feat: FilePond production hardening — extension-based validation, server-side size limits (2GB), annexe validation, drop accept attributes, FilePond file styling

app/public/admin/add.php

@@ -54,8 +54,8 @@ function wasSelected($key, $value) {
 
 $isAdmin = true;
 $bodyClass = 'admin-body';
-$extraCss  = ['/assets/css/form.css', '/assets/css/filepond.min.css'];
-$extraJs   = ['/assets/js/filepond.min.js', '/assets/js/file-upload-filepond.js', '/assets/js/beforeunload-guard.js'];
+$extraCss  = ['/assets/css/form.css', '/assets/css/filepond.min.css', '/assets/css/filepond-plugin-image-preview.min.css'];
+$extraJs   = ['/assets/js/filepond.min.js', '/assets/js/filepond-plugin-file-validate-type.min.js', '/assets/js/filepond-plugin-file-validate-size.min.js', '/assets/js/filepond-plugin-image-preview.min.js', '/assets/js/filepond-plugin-image-exif-orientation.min.js', '/assets/js/file-upload-filepond.js', '/assets/js/beforeunload-guard.js'];
 require_once APP_ROOT . '/templates/head.php';
 include APP_ROOT . '/templates/header.php';
 include APP_ROOT . '/templates/admin/add.php';

app/public/admin/edit.php

@@ -39,8 +39,8 @@ try {
 }
 
 $isAdmin = true; $bodyClass = 'admin-body';
-$extraCss  = ['/assets/css/form.css', '/assets/css/filepond.min.css'];
-$extraJs   = ['/assets/js/filepond.min.js', '/assets/js/file-upload-filepond.js', '/assets/js/beforeunload-guard.js'];
+$extraCss  = ['/assets/css/form.css', '/assets/css/filepond.min.css', '/assets/css/filepond-plugin-image-preview.min.css'];
+$extraJs   = ['/assets/js/filepond.min.js', '/assets/js/filepond-plugin-file-validate-type.min.js', '/assets/js/filepond-plugin-file-validate-size.min.js', '/assets/js/filepond-plugin-image-preview.min.js', '/assets/js/filepond-plugin-image-exif-orientation.min.js', '/assets/js/file-upload-filepond.js', '/assets/js/beforeunload-guard.js'];
 require_once APP_ROOT . '/templates/head.php';
 include APP_ROOT . '/templates/header.php';
 include APP_ROOT . '/templates/admin/edit.php';

app/public/assets/css/filepond-plugin-image-preview.min.css

@@ -0,0 +1,8 @@
+/*!
+ * FilePondPluginImagePreview 4.6.12
+ * Licensed under MIT, https://opensource.org/licenses/MIT/
+ * Please visit https://pqina.nl/filepond/ for details.
+ */
+
+/* eslint-disable */
+.filepond--image-preview-markup{position:absolute;left:0;top:0}.filepond--image-preview-wrapper{z-index:2}.filepond--image-preview-overlay{display:block;position:absolute;left:0;top:0;width:100%;min-height:5rem;max-height:7rem;margin:0;opacity:0;z-index:2;pointer-events:none;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none}.filepond--image-preview-overlay svg{width:100%;height:auto;color:inherit;max-height:inherit}.filepond--image-preview-overlay-idle{mix-blend-mode:multiply;color:rgba(40,40,40,.85)}.filepond--image-preview-overlay-success{mix-blend-mode:normal;color:#369763}.filepond--image-preview-overlay-failure{mix-blend-mode:normal;color:#c44e47}@supports (-webkit-marquee-repetition:infinite) and ((-o-object-fit:fill) or (object-fit:fill)){.filepond--image-preview-overlay-idle{mix-blend-mode:normal}}.filepond--image-preview-wrapper{-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;position:absolute;left:0;top:0;right:0;height:100%;margin:0;border-radius:.45em;overflow:hidden;background:rgba(0,0,0,.01)}.filepond--image-preview{position:absolute;left:0;top:0;z-index:1;display:flex;align-items:center;height:100%;width:100%;pointer-events:none;background:#222;will-change:transform,opacity}.filepond--image-clip{position:relative;overflow:hidden;margin:0 auto}.filepond--image-clip[data-transparency-indicator=grid] canvas,.filepond--image-clip[data-transparency-indicator=grid] img{background-color:#fff;background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg viewBox='0 0 100 100' xmlns='http://www.w3.org/2000/svg' fill='%23eee'%3E%3Cpath d='M0 0h50v50H0M50 50h50v50H50'/%3E%3C/svg%3E");background-size:1.25em 1.25em}.filepond--image-bitmap,.filepond--image-vector{position:absolute;left:0;top:0;will-change:transform}.filepond--root[data-style-panel-layout~=integrated] .filepond--image-preview-wrapper{border-radius:0}.filepond--root[data-style-panel-layout~=integrated] .filepond--image-preview{height:100%;display:flex;justify-content:center;align-items:center}.filepond--root[data-style-panel-layout~=circle] .filepond--image-preview-wrapper{border-radius:99999rem}.filepond--root[data-style-panel-layout~=circle] .filepond--image-preview-overlay{top:auto;bottom:0;-webkit-transform:scaleY(-1);transform:scaleY(-1)}.filepond--root[data-style-panel-layout~=circle] .filepond--file .filepond--file-action-button[data-align*=bottom]:not([data-align*=center]){margin-bottom:.325em}.filepond--root[data-style-panel-layout~=circle] .filepond--file [data-align*=left]{left:calc(50% - 3em)}.filepond--root[data-style-panel-layout~=circle] .filepond--file [data-align*=right]{right:calc(50% - 3em)}.filepond--root[data-style-panel-layout~=circle] .filepond--progress-indicator[data-align*=bottom][data-align*=left],.filepond--root[data-style-panel-layout~=circle] .filepond--progress-indicator[data-align*=bottom][data-align*=right]{margin-bottom:.5125em}.filepond--root[data-style-panel-layout~=circle] .filepond--progress-indicator[data-align*=bottom][data-align*=center]{margin-top:0;margin-bottom:.1875em;margin-left:.1875em}

