Add support for custom fonts

[carson-katri]

Adds a .custom member to Font, which will pass the value to font-family in the DOM renderer.

[ezraberch]

1. Certain characters in the font name, such as ", can break the HTML. It's probably best to sanitize the font names. Not doing so could potentially cause security issues as well.
2. From https://developer.mozilla.org/en-US/docs/Web/CSS/font-family:

Font family names containing whitespace should be quoted.

You should always include at least one generic family name in a font-family list, since there's no guarantee that any given font is available. This lets the browser select an acceptable fallback font when necessary.

[carson-katri]

I added a Sanitizer protocol to TokamakStaticHTML, and created a sanitizer for CSS strings. Please let me know if I overlooked anything in the sanitizer implementation.

[ezraberch]

Generic family names are keywords and must not be quoted.

Do we want to allow custom selection of the fallback, or multiple fonts in general? There are several ways this could be done (such as allowing the font name string to contain multiple fonts, allowing an array of font names to be used, or allow chaining of .font() to add fonts rather than replacing).

[carson-katri]

I liked the idea of chaining font modifiers, because it's compatible with SwiftUI.

Now a .font modifier on any View/Text will add to a stack of fonts, which will then be translated into CSS.

Renderers can still choose to ignore the _fontStack environment value and use font instead

Text("Hello, world!")
  .font(.custom("Marker Felt", size: 17))
  .font(.system(.body, design: .serif))

The above snippet will use Marker Felt if available in the UA, or the default serif stack if not:

font-family: 'Marker Felt', Cambria, 'Hoefler Text', Utopia, ...;

I also improved the sanitizer to sanitize identifiers and strings separately.

[MaxDesiatov]

Could this file be split by any chance to avoid the linter warning? Maybe some extensions or types moved to separate files?

[carson-katri]

Sure, I'll split it into more manageable files.

[MaxDesiatov]

Seems legit 👍

[ezraberch]

What is the purpose of this function? It isn't called anywhere. Additionally, the logic isn't correct.

Suggested change

	input.starts(with: "'") || input.starts(with: "\"")
	&& !input.dropFirst().dropLast().allSatisfy(isStringContent)
	&& input.last == input.first
	(input.starts(with: "'") || input.starts(with: "\""))
	&& input.dropFirst().dropLast().allSatisfy(isStringContent)
	&& input.last == input.first

[ezraberch]

Newline and backslash can also cause problems.

Suggested change

	char != "'" && char != "\""
	!"'\"\n\\".contains(char)

[ezraberch]

There are additional restrictions for the first character of identifiers. I'm not sure if it really matters here, but I'd at least add a comment in case this code gets reused.

[carson-katri]

I updated the sanitizers to use the CSS 2.1 grammar.

[ezraberch]

The font-family generated by this has just the custom font. There should always be a fallback, even if one isn't specified explicitly.

[carson-katri]

I added a default fallback of .body.

[MaxDesiatov]

Thanks

[ezraberch]

1. Identifier validation is still not properly handling when the first character is a number. Try adding this test:
   XCTAssertFalse(Sanitizers.CSS.validate(identifier: "1hey-there"))
2. String sanitize truncates rather than removing the offending characters. For example
   Sanitizers.CSS.sanitize(string: "'hey'there'") -> "\'hey\'"
3. Is identifier-sanitize still necessary? It only happens if identifier-validate has already succeeded, so I don't think it does anything.

[carson-katri]

Resolved 3. Do you have suggestions on how to fix the other 2? I can't figure out why its matching numbers in the identifier parsing.

[ezraberch]

1. The reason why it's matching some numbers is because it's matching this part:
   /// '[\240-\377]'
static let nonAscii: RegularExpression = #"[\240-\377]"#
   The digits which match are 0,1,2,3,4, and 7, so it looks like it's ignoring the backslashes and interpreting that as "2, 4, 0-3, 7, or 7".
   In other words, swift is not recognizing that syntax as a way to denote a range of characters.

2. What your filter is doing is finding all matches to the regex and merging them together, and ignoring the rest. You've defined a match as including start and end quotes. So 'ab'ed' has one valid match ('ab') so that's what you get. On the other hand, 'ab'c'de' has two valid matches ('ab' and 'de'), so you get 'ab''de'. Anything not part of a match is lost.
   If you remove the requirement that each match includes the start and end quotes, what you're doing should work.

[carson-katri]

Thank you for tracking those issues down! Turns out NSRegularExpression uses \0xxx to specify an Octal character, so that fixed it.

[MaxDesiatov]

@ezraberch would you have a moment to have another quick look? I personally don't have any objections for this code to be merged, but I appreciate very detailed reviews from you!

[ezraberch]

Functionality looks good now.

I'm still unsure why Identifier.sanitize and StringValue.validate exist, as they're not called anywhere (other than by tests). The Sanitizer protocol does require them, but that seems unnecessary as well.

[carson-katri]

Yeah it might be unnecessary. I just thought the functionality may be useful in the future when we are sanitizing more areas.

[MaxDesiatov]

Thanks!

[MaxDesiatov]

@ezraberch thanks again for your feedback on this and other PRs and your previous contributions! Would you be interested in joining our maintainers team? This would allow you to give review approvals for example.

[ezraberch]

Sure.