
-  </foreignObject>
-</svg>
-TESTCASE
-
-        ];
-
-        $this->asEditor();
-        $page = $this->entities->page();
-
-        foreach ($checks as $check) {
-            $page->html = $check;
-            $page->save();
-
-            $pageView = $this->get($page->getUrl());
-            $pageView->assertStatus(200);
-            $pageView->assertSee('thisisacattofind');
-            $pageView->assertDontSee('thisdogshouldnotbefound');
-        }
-    }
-
-    public function test_form_attributes_are_removed()
-    {
-        $withinSvgSample = <<<'TESTCASE'
-<svg width="200" height="100" xmlns="http://www.w3.org/2000/svg">
-  <foreignObject width="100%" height="100%">
-    
-    <body xmlns="http://www.w3.org/1999/xhtml">
-    <p formaction="a">thisisacattofind</p>
-    <p formaction="a">thisisacattofind</p>
-    </body>
-
-  </foreignObject>
-</svg>
-TESTCASE;
-
-        $checks = [
-            'formaction' => '<p formaction="a">thisisacattofind</p>',
-            'form' => '<p form="a">thisisacattofind</p>',
-            'formmethod' => '<p formmethod="a">thisisacattofind</p>',
-            'formtarget' => '<p formtarget="a">thisisacattofind</p>',
-            'FORMTARGET' => '<p FORMTARGET="a">thisisacattofind</p>',
-        ];
-
-        $this->asEditor();
-        $page = $this->entities->page();
-
-        foreach ($checks as $attribute => $check) {
-            $page->html = $check;
-            $page->save();
-
-            $pageView = $this->get($page->getUrl());
-            $pageView->assertStatus(200);
-            $pageView->assertSee('thisisacattofind');
-            $this->withHtml($pageView)->assertElementNotExists(".page-content [{$attribute}]");
-        }
-
-        $page->html = $withinSvgSample;
-        $page->save();
-        $pageView = $this->get($page->getUrl());
-        $pageView->assertStatus(200);
-        $html = $this->withHtml($pageView);
-        foreach ($checks as $attribute => $check) {
-            $pageView->assertSee('thisisacattofind');
-            $html->assertElementNotExists(".page-content [{$attribute}]");
-        }
-    }
-
-    public function test_metadata_redirects_are_removed()
-    {
-        $checks = [
-            '<meta http-equiv="refresh" content="0; url=//external_url">',
-            '<meta http-equiv="refresh" ConTeNt="0; url=//external_url">',
-            '<meta http-equiv="refresh" content="0; UrL=//external_url">',
-        ];
-
-        $this->asEditor();
-        $page = $this->entities->page();
-
-        foreach ($checks as $check) {
-            $page->html = $check;
-            $page->save();
-
-            $pageView = $this->get($page->getUrl());
-            $pageView->assertStatus(200);
-            $this->withHtml($pageView)->assertElementNotContains('.page-content', '<meta>');
-            $this->withHtml($pageView)->assertElementNotContains('.page-content', '</meta>');
-            $this->withHtml($pageView)->assertElementNotContains('.page-content', 'content=');
-            $this->withHtml($pageView)->assertElementNotContains('.page-content', 'external_url');
-        }
-    }
-
-    public function test_page_inline_on_attributes_removed_by_default()
-    {
-        $this->asEditor();
-        $page = $this->entities->page();
-        $script = '<p onmouseenter="console.log(\'test\')">Hello</p>';
-        $page->html = "escape {$script}";
-        $page->save();
-
-        $pageView = $this->get($page->getUrl());
-        $pageView->assertStatus(200);
-        $pageView->assertDontSee($script, false);
-        $pageView->assertSee('<p>Hello</p>', false);
-    }
-
-    public function test_more_complex_inline_on_attributes_escaping_scenarios()
-    {
-        $checks = [
-            '<p onclick="console.log(\'test\')">Hello</p>',
-            '<p OnCliCk="console.log(\'test\')">Hello</p>',
-            '<div>Lorem ipsum dolor sit amet.</div><p onclick="console.log(\'test\')">Hello</p>',
-            '<div>Lorem ipsum dolor sit amet.<p onclick="console.log(\'test\')">Hello</p></div>',
-            '<div><div><div><div>Lorem ipsum dolor sit amet.<p onclick="console.log(\'test\')">Hello</p></div></div></div></div>',
-            '<div onclick="console.log(\'test\')">Lorem ipsum dolor sit amet.</div><p onclick="console.log(\'test\')">Hello</p><div></div>',
-            '<a a="<img src=1 onerror=\'alert(1)\'> ',
-            '\<a onclick="alert(document.cookie)"\>xss link\</a\>',
-        ];
-
-        $this->asEditor();
-        $page = $this->entities->page();
-
-        foreach ($checks as $check) {
-            $page->html = $check;
-            $page->save();
-
-            $pageView = $this->get($page->getUrl());
-            $pageView->assertStatus(200);
-            $this->withHtml($pageView)->assertElementNotContains('.page-content', 'onclick');
-        }
-    }
-
-    public function test_page_content_scripts_show_when_configured()
-    {
-        $this->asEditor();
-        $page = $this->entities->page();
-        config()->set('app.allow_content_scripts', 'true');
-
-        $script = 'abc123<script>console.log("hello-test")</script>abc123';
-        $page->html = "no escape {$script}";
-        $page->save();
-
-        $pageView = $this->get($page->getUrl());
-        $pageView->assertSee($script, false);
-        $pageView->assertDontSee('abc123abc123');
-    }
-
-    public function test_svg_script_usage_is_removed()
-    {
-        $checks = [
-            '<svg id="test" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100"><a xlink:href="javascript:alert(document.domain)"><rect x="0" y="0" width="100" height="100" /></a></svg>',
-            '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><use xlink:href="data:application/xml;base64 ,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIj4KPGRlZnM+CjxjaXJjbGUgaWQ9InRlc3QiIHI9IjAiIGN4PSIwIiBjeT0iMCIgc3R5bGU9ImZpbGw6ICNGMDAiPgo8c2V0IGF0dHJpYnV0ZU5hbWU9ImZpbGwiIGF0dHJpYnV0ZVR5cGU9IkNTUyIgb25iZWdpbj0nYWxlcnQoZG9jdW1lbnQuZG9tYWluKScKb25lbmQ9J2FsZXJ0KCJvbmVuZCIpJyB0bz0iIzAwRiIgYmVnaW49IjBzIiBkdXI9Ijk5OXMiIC8+CjwvY2lyY2xlPgo8L2RlZnM+Cjx1c2UgeGxpbms6aHJlZj0iI3Rlc3QiLz4KPC9zdmc+#test"/></svg>',
-            '<svg><animate href=#xss attributeName=href values=javascript:alert(1) /></svg>',
-            '<svg><animate href="#xss" attributeName="href" values="a;javascript:alert(1)" /></svg>',
-            '<svg><animate href="#xss" attributeName="href" values="a;data:alert(1)" /></svg>',
-            '<svg><animate href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>',
-            '<svg><set href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>',
-            '<svg><g><g><g><animate href=#xss attributeName=href values=javascript:alert(1) /></g></g></g></svg>',
-        ];
-
-        $this->asEditor();
-        $page = $this->entities->page();
-
-        foreach ($checks as $check) {
-            $page->html = $check;
-            $page->save();
-
-            $pageView = $this->get($page->getUrl());
-            $pageView->assertStatus(200);
-            $html = $this->withHtml($pageView);
-            $html->assertElementNotContains('.page-content', 'alert');
-            $html->assertElementNotContains('.page-content', 'xlink:href');
-            $html->assertElementNotContains('.page-content', 'application/xml');
-            $html->assertElementNotContains('.page-content', 'javascript');
-        }
-    }
-
-    public function test_page_inline_on_attributes_show_if_configured()
-    {
-        $this->asEditor();
-        $page = $this->entities->page();
-        config()->set('app.allow_content_scripts', 'true');
-
-        $script = '<p onmouseenter="console.log(\'test\')">Hello</p>';
-        $page->html = "escape {$script}";
-        $page->save();
-
-        $pageView = $this->get($page->getUrl());
-        $pageView->assertSee($script, false);
-        $pageView->assertDontSee('<p>Hello</p>', false);
-    }
-
     public function test_duplicate_ids_does_not_break_page_render()
     {
         $this->asEditor();
@@ -649,6 +304,7 @@ TESTCASE;
 