app/public/assets/css/form.css

@@ -546,24 +546,41 @@
   margin-bottom: 0;
 }
 
+/* Drop area panel */
 .filepond--panel-root {
   background: var(--bg-secondary);
-  border: 1px dashed var(--border-primary);
+  border: 2px dashed var(--border-primary);
+  border-radius: var(--radius);
 }
 
+/* Drop label text */
 .filepond--drop-label {
   color: var(--text-secondary);
   font-size: var(--step--1);
 }
 
+/* "Browse" link */
 .filepond--label-action {
   color: var(--accent-primary);
-  text-decoration: underline;
+  text-decoration-color: var(--accent-primary);
 }
 
+/* File item — keep white for contrast against drop area */
 .filepond--item-panel {
-  background: var(--bg-secondary);
+  background-color: var(--bg-primary);
   border: 1px solid var(--border-primary);
+  border-radius: var(--radius);
+}
+
+/* File item text — dark on white */
+.filepond--file {
+  color: var(--text-primary);
+  background-color: var(--bg-tertiary);
+  border: 1px solid var(--accent-primary);
+}
+
+.filepond--file .filepond--file-status {
+  color: var(--text-secondary);
 }
 
 .filepond--file-info-main {
@@ -574,12 +591,41 @@
   color: var(--text-tertiary);
 }
 
+/* Action buttons — dark background, white icons */
 .filepond--file-action-button {
-  color: var(--text-secondary);
+  cursor: pointer;
+  color: #ffffff;
+  background-color: rgba(0, 0, 0, 0.45);
 }
 
-.filepond--file-action-button:hover {
-  color: var(--error);
+.filepond--file-action-button:hover,
+.filepond--file-action-button:focus {
+  color: #ffffff;
+  background-color: rgba(0, 0, 0, 0.65);
+  box-shadow: 0 0 0 0.125em rgba(0, 0, 0, 0.2);
+}
+
+/* Progress indicator */
+.filepond--progress-indicator {
+  color: #ffffff;
+}
+
+/* Drag-over highlight */
+.filepond--hopper[data-hopper-state="drag-over"] .filepond--panel-root {
+  border-color: var(--accent-primary);
+  background: var(--accent-muted);
+}
+
+/* Error state */
+[data-filepond-item-state*="error"] .filepond--item-panel,
+[data-filepond-item-state*="invalid"] .filepond--item-panel {
+  background-color: var(--error-muted-bg);
+  border-color: var(--error);
+}
+
+/* Processing complete */
+[data-filepond-item-state="processing-complete"] .filepond--item-panel {
+  background-color: var(--bg-primary);
 }
 
 /* ── Existing-files list (edit form) ─────────────────────────────────────── */
@@ -1075,7 +1121,7 @@ a.recap-file-name:hover {
   background: var(--bg-primary);
   border: 1px solid var(--border-primary);
   border-radius: var(--radius);
-  box-shadow: 0 4px 16px rgba(0,0,0,0.12);
+  box-shadow: 0 4px 16px rgba(0, 0, 0, 0.12);
   max-height: 220px;
   overflow-y: auto;
   display: none;

app/public/assets/js/file-upload-filepond.js

@@ -9,44 +9,87 @@
  *   3. storeAsFile: true preserves native multipart form submission.
  *      Server receives files via $_FILES indexed by each input's name attribute
  *      (e.g. queue_file[tfe][], queue_file[video][], etc.).
- *   4. Validation rules are derived from ALLOWED_BY_TYPE (same as before).
+ *   4. Type + size validation: via native FilePond options + FileValidateType/Size plugins.
+ *      beforeAddFile is used ONLY for hybrid validation (e.g. per-type size limits)
+ *      and returns true/false per the FilePond API contract.
+ *   5. Order serialization: hidden inputs track file order from pond.getFiles().
+ *   6. HTMX cleanup: generic destroyFilePondsIn(target) for all swaps, not just known IDs.
  */
 
