Problem/Motivation
There are a few features that'd be nice to be implemented in the module.
So I have decided to integrate them here as a single issue rather than create lots of separate issues:
- Provide a config schema to describe the data structure of the Block configuration.
- Provide better support for working with relative URLs (passing the current query strings into the request, and provide a way to automatically specify the initialDate if the "start" query is specified in the URL, and supporting multilingual installations)
- Remove trailing
'in thefullcalendar-block.html.twigtemplate - Provide a way to switch to the non-minified version of Fullcalendar assets during development.
- Expand the libraries.yml into separate declarations so that the Drupal javascript can be properly cache busted rather than have a static version of "?v=5.10.2".
- Add the option to open events in the current tab
- Since YAML is a superset of JSON, way more human friendly to use and fits well with the Drupal ecosystem, we can safely switch to using YAML for the advanced settings instead - https://yaml.org/spec/1.2/spec.html#id2759572
- Piggy back off other YAML editors if they exist to provide a better editing experience.
- Add better integration for jquery_ui_draggable and jquery_ui_resizable if they're installed.
- Add support for rendering a special details field in the dialog if it exists (same as in fullcalendar_view).
- Add support for better localization by fetching it from the current Drupal installation - setting the first day, direction and locale.
Steps to reproduce
N/A
Proposed resolution
Address issues.
Remaining tasks
Provide issue fork/patch.
User interface changes
- There's now a new "Advanced Drupal settings" field which can be used to pass advanced configurations for the dialog such as which custom field to use for the dialog popup, defaults to
desby default - If the site has
codemirror_editor,webformoryaml_editorinstalled, it'll attempt to use them to edit the advanced JSON/YAML configurations
API changes
drupalSettings.fullCalendarBlock[blockIndex].calendar_options is now an object rather than a string to make it easier for contrib modules and other Javascript to work with and manipulate.
The blockIndex is no longer a numeric ID based since it doesn't work well with Drupal cache when multiple blocks are rendered on the same page, or rendered in different ways e.g. Panels or Layout Builder. The ID is now a unique string similar to how Views' dom_id works.
Switch the DOM attribute from calendar-block-index to data-calendar-block-index since the former results in invalid HTML.
Provide access to the individual block instances under the Drupal.fullcalendar_block.instances property.
Data model changes
N/A
| Comment | File | Size | Author |
|---|---|---|---|
| #4 | 3280301-fullcalendar_block-module-improvements-4.diff | 27.51 KB | codebymikey |
Issue fork fullcalendar_block-3280301
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
Comments
Comment #2
codebymikey commentedComment #4
codebymikey commentedComment #5
mingsongComment #7
mingsongThanks mate.
Appreciate your great work.
Comment #8
mingsongReleased with 1.0.0-rc3
Comment #10
codebymikey commentedAppreciate the quick turnaround to getting this merged in! I added a few more features that were useful for my installation.
Comment #11
mingsongAppreciate your fantastic work as alway.
I will have a close look at it.
As long as no security concern, I will merge it and release a new version for those new features ASAP.
Comment #12
mingsongComment #13
codebymikey commentedI've updated the PR to address the potential XSS concerns by integrating with DOMPurify to help sanitize the description text, support for the "description" field is disabled by default, so it's more of an opt-in behaviour.
I also added plugin supports for the moment and RRule fullcalendar plugins (also disabled by default). moment is particularly useful when working with locales which are unsupported by certain browsers.
The attempted XSS vulnerability may be tested with the following as a source event URL:
https://api.allorigins.win/raw?url=https://pastebin.com/raw/i5NDRZr3- the sanitization is handled byDrupal.fullcalendar_block.sanitizeDescription().Events sourced by Drupal should be safe from XSS attacks, however, I've added sanitization to all event descriptions regardless of their source just to be safe.
I also added integration with the
zodiacmedia/drupal-libraries-installerpackage as an easier way of installing the external dependencies locally without having to mirror them into a local composer repo. If integration with the plugin is unavailable, then the assets will be fetched from the https://unpkg.com CDN.Comment #14
mingsongNice work!
I don't mind relying on another third party library to sanitize text.
I am not familiar with DOMPurify. So I did a quick search, here is what I found,
https://security.snyk.io/vuln/?search=DOMPurify
I will do more research on security enhancement.
@codebymikey, keep your awesome works. Appreciate that!
Comment #16
mingsong