     public function test_page_markdown_single_html_comment_saving()
     {
+        config()->set('app.content_filtering', 'jfh');
         $this->asEditor();
         $page = $this->entities->page();
 
@@ -656,7 +312,7 @@ TESTCASE;
         $this->put($page->getUrl(), [
             'name' => $page->name,  'markdown' => $content,
             'html' => '', 'summary' => '',
-        ]);
+        ])->assertRedirect();
 
         $page->refresh();
         $this->assertStringMatchesFormat($content, $page->html);

tests/Entity/PageDraftTest.php

@@ -160,9 +160,11 @@ class PageDraftTest extends TestCase
     {
         $this->asAdmin();
         $page = $this->entities->page();
+        $page->html = '<p>test content<script>hellotherekitty</script></p>';
+        $page->save();
 
         $this->getJson('/ajax/page/' . $page->id)->assertJson([
-            'html' => $page->html,
+            'html' => '<p>test content</p>',
         ]);
     }
 

tests/Entity/PageEditorTest.php

@@ -265,4 +265,40 @@ class PageEditorTest extends TestCase
             $this->assertEquals($test['expected'], $page->refresh()->editor, "Failed asserting global editor {$test['setting']} with request editor {$test['request']} results in {$test['expected']} set for the page");
         }
     }
+
+    public function test_editor_html_content_is_filtered_if_loaded_by_a_different_user()
+    {
+        $editor = $this->users->editor();
+        $page = $this->entities->page();
+        $page->html = '<style>hellotherethisisaturtlemonster</style>';
+        $page->updated_by = $editor->id;
+        $page->save();
+
+        $resp = $this->asAdmin()->get($page->getUrl('edit'));
+        $resp->assertOk();
+        $resp->assertDontSee('hellotherethisisaturtlemonster', false);
+
+        $resp = $this->asAdmin()->get("/ajax/page/{$page->id}");
+        $resp->assertOk();
+        $resp->assertDontSee('hellotherethisisaturtlemonster', false);
+    }
+
+    public function test_editor_html_filtered_does_not_cause_error_if_empty()
+    {
+        $emptyExamples = ['', '<p></p>', '<p>&nbsp;</p>', ' ', "\n"];
+        $editor = $this->users->editor();
+        $page = $this->entities->page();
+        $page->updated_by = $editor->id;
+
+        foreach ($emptyExamples as $emptyExample) {
+            $page->html = $emptyExample;
+            $page->save();
+
+            $resp = $this->asAdmin()->get($page->getUrl('edit'));
+            $resp->assertOk();
+
+            $resp = $this->asAdmin()->get("/ajax/page/{$page->id}");
+            $resp->assertOk();
+        }
+    }
 }

tests/Helpers/EntityProvider.php

@@ -110,6 +110,14 @@ class EntityProvider
         return $shelf;
     }
 
+    /**
+     * Get a shelf that has books assigned.
+     */
+    public function shelfHasBooks(): Bookshelf
+    {
+        return $this->shelf(fn(Builder $query) => $query->whereHas('books'));
+    }
+
     /**
      * Get all entity types from the system.
      * @return array{page: Page, chapter: Chapter, book: Book, bookshelf: Bookshelf}

tests/SecurityHeaderTest.php

@@ -93,14 +93,14 @@ class SecurityHeaderTest extends TestCase
         $this->assertNotEquals($firstHeader, $secondHeader);
     }
 
-    public function test_allow_content_scripts_settings_controls_csp_script_headers()
+    public function test_content_filtering_config_controls_csp_script_headers()
     {
-        config()->set('app.allow_content_scripts', true);
+        config()->set('app.content_filtering', '');
         $resp = $this->get('/');
         $scriptHeader = $this->getCspHeader($resp, 'script-src');
         $this->assertEmpty($scriptHeader);
 
-        config()->set('app.allow_content_scripts', false);
+        config()->set('app.content_filtering', 'j');
         $resp = $this->get('/');
         $scriptHeader = $this->getCspHeader($resp, 'script-src');
         $this->assertNotEmpty($scriptHeader);

tests/TestCase.php

@@ -13,6 +13,7 @@ use Illuminate\Foundation\Testing\TestCase as BaseTestCase;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Support\Env;
 use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\File;
 use Illuminate\Support\Facades\Log;
 use Illuminate\Testing\Assert as PHPUnit;
 use Illuminate\Testing\Constraints\HasInDatabase;
@@ -157,6 +158,23 @@ abstract class TestCase extends BaseTestCase
         }
     }
 