 (function () {
 	"use strict";
 
 	// ── Per-queue-type configuration ────────────────────────────────────
+	// Single source of truth for validation. These specificatons are also
+	// reflected in the PHP-synthesised accept attributes on inputs.
 
 	var QUEUE_CONFIG = {
 		tfe: {
-			exts: ["jpg","jpeg","png","gif","webp","pdf","mp4","webm","ogv","mov","mp3","ogg","oga","wav","flac","aac","m4a","vtt","zip","tar","gz","tgz"],
-			maxSize: function (f) { return (/\.pdf$/i.test(f.name) ? 100 : 500) * 1024 * 1024; },
-			multiple: true,
+			acceptedFileTypes: [
+				"image/jpeg", "image/png", "image/gif", "image/webp",
+				"application/pdf",
+				"video/mp4", "video/webm", "video/ogg", "video/quicktime",
+				"audio/mpeg", "audio/ogg", "audio/flac", "audio/x-wav", "audio/aac", "audio/mp4",
+				"text/vtt",
+				"application/zip", "application/x-tar", "application/gzip"
+			],
+			labelFileTypeNotAllowed: "Format non accepté",
+			fileValidateTypeLabelExpectedTypes: "PDF, Images, Vidéos, Audio, VTT, Archives",
+			maxFileSize: "500MB",
+			labelMaxFileSizeExceeded: "Fichier trop volumineux",
+			labelMaxFileSize: "Taille max: {filesize}",
+			allowMultiple: true,
+			// Per-extension size limits: certain types get higher caps.
+			perExtensionMaxSize: {
+				pdf: "100MB",
+				mp4: "2GB", webm: "2GB", ogv: "2GB", mov: "2GB",
+				mp3: "2GB", ogg: "2GB", oga: "2GB", wav: "2GB", flac: "2GB", aac: "2GB", m4a: "2GB"
+			}
 		},
 		video: {
-			exts: ["mp4","webm","ogv","mov"],
-			maxSize: function () { return 500 * 1024 * 1024; },
-			multiple: true,
+			acceptedFileTypes: ["video/mp4", "video/webm", "video/ogg", "video/quicktime"],
+			labelFileTypeNotAllowed: "Format non accepté",
+			fileValidateTypeLabelExpectedTypes: "MP4, WebM, OGV, MOV",
+			maxFileSize: "500MB",
+			labelMaxFileSizeExceeded: "Fichier trop volumineux",
+			labelMaxFileSize: "Taille max: {filesize}",
+			allowMultiple: true
 		},
 		audio: {
-			exts: ["mp3","ogg","oga","wav","flac","aac","m4a"],
-			maxSize: function () { return 500 * 1024 * 1024; },
-			multiple: true,
+			acceptedFileTypes: ["audio/mpeg", "audio/ogg", "audio/flac", "audio/x-wav", "audio/aac", "audio/mp4"],
+			labelFileTypeNotAllowed: "Format non accepté",
+			fileValidateTypeLabelExpectedTypes: "MP3, OGG, FLAC, WAV, AAC, M4A",
+			maxFileSize: "500MB",
+			labelMaxFileSizeExceeded: "Fichier trop volumineux",
+			labelMaxFileSize: "Taille max: {filesize}",
+			allowMultiple: true
 		},
 		annexe: {
-			exts: ["pdf","zip","tar","gz","tgz"],
-			maxSize: function () { return 500 * 1024 * 1024; },
-			multiple: true,
+			acceptedFileTypes: ["application/pdf", "application/zip", "application/x-tar", "application/gzip"],
+			labelFileTypeNotAllowed: "Format non accepté",
+			fileValidateTypeLabelExpectedTypes: "PDF, ZIP, TAR, GZ",
+			maxFileSize: "500MB",
+			labelMaxFileSizeExceeded: "Fichier trop volumineux",
+			labelMaxFileSize: "Taille max: {filesize}",
+			allowMultiple: true
 		},
 		cover: {
-			exts: ["jpg","jpeg","png","webp"],
-			maxSize: function () { return 20 * 1024 * 1024; },
-			multiple: false,
+			acceptedFileTypes: ["image/jpeg", "image/png", "image/webp"],
+			labelFileTypeNotAllowed: "Seulement JPG, PNG ou WEBP",
+			fileValidateTypeLabelExpectedTypes: "JPG, PNG, WEBP",
+			maxFileSize: "20MB",
+			labelMaxFileSizeExceeded: "Fichier trop volumineux",
+			labelMaxFileSize: "Taille max: {filesize}",
+			allowMultiple: false
 		},
 		note_intention: {
-			exts: ["pdf"],
-			maxSize: function () { return 100 * 1024 * 1024; },
-			multiple: false,
+			acceptedFileTypes: ["application/pdf"],
+			labelFileTypeNotAllowed: "Seulement PDF",
+			fileValidateTypeLabelExpectedTypes: "PDF",
+			maxFileSize: "100MB",
+			labelMaxFileSizeExceeded: "Fichier trop volumineux",
+			labelMaxFileSize: "Taille max: {filesize}",
+			allowMultiple: false
 		},
 	};
 
