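/**
 * Render a preview of posted, unsaved content with the front-end template
 * that would normally apply to the record.
 *
 * The POST body is the edit form. An optional `id` selects an existing record
 * on which the posted fields are overlaid; without it a fresh, empty record of
 * the content type is used. When `_live-editor-preview` is set, the CKEditor
 * assets and a marker snippet are queued so the rendered page is editable.
 *
 * @param Request $request         the preview POST request
 * @param string  $contenttypeslug content type slug (or alias) from the route
 *
 * @return \Symfony\Component\HttpFoundation\Response
 *
 * @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException
 *         when `id` is given but no record of that content type matches it
 */
public function preview(Request $request, $contenttypeslug)
{
    $contenttype = $this->getContentType($contenttypeslug);

    $id = $request->request->get('id');
    if ($id) {
        $content = $this->storage()->getContent(
            $contenttype['slug'],
            ['id' => $id, 'returnsingle' => true, 'status' => '!undefined']
        );
        // A single-record lookup yields no object when the id does not match
        // anything (a stale form, or an id the client made up); the original
        // code then called setFromPost() on that value and failed hard.
        // Fail explicitly instead of rendering a half-initialised record.
        if (!is_object($content)) {
            throw new \Symfony\Component\HttpKernel\Exception\NotFoundHttpException(
                sprintf("No '%s' record matches the posted id.", $contenttype['slug'])
            );
        }
        // NOTE(review): nothing in this method checks that the current user
        // may edit the record behind the posted $id — confirm the route /
        // firewall enforces that before the request reaches here.
    } else {
        $content = $this->storage()->getContentObject($contenttypeslug);
    }

    // Overlay the posted form fields on the record; that is what gets previewed.
    $content->setFromPost($request->request->all(), $contenttype);

    // Request::get() looks in attributes, then query, then body, so the flag
    // may arrive either as a query parameter or as a form field.
    $liveEditor = $request->get('_live-editor-preview');
    if (!empty($liveEditor)) {
        $jsFile = (new JavaScript('js/ckeditor/ckeditor.js', 'bolt'))->setPriority(1)->setLate(false);
        $cssFile = (new Stylesheet('css/liveeditor.css', 'bolt'))->setPriority(5)->setLate(false);
        // Tells the front-end scripts that the page is being edited in place.
        $snippet = (new Snippet())
            ->setCallback('<script>window.boltIsEditing = true;</script>')
            ->setLocation(Target::BEFORE_HEAD_JS);
        $this->app['asset.queue.snippet']->add($snippet);
        $this->app['asset.queue.file']->add($jsFile);
        $this->app['asset.queue.file']->add($cssFile);
    }

    // Then, select which template to use, based on our 'cascading templates rules'
    $template = $this->templateChooser()->record($content);

    // Make sure we can also access it as {{ page.title }} for pages, etc. We set these in the global scope,
    // So that they're also available in menu's and templates rendered by extensions.
    $globals = ['record' => $content, $contenttype['singular_slug'] => $content];

    $response = $this->render($template, [], $globals);

    // Chrome (unlike Firefox and Internet Explorer) has a feature that helps prevent
    // XSS attacks for uncareful people. It blocks embeds, links and src's that have
    // a URL that's also in the request. In Bolt we wish to enable this type of embeds,
    // because otherwise Youtube, Vimeo and Google Maps embeds will simply not show,
    // causing confusion for the editor, because they don't know what's happening.
    // Is this a security concern, you may ask? I believe it cannot be exploited:
    // - Disabled, the behaviour on Chrome matches Firefox and IE.
    // - The user must be logged in to see the 'preview' page at all.
    // - Our CSRF-token ensures that the user will only see their own posted preview.
    // @see: http://security.stackexchange.com/questions/53474/is-chrome-completely-secure-against-reflected-xss
    //
    // Browsers have since dropped the XSS auditor and "0" is the value current
    // guidance recommends anyway. The value is passed as a string because header
    // values are strings and newer Symfony versions type-hint it as such; the
    // wire output is identical.
    $response->headers->set('X-XSS-Protection', '0');

    return $response;
}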