+    protected function usingThemeFolder(callable $callback): void
+    {
+        // Create a folder and configure a theme
+        $themeFolderName = 'testing_theme_' . str_shuffle(rtrim(base64_encode(time()), '='));
+        config()->set('view.theme', $themeFolderName);
+        $themeFolderPath = theme_path('');
+
+        // Create a theme folder and clean it up on application tear-down
+        File::makeDirectory($themeFolderPath);
+        $this->beforeApplicationDestroyed(fn() => File::deleteDirectory($themeFolderPath));
+
+        // Run provided callback with the theme env option set
+        $this->runWithEnv(['APP_THEME' => $themeFolderName], function () use ($callback, $themeFolderName) {
+            call_user_func($callback, $themeFolderName);
+        });
+    }
+
     /**
      * Check the keys and properties in the given map to include
      * exist, albeit not exclusively, within the map to check.

tests/Theme/LogicalThemeEventsTest.php

@@ -0,0 +1,397 @@
+<?php
+
+namespace Tests\Theme;
+
+use BookStack\Activity\ActivityType;
+use BookStack\Activity\DispatchWebhookJob;
+use BookStack\Activity\Models\Webhook;
+use BookStack\Entities\Models\Book;
+use BookStack\Entities\Models\Page;
+use BookStack\Entities\Tools\PageContent;
+use BookStack\Facades\Theme;
+use BookStack\Theming\ThemeEvents;
+use BookStack\Users\Models\User;
+use Illuminate\Http\Request;
+use Illuminate\Http\Response;
+use League\CommonMark\Environment\Environment;
+use Tests\TestCase;
+
+class LogicalThemeEventsTest extends TestCase
+{
+    public function test_commonmark_environment_configure()
+    {
+        $callbackCalled = false;
+        $callback = function ($environment) use (&$callbackCalled) {
+            $this->assertInstanceOf(Environment::class, $environment);
+            $callbackCalled = true;
+
+            return $environment;
+        };
+        Theme::listen(ThemeEvents::COMMONMARK_ENVIRONMENT_CONFIGURE, $callback);
+
+        $page = $this->entities->page();
+        $content = new PageContent($page);
+        $content->setNewMarkdown('# test', $this->users->editor());
+
+        $this->assertTrue($callbackCalled);
+    }
+
+    public function test_web_middleware_before()
+    {
+        $callbackCalled = false;
+        $requestParam = null;
+        $callback = function ($request) use (&$callbackCalled, &$requestParam) {
+            $requestParam = $request;
+            $callbackCalled = true;
+        };
+
+        Theme::listen(ThemeEvents::WEB_MIDDLEWARE_BEFORE, $callback);
+        $this->get('/login', ['Donkey' => 'cat']);
+
+        $this->assertTrue($callbackCalled);
+        $this->assertInstanceOf(Request::class, $requestParam);
+        $this->assertEquals('cat', $requestParam->header('donkey'));
+    }
+
+    public function test_web_middleware_before_return_val_used_as_response()
+    {
+        $callback = function (Request $request) {
+            return response('cat', 412);
+        };
+
+        Theme::listen(ThemeEvents::WEB_MIDDLEWARE_BEFORE, $callback);
+        $resp = $this->get('/login', ['Donkey' => 'cat']);
+        $resp->assertSee('cat');
+        $resp->assertStatus(412);
+    }
+
+    public function test_web_middleware_after()
+    {
+        $callbackCalled = false;
+        $requestParam = null;
+        $responseParam = null;
+        $callback = function ($request, Response $response) use (&$callbackCalled, &$requestParam, &$responseParam) {
+            $requestParam = $request;
+            $responseParam = $response;
+            $callbackCalled = true;
+            $response->header('donkey', 'cat123');
+        };
+
+        Theme::listen(ThemeEvents::WEB_MIDDLEWARE_AFTER, $callback);
+
+        $resp = $this->get('/login', ['Donkey' => 'cat']);
+        $this->assertTrue($callbackCalled);
+        $this->assertInstanceOf(Request::class, $requestParam);
+        $this->assertInstanceOf(Response::class, $responseParam);
+        $resp->assertHeader('donkey', 'cat123');
+    }
+
+    public function test_web_middleware_after_return_val_used_as_response()
+    {
+        $callback = function () {
+            return response('cat456', 443);
+        };
+
+        Theme::listen(ThemeEvents::WEB_MIDDLEWARE_AFTER, $callback);
+
+        $resp = $this->get('/login', ['Donkey' => 'cat']);
+        $resp->assertSee('cat456');
+        $resp->assertStatus(443);
+    }
+
+    public function test_auth_login_standard()
+    {
+        $args = [];
+        $callback = function (...$eventArgs) use (&$args) {
+            $args = $eventArgs;
+        };
+
+        Theme::listen(ThemeEvents::AUTH_LOGIN, $callback);
+        $this->post('/login', ['email' => 'admin@admin.com', 'password' => 'password']);
+
+        $this->assertCount(2, $args);
+        $this->assertEquals('standard', $args[0]);
+        $this->assertInstanceOf(User::class, $args[1]);
+    }
+
+    public function test_auth_register_standard()
+    {
+        $args = [];
+        $callback = function (...$eventArgs) use (&$args) {
+            $args = $eventArgs;
+        };
+        Theme::listen(ThemeEvents::AUTH_REGISTER, $callback);
+        $this->setSettings(['registration-enabled' => 'true']);
+
+        $user = User::factory()->make();
+        $this->post('/register', ['email' => $user->email, 'name' => $user->name, 'password' => 'password']);
+
+        $this->assertCount(2, $args);
+        $this->assertEquals('standard', $args[0]);
+        $this->assertInstanceOf(User::class, $args[1]);
+    }
+
+    public function test_auth_pre_register()
+    {
+        $args = [];
+        $callback = function (...$eventArgs) use (&$args) {
+            $args = $eventArgs;
+        };
+        Theme::listen(ThemeEvents::AUTH_PRE_REGISTER, $callback);
+        $this->setSettings(['registration-enabled' => 'true']);
+
+        $user = User::factory()->make();
+        $this->post('/register', ['email' => $user->email, 'name' => $user->name, 'password' => 'password']);
+
+        $this->assertCount(2, $args);
+        $this->assertEquals('standard', $args[0]);
+        $this->assertEquals([
+            'email' => $user->email,
+            'name' => $user->name,
+            'password' => 'password',
+        ], $args[1]);
+        $this->assertDatabaseHas('users', ['email' => $user->email]);
+    }
+
+    public function test_auth_pre_register_with_false_return_blocks_registration()
+    {
+        $callback = function () {
+            return false;
+        };
+        Theme::listen(ThemeEvents::AUTH_PRE_REGISTER, $callback);
+        $this->setSettings(['registration-enabled' => 'true']);
+
+        $user = User::factory()->make();
+        $resp = $this->post('/register', ['email' => $user->email, 'name' => $user->name, 'password' => 'password']);
+        $resp->assertRedirect('/login');
+        $this->assertSessionError('User account could not be registered for the provided details');
+        $this->assertDatabaseMissing('users', ['email' => $user->email]);
+    }
+
+    public function test_webhook_call_before()
+    {
+        $args = [];
+        $callback = function (...$eventArgs) use (&$args) {
+            $args = $eventArgs;
+
+            return ['test' => 'hello!'];
+        };
+        Theme::listen(ThemeEvents::WEBHOOK_CALL_BEFORE, $callback);
+
+        $responses = $this->mockHttpClient([new \GuzzleHttp\Psr7\Response(200, [], '')]);
+
+        $webhook = new Webhook(['name' => 'Test webhook', 'endpoint' => 'https://example.com']);
+        $webhook->save();
+        $event = ActivityType::PAGE_UPDATE;
+        $detail = Page::query()->first();
+
+        dispatch((new DispatchWebhookJob($webhook, $event, $detail)));
+
+        $this->assertCount(5, $args);
+        $this->assertEquals($event, $args[0]);
+        $this->assertEquals($webhook->id, $args[1]->id);
+        $this->assertEquals($detail->id, $args[2]->id);