@@ -61,51 +104,119 @@
 		"note_intention":     "note_intention",
 	};
 
-	function ext(fn) {
-		var m = fn.match(/\.([^./]+)$/);
+	// ── Helpers ───────────────────────────────────────────────────────────
+
+	/**
+	 * Parse a size string like "500MB" or "2GB" to bytes.
+	 */
+	function parseSize(str) {
+		var m = str.match(/^(\d+(?:\.\d+)?)\s*(B|KB|MB|GB|TB)$/i);
+		if (!m) return 0;
+		var val = parseFloat(m[1]);
+		var unit = m[2].toUpperCase();
+		var mult = {B: 1, KB: 1024, MB: 1024*1024, GB: 1024*1024*1024, TB: 1024*1024*1024*1024};
+		return Math.round(val * (mult[unit] || 1));
+	}
+
+	/**
+	 * Get extension from filename (lowercase).
+	 */
+	function getExt(name) {
+		var m = name.match(/\.([^./]+)$/);
 		return m ? m[1].toLowerCase() : "";
 	}
 
+	// ── Order serialization ───────────────────────────────────────────────
+
+	/**
+	 * Create/update a hidden input that serializes the file order for a queue.
+	 * Name: queue_order[<queueType>]
+	 * Value: pipe-separated list of file names.
+	 */
+	function syncOrderInput(queueType, pond) {
+		var form = pond.element ? pond.element.closest("form") : null;
+		if (!form) return;
+
+		var orderInput = form.querySelector("input[name='queue_order[" + queueType + "]']");
+		var files = pond.getFiles();
+		if (files.length === 0) {
+			if (orderInput) orderInput.remove();
+			return;
+		}
+
+		var names = [];
+		for (var i = 0; i < files.length; i++) {
+			names.push(files[i].filename || files[i].file.name);
+		}
+
+		if (!orderInput) {
+			orderInput = document.createElement("input");
+			orderInput.type = "hidden";
+			orderInput.name = "queue_order[" + queueType + "]";
+			form.appendChild(orderInput);
+		}
+		orderInput.value = names.join("|");
+	}
+
 	// ── FilePond configuration per queue type ─────────────────────────────
 
 	function buildFilePondOptions(queueType, input) {
 		var cfg = QUEUE_CONFIG[queueType];
 		if (!cfg) return null;
 
-		var mimeMap = {
-			jpg: "image/jpeg", jpeg: "image/jpeg", png: "image/png",
-			gif: "image/gif", webp: "image/webp",
-			pdf: "application/pdf",
-			mp4: "video/mp4", webm: "video/webm", ogv: "video/ogg", mov: "video/quicktime",
-			mp3: "audio/mpeg", ogg: "audio/ogg", oga: "audio/ogg", wav: "audio/wav",
-			flac: "audio/flac", aac: "audio/aac", m4a: "audio/mp4",
-			vtt: "text/vtt",
-			zip: "application/zip", tar: "application/x-tar", gz: "application/gzip", tgz: "application/gzip",
-		};
-		var accepted = cfg.exts.map(function(e) { return mimeMap[e] || ("." + e); });
+		// Per-type max size overrides (for TFE: PDF=100MB, video/audio=2GB)
+		var perExtMax = cfg.perExtensionMaxSize || {};
 
 		return {
-			allowMultiple: cfg.multiple,
+			allowMultiple: cfg.allowMultiple,
 			allowReorder: true,
+			allowProcess: false,
 			storeAsFile: true,
+
+			// ── Native FilePond validation ──
+			acceptedFileTypes: cfg.acceptedFileTypes,
+			labelFileTypeNotAllowed: cfg.labelFileTypeNotAllowed,
+			fileValidateTypeLabelExpectedTypes: cfg.fileValidateTypeLabelExpectedTypes,
+			maxFileSize: cfg.maxFileSize,
+			labelMaxFileSizeExceeded: cfg.labelMaxFileSizeExceeded,
+			labelMaxFileSize: cfg.labelMaxFileSize,
+
+			// ── French labels ──
 			labelIdle: "Glissez-déposez vos fichiers ou <span class='filepond--label-action'>Parcourir</span>",
-			acceptedFileTypes: accepted,
-			labelFileTypeNotAllowed: "Type de fichier non accepté",
-			fileValidateTypeLabelExpectedTypes: "Types acceptés : " + cfg.exts.map(function(e) { return "." + e; }).join(", "),
-			maxFileSize: function () { return "500MB"; },
+			labelFileProcessing: "Chargement en cours",
+			labelFileProcessingComplete: "Chargement terminé",
+			labelFileProcessingAborted: "Chargement annulé",
+			labelFileProcessingError: "Erreur lors du chargement",
+			labelTapToCancel: "Appuyez pour annuler",
+			labelTapToRetry: "Appuyez pour réessayer",
+			labelTapToUndo: "Appuyez pour annuler",
+			labelButtonRemoveItem: "Supprimer",
+			labelButtonAbortItemLoad: "Annuler",
+			labelButtonRetryItemLoad: "Réessayer",
+			labelButtonProcessItem: "Charger",
+
+			// ── Per-extension size validation (hybrid: FilePond validates global maxFileSize,
+			//     beforeAddFile enforces per-extension limits via false return) ──
 			beforeAddFile: function (item) {
 				var f = item.file;
-				var max = cfg.maxSize(f);
-				if (f.size > max) {
-					var maxMb = Math.round(max / 1024 / 1024);
-					return {
-						status: "error",
-						main: "Fichier trop volumineux (" + (f.size / 1024 / 1024).toFixed(1) + " MB)",
-						sub: "Maximum : " + maxMb + " MB."
-					};
+				var ext = getExt(f.name);
+				if (ext && perExtMax[ext]) {
+					var limit = parseSize(perExtMax[ext]);
+					if (limit > 0 && f.size > limit) {
+						// Return false per FilePond API contract — the FileValidateSize
+						// plugin sets the error state via maxFileSize, but per-extension
+						// cap violations must be rejected here.
+						return false;
+					}
 				}
 				return true;
 			},
+
+			// ── Order serialization on add/remove/reorder ──
+			onaddfile: function () { syncOrderInput(queueType, this); },
+			onremovefile: function () { syncOrderInput(queueType, this); },
+			onreorderfiles: function () { syncOrderInput(queueType, this); },
+			onupdatefiles: function () { syncOrderInput(queueType, this); },
 		};
 	}
 
@@ -121,15 +232,12 @@
 	 */
 	window.XamxamInitFilePonds = function () {
 		document.querySelectorAll(".tfe-file-picker").forEach(function (input) {
-			// Skip already upgraded inputs
-			if (input.dataset.filepondUpgraded) return;
-			// Skip if input is inside an existing FilePond root
-			if (input.closest(".filepond--root")) return;
+			// Canonical duplicate check: FilePond.find() is the authoritative source
+			if (FilePond.find(input)) return;
 
 			var id = input.id;
 			var queueType = INPUT_ID_TO_TYPE[id];
 			if (!queueType) {
-				// Try data-queue-type on the input itself
 				queueType = input.dataset.queueType || null;
 			}
 			if (!queueType) return;
@@ -137,56 +245,77 @@
 			var options = buildFilePondOptions(queueType, input);
 			if (!options) return;
 
-			// Preserve the input's original name for form submission
 			options.name = input.getAttribute("name") || input.name || "";
 
 			var pond = FilePond.create(input, options);
-			input.dataset.filepondUpgraded = "1";
 
-			// Track by id for cleanup
 			var key = id || queueType;
 			_ponds[key] = pond;
+
+			// Initial order serialization (for existing files in edit mode — none expected)
+			syncOrderInput(queueType, pond);
 		});
-	}
+	};
 
 	/**
 	 * Destroy FilePond instances inside a given container element.
-	 * Used before HTMX swaps to avoid leaks.
+	 * Generic: handles ANY HTMX swap target, not just known IDs.
 	 */
 	function destroyFilePondsIn(el) {
 		if (!el) return;
-		// Find FilePond-upgraded inputs inside this element
-		el.querySelectorAll(".tfe-file-picker[data-filepond-upgraded]").forEach(function (input) {
-			// Destroy the FilePond instance if it exists
-			var id = input.id;
-			var pond = id ? _ponds[id] : null;
+		el.querySelectorAll(".tfe-file-picker").forEach(function (input) {
+			var pond = FilePond.find(input);
 			if (pond) {
-				try { pond.destroy(); } catch (_) {}
-				delete _ponds[id];
+				try {
+					// Remove order input before destroying
+					var form = input.closest("form");
+					if (form) {
+						var id = input.id;
+						var queueType = INPUT_ID_TO_TYPE[id] || input.dataset.queueType || null;
+						if (queueType) {
+							var orderInput = form.querySelector("input[name='queue_order[" + queueType + "]']");
+							if (orderInput) orderInput.remove();
+						}
+					}
+					pond.destroy();
+				} catch (_) {}
+			}
+			// Clean up tracking
+			if (input.id && _ponds[input.id]) {
+				delete _ponds[input.id];
 			}
-			delete input.dataset.filepondUpgraded;
 		});
 	}
 