+
+        $this->assertEquals(1, $responses->requestCount());
+        $request = $responses->latestRequest();
+        $reqData = json_decode($request->getBody(), true);
+        $this->assertEquals('hello!', $reqData['test']);
+    }
+
+    public function test_activity_logged()
+    {
+        $book = $this->entities->book();
+        $args = [];
+        $callback = function (...$eventArgs) use (&$args) {
+            $args = $eventArgs;
+        };
+
+        Theme::listen(ThemeEvents::ACTIVITY_LOGGED, $callback);
+        $this->asEditor()->put($book->getUrl(), ['name' => 'My cool update book!']);
+
+        $this->assertCount(2, $args);
+        $this->assertEquals(ActivityType::BOOK_UPDATE, $args[0]);
+        $this->assertTrue($args[1] instanceof Book);
+        $this->assertEquals($book->id, $args[1]->id);
+    }
+
+    public function test_page_content_pre_store_fires_on_page_save()
+    {
+        $page = $this->entities->page();
+
+        $args = [];
+        $callback = function (...$eventArgs) use (&$args) {
+            $args = $eventArgs;
+            return '<p>New Content!</p>';
+        };
+
+        Theme::listen(ThemeEvents::PAGE_CONTENT_PRE_STORE, $callback);
+
+        $this->asEditor();
+        $this->entities->updatePage($page, ['name' => 'My cool update page!', 'html' => '<p>Old content!</p>']);
+
+        $this->assertCount(2, $args);
+        $this->assertEquals($page->id, $args[1]->id);
+        $this->assertEquals('<p id="bkmrk-old-content%21">Old content!</p>', $args[0]);
+
+        $newPageHtml = $page->refresh()->html;
+        $this->assertEquals('<p>New Content!</p>', $newPageHtml);
+    }
+
+    public function test_page_content_pre_store_does_not_change_content_if_nothing_returned()
+    {
+        $page = $this->entities->page();
+        Theme::listen(ThemeEvents::PAGE_CONTENT_PRE_STORE, fn() => null);
+
+        $this->asEditor();
+        $this->entities->updatePage($page, ['name' => 'My cool update page!', 'html' => '<p>Old content!</p>']);
+
+        $newPageHtml = $page->refresh()->html;
+        $this->assertEquals('<p id="bkmrk-old-content%21">Old content!</p>', $newPageHtml);
+    }
+
+    public function test_page_content_post_render_fires_on_page_view()
+    {
+        $page = $this->entities->page();
+        $page->html = '<p>Old content!</p>';
+        $page->save();
+
+        $args = [];
+        $callback = function (...$eventArgs) use (&$args) {
+            $args = $eventArgs;
+            return '<p>New postrendercontentforyou!</p>';
+        };
+
+        Theme::listen(ThemeEvents::PAGE_CONTENT_POST_RENDER, $callback);
+
+        $resp = $this->asEditor()->get($page->getUrl());
+        $resp->assertSee('<p>New postrendercontentforyou!</p>', false);
+
+        $this->assertCount(2, $args);
+        $this->assertEquals($page->id, $args[1]->id);
+        $this->assertEquals('<p>Old content!</p>', $args[0]);
+    }
+
+    public function test_page_content_post_render_returns_original_content_if_no_return()
+    {
+        $page = $this->entities->page();
+        $page->html = '<p>Old content!</p>';
+        $page->save();
+
+        $args = [];
+        $callback = function (...$eventArgs) use (&$args) {
+            $args = $eventArgs;
+        };
+
+        Theme::listen(ThemeEvents::PAGE_CONTENT_POST_RENDER, $callback);
+
+        $resp = $this->asEditor()->get($page->getUrl());
+        $resp->assertSee('<p>Old content!</p>', false);
+
+        $this->assertCount(2, $args);
+    }
+
+    public function test_page_include_parse()
+    {
+        /** @var Page $page */
+        /** @var Page $otherPage */
+        $page = $this->entities->page();
+        $otherPage = Page::query()->where('id', '!=', $page->id)->first();
+        $otherPage->html = '<p id="bkmrk-cool">This is a really cool section</p>';
+        $page->html = "<p>{{@{$otherPage->id}#bkmrk-cool}}</p>";
+        $page->save();
+        $otherPage->save();
+
+        $args = [];
+        $callback = function (...$eventArgs) use (&$args) {
+            $args = $eventArgs;
+
+            return '<strong>Big &amp; content replace surprise!</strong>';
+        };
+
+        Theme::listen(ThemeEvents::PAGE_INCLUDE_PARSE, $callback);
+        $resp = $this->asEditor()->get($page->getUrl());
+        $this->withHtml($resp)->assertElementContains('.page-content strong', 'Big & content replace surprise!');
+
+        $this->assertCount(4, $args);
+        $this->assertEquals($otherPage->id . '#bkmrk-cool', $args[0]);
+        $this->assertEquals('This is a really cool section', $args[1]);
+        $this->assertTrue($args[2] instanceof Page);
+        $this->assertTrue($args[3] instanceof Page);
+        $this->assertEquals($page->id, $args[2]->id);
+        $this->assertEquals($otherPage->id, $args[3]->id);
+    }
+
+    public function test_routes_register_web_and_web_auth()
+    {
+        $functionsContent = <<<'END'
+<?php
+use BookStack\Theming\ThemeEvents;
+use BookStack\Facades\Theme;
+use Illuminate\Routing\Router;
+Theme::listen(ThemeEvents::ROUTES_REGISTER_WEB, function (Router $router) {
+    $router->get('/cat', fn () => 'cat')->name('say.cat');
+});
+Theme::listen(ThemeEvents::ROUTES_REGISTER_WEB_AUTH, function (Router $router) {
+    $router->get('/dog', fn () => 'dog')->name('say.dog');
+});
+END;
+
+        $this->usingThemeFolder(function () use ($functionsContent) {
+
+            $functionsFile = theme_path('functions.php');
+            file_put_contents($functionsFile, $functionsContent);
+
+            $app = $this->createApplication();
+            /** @var \Illuminate\Routing\Router $router */
+            $router = $app->get('router');
+
+            /** @var \Illuminate\Routing\Route $catRoute */
+            $catRoute = $router->getRoutes()->getRoutesByName()['say.cat'];
+            $this->assertEquals(['web'], $catRoute->middleware());
+
+            /** @var \Illuminate\Routing\Route $dogRoute */
+            $dogRoute = $router->getRoutes()->getRoutesByName()['say.dog'];
+            $this->assertEquals(['web', 'auth'], $dogRoute->middleware());
+        });
+    }
+
+    public function test_register_views_to_insert_views_before_and_after()
+    {
+        $this->usingThemeFolder(function (string $folder) {
+            $before = 'this-is-my-before-header-string';
+            $afterA = 'this-is-my-after-header-string-a';
+            $afterB = 'this-is-my-after-header-string-b';
+            $afterC = 'this-is-my-after-header-string-{{ 1+51 }}';
+
+            $functionsContent = <<<'CONTENT'
+<?php use BookStack\Facades\Theme;
+use BookStack\Theming\ThemeEvents;
+use BookStack\Theming\ThemeViews;
+Theme::listen(ThemeEvents::THEME_REGISTER_VIEWS, function (ThemeViews $themeViews) {
+    $themeViews->renderBefore('layouts.parts.header', 'before', 4);
+    $themeViews->renderAfter('layouts.parts.header', 'after-a', 4);
+    $themeViews->renderAfter('layouts.parts.header', 'after-b', 1);
+    $themeViews->renderAfter('layouts.parts.header', 'after-c', 12);
+});
+CONTENT;
+
+            $viewDir = theme_path();
+            file_put_contents($viewDir . '/functions.php', $functionsContent);
+            file_put_contents($viewDir . '/before.blade.php', $before);
+            file_put_contents($viewDir . '/after-a.blade.php', $afterA);
+            file_put_contents($viewDir . '/after-b.blade.php', $afterB);
+            file_put_contents($viewDir . '/after-c.blade.php', $afterC);
+
+            $this->refreshApplication();
+            $this->artisan('view:clear');
+
+            $resp = $this->get('/login');
+            $resp->assertSee($before);
+            // Ensure ordering of the multiple after views
+            $resp->assertSee($afterB . "\n" . $afterA . "\nthis-is-my-after-header-string-52");
+        });
+
+        $this->artisan('view:clear');
+    }
+}