 	// ── HTMX integration ─────────────────────────────────────────────────
 
 	/**
-	 * Before HTMX swaps a slot element that may contain FilePond instances,
-	 * destroy them to avoid leaks and file-state conflicts.
+	 * Generic beforeSwap handler: destroy FilePonds in ANY swapped target.
+	 * This prevents detached FilePond instances from leaking listeners.
 	 */
 	function onHtmxBeforeSwap(evt) {
 		var target = evt.detail.target;
-		if (!target) return;
-		var id = target.id || "";
-		// Only care about slot elements that may contain FilePond file inputs
-		if (id === "slot-video" || id === "slot-audio" || id === "annexes-input-block" || id === "format-extras-block") {
+		if (target) {
 			destroyFilePondsIn(target);
 		}
 	}
 
 	// ── Bootstrap ─────────────────────────────────────────────────────────
 
-	// Hook into HTMX events if htmx is loaded
+	// Register FilePond plugins (idempotent)
+	if (typeof FilePondPluginFileValidateType !== "undefined") {
+		FilePond.registerPlugin(FilePondPluginFileValidateType);
+	}
+	if (typeof FilePondPluginFileValidateSize !== "undefined") {
+		FilePond.registerPlugin(FilePondPluginFileValidateSize);
+	}
+	if (typeof FilePondPluginImagePreview !== "undefined") {
+		FilePond.registerPlugin(FilePondPluginImagePreview);
+	}
+	if (typeof FilePondPluginImageExifOrientation !== "undefined") {
+		FilePond.registerPlugin(FilePondPluginImageExifOrientation);
+	}
+
 	if (window.htmx) {
 		window.htmx.on("htmx:beforeSwap", onHtmxBeforeSwap);
 		window.htmx.on("htmx:afterSwap", function () {
@@ -194,7 +323,6 @@
 		});
 	}
 
-	// Initialise on DOM ready
 	if (document.readyState === "loading") {
 		document.addEventListener("DOMContentLoaded", function () {
 			window.XamxamInitFilePonds();
@@ -208,7 +336,6 @@
 		window.__xamxamDirty = true;
 	});
 
-	// Clean dirty flag on form submit (matches beforeunload-guard.js)
 	document.addEventListener("submit", function (e) {
 		var form = e.target;
 		if (form && form.hasAttribute && form.hasAttribute("data-beforeunload-guard")) {