tests/Theme/LogicalThemeTest.php

@@ -0,0 +1,105 @@
+<?php
+
+namespace Tests\Theme;
+
+use BookStack\Exceptions\ThemeException;
+use BookStack\Facades\Theme;
+use Illuminate\Console\Command;
+use Illuminate\Support\Facades\Artisan;
+use Tests\TestCase;
+
+class LogicalThemeTest extends TestCase
+{
+    public function test_theme_functions_file_used_and_app_boot_event_runs()
+    {
+        $this->usingThemeFolder(function ($themeFolder) {
+            $functionsFile = theme_path('functions.php');
+            app()->alias('cat', 'dog');
+            file_put_contents($functionsFile, "<?php\nTheme::listen(\BookStack\Theming\ThemeEvents::APP_BOOT, function(\$app) { \$app->alias('cat', 'dog');});");
+            $this->runWithEnv(['APP_THEME' => $themeFolder], function () {
+                $this->assertEquals('cat', $this->app->getAlias('dog'));
+            });
+        });
+    }
+
+    public function test_theme_functions_loads_errors_are_caught_and_logged()
+    {
+        $this->usingThemeFolder(function ($themeFolder) {
+            $functionsFile = theme_path('functions.php');
+            file_put_contents($functionsFile, "<?php\n\\BookStack\\Biscuits::eat();");
+
+            $this->expectException(ThemeException::class);
+            $this->expectExceptionMessageMatches('/Failed loading theme functions file at ".*?" with error: Class "BookStack\\\\Biscuits" not found/');
+
+            $this->runWithEnv(['APP_THEME' => $themeFolder], fn() => null);
+        });
+    }
+
+    public function test_add_social_driver()
+    {
+        Theme::addSocialDriver('catnet', [
+            'client_id'     => 'abc123',
+            'client_secret' => 'def456',
+        ], 'SocialiteProviders\Discord\DiscordExtendSocialite@handleTesting');
+
+        $this->assertEquals('catnet', config('services.catnet.name'));
+        $this->assertEquals('abc123', config('services.catnet.client_id'));
+        $this->assertEquals(url('/login/service/catnet/callback'), config('services.catnet.redirect'));
+
+        $loginResp = $this->get('/login');
+        $loginResp->assertSee('login/service/catnet');
+    }
+
+    public function test_add_social_driver_uses_name_in_config_if_given()
+    {
+        Theme::addSocialDriver('catnet', [
+            'client_id'     => 'abc123',
+            'client_secret' => 'def456',
+            'name'          => 'Super Cat Name',
+        ], 'SocialiteProviders\Discord\DiscordExtendSocialite@handleTesting');
+
+        $this->assertEquals('Super Cat Name', config('services.catnet.name'));
+        $loginResp = $this->get('/login');
+        $loginResp->assertSee('Super Cat Name');
+    }
+
+    public function test_add_social_driver_allows_a_configure_for_redirect_callback_to_be_passed()
+    {
+        Theme::addSocialDriver(
+            'discord',
+            [
+                'client_id'     => 'abc123',
+                'client_secret' => 'def456',
+                'name'          => 'Super Cat Name',
+            ],
+            'SocialiteProviders\Discord\DiscordExtendSocialite@handle',
+            function ($driver) {
+                $driver->with(['donkey' => 'donut']);
+            }
+        );
+
+        $loginResp = $this->get('/login/service/discord');
+        $redirect = $loginResp->headers->get('location');
+        $this->assertStringContainsString('donkey=donut', $redirect);
+    }
+
+    public function test_register_command_allows_provided_command_to_be_usable_via_artisan()
+    {
+        Theme::registerCommand(new MyCustomCommand());
+
+        Artisan::call('bookstack:test-custom-command', []);
+        $output = Artisan::output();
+
+        $this->assertStringContainsString('Command ran!', $output);
+    }
+}
+
+class MyCustomCommand extends Command
+{
+    protected $signature = 'bookstack:test-custom-command';
+
+    public function handle()
+    {
+        $this->line('Command ran!');
+    }
+}

tests/Theme/ThemeModuleTest.php

@@ -0,0 +1,254 @@
+<?php
+
+namespace Tests\Theme;
+
+use BookStack\Facades\Theme;
+use BookStack\Util\CspService;
+use Tests\TestCase;
+
+class ThemeModuleTest extends TestCase
+{
+    public function test_modules_loaded_on_theme_load()
+    {
+        $this->usingThemeFolder(function ($themeFolder) {
+            $a = theme_path('modules/a');
+            $b = theme_path('modules/b');
+            mkdir($a, 0777, true);
+            mkdir($b, 0777, true);
+
+            file_put_contents($a . '/bookstack-module.json', json_encode([
+                'name' => 'Module A',
+                'description' => 'This is module A',
+                'version' => '1.0.0',
+            ]));
+            file_put_contents($b . '/bookstack-module.json', json_encode([
+                'name' => 'Module B',
+                'description' => 'This is module B',
+                'version' => 'v0.5.0',
+            ]));
+
+            $this->refreshApplication();
+
+            $modules = Theme::getModules();
+            $this->assertCount(2, $modules);
+
+            $moduleA = $modules['a'];
+            $this->assertEquals('Module A', $moduleA->name);
+            $this->assertEquals('This is module A', $moduleA->description);
+            $this->assertEquals('1.0.0', $moduleA->version);
+        });
+    }
+
+    public function test_module_not_loaded_if_no_bookstack_module_json()
+    {
+        $this->usingThemeFolder(function ($themeFolder) {
+            $moduleDir = theme_path('/modules/a');
+            mkdir($moduleDir, 0777, true);
+            file_put_contents($moduleDir . '/module.json', '{}');
+            $this->refreshApplication();
+            $modules = Theme::getModules();
+            $this->assertCount(0, $modules);
+        });
+    }
+
+    public function test_language_text_overridable_via_module()
+    {
+        $this->usingModuleFolder(function (string $moduleFolderPath) {
+            $translationPath = $moduleFolderPath . '/lang/en';
+            mkdir($translationPath, 0777, true);
+            file_put_contents($translationPath . '/entities.php', '<?php return ["books" => "SuperBeans"];');
+            $this->refreshApplication();
+
+            $this->asAdmin()->get('/books')->assertSee('SuperBeans');
+        });
+    }
+
+    public function test_language_files_merge_with_theme_files_with_theme_taking_precedence()
+    {
+        $this->usingModuleFolder(function (string $moduleFolderPath) {
+            $moduleTranslationPath = $moduleFolderPath . '/lang/en';
+            mkdir($moduleTranslationPath, 0777, true);
+            file_put_contents($moduleTranslationPath . '/entities.php', '<?php return ["books" => "SuperBeans", "recently_viewed" => "ViewedBiscuits"];');
+
+            $themeTranslationPath = theme_path('lang/en');
+            mkdir($themeTranslationPath, 0777, true);
+            file_put_contents($themeTranslationPath . '/entities.php', '<?php return ["books" => "WonderBeans"];');
+            $this->refreshApplication();
+
+            $this->asAdmin()->get('/books')
+                ->assertSee('WonderBeans')
+                ->assertDontSee('SuperBeans')
+                ->assertSee('ViewedBiscuits');
+        });
+    }
+
+    public function test_view_files_overridable_from_module()
+    {
+        $this->usingModuleFolder(function (string $moduleFolderPath) {
+            $viewsFolder = $moduleFolderPath . '/views/layouts/parts';
+            mkdir($viewsFolder, 0777, true);
+            file_put_contents($viewsFolder . '/header.blade.php', 'My custom header that says badgerriffic');
+            $this->refreshApplication();
+            $this->asAdmin()->get('/')->assertSee('badgerriffic');
+        });
+    }
+
+    public function test_theme_view_files_take_precedence_over_module_view_files()
+    {
+        $this->usingModuleFolder(function (string $moduleFolderPath) {
+            $viewsFolder = $moduleFolderPath . '/views/layouts/parts';
+            mkdir($viewsFolder, 0777, true);
+            file_put_contents($viewsFolder . '/header.blade.php', 'My custom header that says badgerriffic');
+
+            $themeViewsFolder = theme_path('layouts/parts');
+            mkdir($themeViewsFolder, 0777, true);
+            file_put_contents($themeViewsFolder . '/header.blade.php', 'My theme header that says awesomeferrets');
+
+            $this->refreshApplication();
+            $this->asAdmin()->get('/')
+                ->assertDontSee('badgerriffic')
+                ->assertSee('awesomeferrets');
+        });
+    }
+
+    public function test_theme_and_modules_views_can_be_used_at_the_same_time()
+    {
+        $this->usingModuleFolder(function (string $moduleFolderPath) {
+            $viewsFolder = $moduleFolderPath . '/views/layouts/parts';
+            mkdir($viewsFolder, 0777, true);
+            file_put_contents($viewsFolder . '/base-body-start.blade.php', 'My custom header that says badgerriffic');
+
+            $themeViewsFolder = theme_path('layouts/parts');
+            mkdir($themeViewsFolder, 0777, true);
+            file_put_contents($themeViewsFolder . '/base-body-end.blade.php', 'My theme header that says awesomeferrets');
+
+            $this->refreshApplication();
+            $this->asAdmin()->get('/')
+                ->assertSee('badgerriffic')
+                ->assertSee('awesomeferrets');
+        });
+    }
+
+    public function test_icons_can_be_overridden_from_module()
+    {
+        $this->usingModuleFolder(function (string $moduleFolderPath) {