app/public/assets/js/filepond-plugin-file-validate-size.min.js

@@ -0,0 +1,9 @@
+/*!
+ * FilePondPluginFileValidateSize 2.2.8
+ * Licensed under MIT, https://opensource.org/licenses/MIT/
+ * Please visit https://pqina.nl/filepond/ for details.
+ */
+
+/* eslint-disable */
+
+!function(e,i){"object"==typeof exports&&"undefined"!=typeof module?module.exports=i():"function"==typeof define&&define.amd?define(i):(e=e||self).FilePondPluginFileValidateSize=i()}(this,function(){"use strict";var e=function(e){var i=e.addFilter,E=e.utils,l=E.Type,_=E.replaceInString,n=E.toNaturalFileSize;return i("ALLOW_HOPPER_ITEM",function(e,i){var E=i.query;if(!E("GET_ALLOW_FILE_SIZE_VALIDATION"))return!0;var l=E("GET_MAX_FILE_SIZE");if(null!==l&&e.size>l)return!1;var _=E("GET_MIN_FILE_SIZE");return!(null!==_&&e.size<_)}),i("LOAD_FILE",function(e,i){var E=i.query;return new Promise(function(i,l){if(!E("GET_ALLOW_FILE_SIZE_VALIDATION"))return i(e);var I=E("GET_FILE_VALIDATE_SIZE_FILTER");if(I&&!I(e))return i(e);var t=E("GET_MAX_FILE_SIZE");if(null!==t&&e.size>t)l({status:{main:E("GET_LABEL_MAX_FILE_SIZE_EXCEEDED"),sub:_(E("GET_LABEL_MAX_FILE_SIZE"),{filesize:n(t,".",E("GET_FILE_SIZE_BASE"),E("GET_FILE_SIZE_LABELS",E))})}});else{var L=E("GET_MIN_FILE_SIZE");if(null!==L&&e.size<L)l({status:{main:E("GET_LABEL_MIN_FILE_SIZE_EXCEEDED"),sub:_(E("GET_LABEL_MIN_FILE_SIZE"),{filesize:n(L,".",E("GET_FILE_SIZE_BASE"),E("GET_FILE_SIZE_LABELS",E))})}});else{var a=E("GET_MAX_TOTAL_FILE_SIZE");if(null!==a)if(E("GET_ACTIVE_ITEMS").reduce(function(e,i){return e+i.fileSize},0)>a)return void l({status:{main:E("GET_LABEL_MAX_TOTAL_FILE_SIZE_EXCEEDED"),sub:_(E("GET_LABEL_MAX_TOTAL_FILE_SIZE"),{filesize:n(a,".",E("GET_FILE_SIZE_BASE"),E("GET_FILE_SIZE_LABELS",E))})}});i(e)}}})}),{options:{allowFileSizeValidation:[!0,l.BOOLEAN],maxFileSize:[null,l.INT],minFileSize:[null,l.INT],maxTotalFileSize:[null,l.INT],fileValidateSizeFilter:[null,l.FUNCTION],labelMinFileSizeExceeded:["File is too small",l.STRING],labelMinFileSize:["Minimum file size is {filesize}",l.STRING],labelMaxFileSizeExceeded:["File is too large",l.STRING],labelMaxFileSize:["Maximum file size is {filesize}",l.STRING],labelMaxTotalFileSizeExceeded:["Maximum total size exceeded",l.STRING],labelMaxTotalFileSize:["Maximum total file size is {filesize}",l.STRING]}}};return"undefined"!=typeof window&&void 0!==window.document&&document.dispatchEvent(new CustomEvent("FilePond:pluginloaded",{detail:e})),e});

app/public/assets/js/filepond-plugin-file-validate-type.min.js

@@ -0,0 +1,9 @@
+/*!
+ * FilePondPluginFileValidateType 1.2.9
+ * Licensed under MIT, https://opensource.org/licenses/MIT/
+ * Please visit https://pqina.nl/filepond/ for details.
+ */
+
+/* eslint-disable */
+
+!function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):(e=e||self).FilePondPluginFileValidateType=t()}(this,function(){"use strict";var e=function(e){var t=e.addFilter,n=e.utils,i=n.Type,T=n.isString,E=n.replaceInString,l=n.guesstimateMimeType,o=n.getExtensionFromFilename,r=n.getFilenameFromURL,u=function(e,t){return e.some(function(e){return/\*$/.test(e)?(n=e,(/^[^/]+/.exec(t)||[]).pop()===n.slice(0,-2)):e===t;var n})},a=function(e,t,n){if(0===t.length)return!0;var i=function(e){var t="";if(T(e)){var n=r(e),i=o(n);i&&(t=l(i))}else t=e.type;return t}(e);return n?new Promise(function(T,E){n(e,i).then(function(e){u(t,e)?T():E()}).catch(E)}):u(t,i)};return t("SET_ATTRIBUTE_TO_OPTION_MAP",function(e){return Object.assign(e,{accept:"acceptedFileTypes"})}),t("ALLOW_HOPPER_ITEM",function(e,t){var n=t.query;return!n("GET_ALLOW_FILE_TYPE_VALIDATION")||a(e,n("GET_ACCEPTED_FILE_TYPES"))}),t("LOAD_FILE",function(e,t){var n=t.query;return new Promise(function(t,i){if(n("GET_ALLOW_FILE_TYPE_VALIDATION")){var T=n("GET_ACCEPTED_FILE_TYPES"),l=n("GET_FILE_VALIDATE_TYPE_DETECT_TYPE"),o=a(e,T,l),r=function(){var e,t=T.map((e=n("GET_FILE_VALIDATE_TYPE_LABEL_EXPECTED_TYPES_MAP"),function(t){return null!==e[t]&&(e[t]||t)})).filter(function(e){return!1!==e}),l=t.filter(function(e,n){return t.indexOf(e)===n});i({status:{main:n("GET_LABEL_FILE_TYPE_NOT_ALLOWED"),sub:E(n("GET_FILE_VALIDATE_TYPE_LABEL_EXPECTED_TYPES"),{allTypes:l.join(", "),allButLastType:l.slice(0,-1).join(", "),lastType:l[l.length-1]})}})};if("boolean"==typeof o)return o?t(e):r();o.then(function(){t(e)}).catch(r)}else t(e)})}),{options:{allowFileTypeValidation:[!0,i.BOOLEAN],acceptedFileTypes:[[],i.ARRAY],labelFileTypeNotAllowed:["File is of invalid type",i.STRING],fileValidateTypeLabelExpectedTypes:["Expects {allButLastType} or {lastType}",i.STRING],fileValidateTypeLabelExpectedTypesMap:[{},i.OBJECT],fileValidateTypeDetectType:[null,i.FUNCTION]}}};return"undefined"!=typeof window&&void 0!==window.document&&document.dispatchEvent(new CustomEvent("FilePond:pluginloaded",{detail:e})),e});