+            $iconsFolder = $moduleFolderPath . '/icons';
+            mkdir($iconsFolder, 0777, true);
+            file_put_contents($iconsFolder . '/books.svg', '<svg><path d="supericonpath"/></svg>');
+            $this->refreshApplication();
+
+            $this->asAdmin()->get('/')->assertSee('supericonpath', false);
+        });
+    }
+
+    public function test_theme_icons_take_precedence_over_module_icons()
+    {
+        $this->usingModuleFolder(function (string $moduleFolderPath) {
+            $iconsFolder = $moduleFolderPath . '/icons';
+            mkdir($iconsFolder, 0777, true);
+            file_put_contents($iconsFolder . '/books.svg', '<svg><path d="supericonpath"/></svg>');
+            $this->refreshApplication();
+
+            $themeViewsFolder = theme_path('icons');
+            mkdir($themeViewsFolder, 0777, true);
+            file_put_contents($themeViewsFolder . '/books.svg', '<svg><path d="wackyiconpath"/></svg>');
+
+
+            $this->asAdmin()->get('/')
+                ->assertSee('wackyiconpath', false)
+                ->assertDontSee('supericonpath', false);
+        });
+    }
+
+    public function test_public_folder_can_be_provided_from_module()
+    {
+        $this->usingModuleFolder(function (string $moduleFolderPath) {
+            $publicFolder = $moduleFolderPath . '/public';
+            mkdir($publicFolder, 0777, true);
+            $themeName = basename(dirname(dirname($moduleFolderPath)));
+            file_put_contents($publicFolder . '/test.txt', 'hellofrominsidethisfileimaghostwoooo!');
+            $this->refreshApplication();
+
+            $resp = $this->asAdmin()->get("/theme/{$themeName}/test.txt")->streamedContent();
+            $this->assertEquals('hellofrominsidethisfileimaghostwoooo!', $resp);
+        });
+    }
+
+    public function test_theme_public_files_take_precedence_over_modules()
+    {
+        $this->usingModuleFolder(function (string $moduleFolderPath) {
+            $publicFolder = $moduleFolderPath . '/public';
+            mkdir($publicFolder, 0777, true);
+            $themeName = basename(theme_path());
+            file_put_contents($publicFolder . '/test.txt', 'hellofrominsidethisfileimaghostwoooo!');
+
+            $themePublicFolder = theme_path('public');
+            mkdir($themePublicFolder, 0777, true);
+            file_put_contents($themePublicFolder . '/test.txt', 'imadifferentghostinsidethetheme,woooooo!');
+
+            $this->refreshApplication();
+
+            $resp = $this->asAdmin()->get("/theme/{$themeName}/test.txt")->streamedContent();
+            $this->assertEquals('imadifferentghostinsidethetheme,woooooo!', $resp);
+        });
+    }
+
+    public function test_logical_functions_file_loaded_from_module_and_it_runs_alongside_theme_functions()
+    {
+        $this->usingModuleFolder(function (string $moduleFolderPath) {
+            file_put_contents($moduleFolderPath . '/functions.php', "<?php\nTheme::listen(\BookStack\Theming\ThemeEvents::APP_BOOT, function(\$app) { \$app->alias('cat', 'dog');});");
+
+            $themeFunctionsFile = theme_path('functions.php');
+            file_put_contents($themeFunctionsFile, "<?php\nTheme::listen(\BookStack\Theming\ThemeEvents::APP_BOOT, function(\$app) { \$app->alias('beans', 'cheese');});");
+
+            $this->refreshApplication();
+
+            $this->assertEquals('cat', $this->app->getAlias('dog'));
+            $this->assertEquals('beans', $this->app->getAlias('cheese'));
+        });
+    }
+
+    public function test_module_can_use_theme_view_render_functions()
+    {
+        $this->usingModuleFolder(function (string $moduleFolderPath) {
+            file_put_contents($moduleFolderPath . '/functions.php', "<?php\n\BookStack\Facades\Theme::listen(\BookStack\Theming\ThemeEvents::THEME_REGISTER_VIEWS, fn(\$views) => \$views->renderBefore('layouts.parts.header', 'cat', 100));");
+            mkdir($moduleFolderPath . '/views', 0777, true);
+            file_put_contents($moduleFolderPath . '/views/cat.blade.php', 'mysupercatispouncy');
+
+            $this->refreshApplication();
+
+            $this->asAdmin()->get('/')->assertSee('mysupercatispouncy');
+        });
+    }
+
+    public function test_module_can_provide_head_content()
+    {
+        $this->usingModuleFolder(function (string $moduleFolderPath) {
+            mkdir($moduleFolderPath . '/head', 0777, true);
+            file_put_contents($moduleFolderPath . '/head/hello.html', '<meta name="beans" content="hello"><script>hellofromcustomscript</script>');
+
+            $this->refreshApplication();
+
+            $cspService = $this->app->make(CspService::class);
+            $nonce = $cspService->getNonce();
+
+            $resp = $this->asAdmin()->get('/');
+            $resp->assertSee('<meta name="beans" content="hello">', false);
+            $resp->assertSee('<script nonce="' . $nonce . '">hellofromcustomscript</script>', false);
+        });
+    }
+
+    protected function usingModuleFolder(callable $callback): void
+    {
+        $this->usingThemeFolder(function (string $themeFolder) use ($callback) {
+            $moduleFolderPath = theme_path('modules/test-module');
+            mkdir($moduleFolderPath, 0777, true);
+            file_put_contents($moduleFolderPath . '/bookstack-module.json', json_encode([
+                'name' => 'Test Module',
+                'description' => 'This is a test module',
+                'version' => 'v1.0.0',
+            ]));
+            $callback($moduleFolderPath);
+        });
+    }
+}

tests/Theme/VisualThemeTest.php

@@ -0,0 +1,132 @@
+<?php
+
+namespace Tests\Theme;
+
+use Illuminate\Support\Facades\File;
+use Tests\TestCase;
+
+class VisualThemeTest extends TestCase
+{
+    public function test_translation_text_can_be_overridden_via_theme()
+    {
+        $this->usingThemeFolder(function () {
+            $translationPath = theme_path('/lang/en');
+            File::makeDirectory($translationPath, 0777, true);
+
+            $customTranslations = '<?php
+            return [\'books\' => \'Sandwiches\'];
+        ';
+            file_put_contents($translationPath . '/entities.php', $customTranslations);
+
+            $homeRequest = $this->actingAs($this->users->viewer())->get('/');
+            $this->withHtml($homeRequest)->assertElementContains('header nav', 'Sandwiches');
+        });
+    }
+
+    public function test_custom_settings_category_page_can_be_added_via_view_file()
+    {
+        $content = 'My SuperCustomSettings';
+
+        $this->usingThemeFolder(function (string $folder) use ($content) {
+            $viewDir = theme_path('settings/categories');
+            mkdir($viewDir, 0777, true);
+            file_put_contents($viewDir . '/beans.blade.php', $content);
+
+            $this->asAdmin()->get('/settings/beans')->assertSee($content);
+        });
+    }
+
+    public function test_base_body_start_and_end_template_files_can_be_used()
+    {
+        $bodyStartStr = 'barry-fought-against-the-panther';
+        $bodyEndStr = 'barry-lost-his-fight-with-grace';
+
+        $this->usingThemeFolder(function (string $folder) use ($bodyStartStr, $bodyEndStr) {
+            $viewDir = theme_path('layouts/parts');
+            mkdir($viewDir, 0777, true);
+            file_put_contents($viewDir . '/base-body-start.blade.php', $bodyStartStr);
+            file_put_contents($viewDir . '/base-body-end.blade.php', $bodyEndStr);
+
+            $resp = $this->asEditor()->get('/');
+            $resp->assertSee($bodyStartStr);
+            $resp->assertSee($bodyEndStr);
+        });
+    }
+
+    public function test_export_body_start_and_end_template_files_can_be_used()
+    {
+        $bodyStartStr = 'garry-fought-against-the-panther';
+        $bodyEndStr = 'garry-lost-his-fight-with-grace';
+        $page = $this->entities->page();
+
+        $this->usingThemeFolder(function (string $folder) use ($bodyStartStr, $bodyEndStr, $page) {
+            $viewDir = theme_path('layouts/parts');
+            mkdir($viewDir, 0777, true);
+            file_put_contents($viewDir . '/export-body-start.blade.php', $bodyStartStr);
+            file_put_contents($viewDir . '/export-body-end.blade.php', $bodyEndStr);
+
+            $resp = $this->asEditor()->get($page->getUrl('/export/html'));
+            $resp->assertSee($bodyStartStr);
+            $resp->assertSee($bodyEndStr);
+        });
+    }
+
+    public function test_login_and_register_message_template_files_can_be_used()
+    {
+        $loginMessage = 'Welcome to this instance, login below you scallywag';
+        $registerMessage = 'You want to register? Enter the deets below you numpty';
+
+        $this->usingThemeFolder(function (string $folder) use ($loginMessage, $registerMessage) {
+            $viewDir = theme_path('auth/parts');
+            mkdir($viewDir, 0777, true);
+            file_put_contents($viewDir . '/login-message.blade.php', $loginMessage);
+            file_put_contents($viewDir . '/register-message.blade.php', $registerMessage);
+            $this->setSettings(['registration-enabled' => 'true']);
+
+            $this->get('/login')->assertSee($loginMessage);
+            $this->get('/register')->assertSee($registerMessage);
+        });
+    }
+
+    public function test_header_links_start_template_file_can_be_used()
+    {
+        $content = 'This is added text in the header bar';
+
+        $this->usingThemeFolder(function (string $folder) use ($content) {
+            $viewDir = theme_path('layouts/parts');
+            mkdir($viewDir, 0777, true);
+            file_put_contents($viewDir . '/header-links-start.blade.php', $content);
+            $this->setSettings(['registration-enabled' => 'true']);
+
+            $this->get('/login')->assertSee($content);
+        });
+    }
+
+    public function test_public_folder_contents_accessible_via_route()
+    {
+        $this->usingThemeFolder(function (string $themeFolderName) {
+            $publicDir = theme_path('public');
+            mkdir($publicDir, 0777, true);
+
+            $text = 'some-text ' . md5(random_bytes(5));
+            $css = "body { background-color: tomato !important; }";
+            file_put_contents("{$publicDir}/file.txt", $text);
+            file_put_contents("{$publicDir}/file.css", $css);
+            copy($this->files->testFilePath('test-image.png'), "{$publicDir}/image.png");
+
+            $resp = $this->asAdmin()->get("/theme/{$themeFolderName}/file.txt");
+            $resp->assertStreamedContent($text);
+            $resp->assertHeader('Content-Type', 'text/plain; charset=utf-8');
+            $resp->assertHeader('Cache-Control', 'max-age=86400, private');
+
+            $resp = $this->asAdmin()->get("/theme/{$themeFolderName}/image.png");
+            $resp->assertHeader('Content-Type', 'image/png');
+            $resp->assertHeader('Cache-Control', 'max-age=86400, private');
+
+            $resp = $this->asAdmin()->get("/theme/{$themeFolderName}/file.css");
+            $resp->assertStreamedContent($css);
+            $resp->assertHeader('Content-Type', 'text/css; charset=utf-8');
+            $resp->assertHeader('Cache-Control', 'max-age=86400, private');
+        });
+    }
+}