app/public/assets/js/filepond-plugin-image-exif-orientation.min.js

@@ -0,0 +1,9 @@
+/*!
+ * FilePondPluginImageExifOrientation 1.0.11
+ * Licensed under MIT, https://opensource.org/licenses/MIT/
+ * Please visit https://pqina.nl/filepond/ for details.
+ */
+
+/* eslint-disable */
+
+!function(A,e){"object"==typeof exports&&"undefined"!=typeof module?module.exports=e():"function"==typeof define&&define.amd?define(e):(A=A||self).FilePondPluginImageExifOrientation=e()}(this,function(){"use strict";var A=65496,e=65505,n=1165519206,t=18761,i=274,r=65280,o=function(A,e){var n=arguments.length>2&&void 0!==arguments[2]&&arguments[2];return A.getUint16(e,n)},a=function(A,e){var n=arguments.length>2&&void 0!==arguments[2]&&arguments[2];return A.getUint32(e,n)},u="undefined"!=typeof window&&void 0!==window.document,d=void 0,f=u?new Image:{};f.onload=function(){return d=f.naturalWidth>f.naturalHeight},f.src="data:image/jpg;base64,/9j/4AAQSkZJRgABAQEASABIAAD/4QA6RXhpZgAATU0AKgAAAAgAAwESAAMAAAABAAYAAAEoAAMAAAABAAIAAAITAAMAAAABAAEAAAAAAAD/2wBDAP//////////////////////////////////////////////////////////////////////////////////////wAALCAABAAIBASIA/8QAJgABAAAAAAAAAAAAAAAAAAAAAxABAAAAAAAAAAAAAAAAAAAAAP/aAAgBAQAAPwBH/9k=";var l=function(u){var f=u.addFilter,l=u.utils,c=l.Type,g=l.isFile;return f("DID_LOAD_ITEM",function(u,f){var l=f.query;return new Promise(function(f,c){var s=u.file;if(!(g(s)&&function(A){return/^image\/jpeg/.test(A.type)}(s)&&l("GET_ALLOW_IMAGE_EXIF_ORIENTATION")&&d))return f(u);(function(u){return new Promise(function(d,f){var l=new FileReader;l.onload=function(u){var f=new DataView(u.target.result);if(o(f,0)===A){for(var l=f.byteLength,c=2;c<l;){var g=o(f,c);if(c+=2,g===e){if(a(f,c+=2)!==n)break;var s=o(f,c+=6)===t;c+=a(f,c+4,s);var v=o(f,c,s);c+=2;for(var w=0;w<v;w++)if(o(f,c+12*w,s)===i)return void d(o(f,c+12*w+8,s))}else{if((g&r)!==r)break;c+=o(f,c)}}d(-1)}else d(-1)},l.readAsArrayBuffer(u.slice(0,65536))})})(s).then(function(A){u.setMetadata("exif",{orientation:A}),f(u)})})}),{options:{allowImageExifOrientation:[!0,c.BOOLEAN]}}};return"undefined"!=typeof window&&void 0!==window.document&&document.dispatchEvent(new CustomEvent("FilePond:pluginloaded",{detail:l})),l});

app/public/partage/fichiers-fragment.php

@@ -98,20 +98,8 @@ $hasAnnexesChecked = !empty($_POST['has_annexes']);
                                hx-trigger="change"
                                hx-include="[name='formats[]'], [name='website_url'], [name='admin_mode'], [name='edit_mode'], [name='_cover']"
                                hx-swap="outerHTML"
-                               <?php elseif ((int)$opt['id'] === ($videoId ?? 0)): ?>
-                               hx-post="<?= htmlspecialchars($hxPost) ?>"
-                               hx-target="#slot-video"
-                               hx-select="#slot-video"
-                               hx-trigger="change"
-                               hx-include="[name='formats[]'], [name='website_url'], [name='admin_mode'], [name='edit_mode'], [name='_cover']"
-                               hx-swap="outerHTML"
-                               <?php elseif ((int)$opt['id'] === ($audioId ?? 0)): ?>
-                               hx-post="<?= htmlspecialchars($hxPost) ?>"
-                               hx-target="#slot-audio"
-                               hx-select="#slot-audio"
-                               hx-trigger="change"
-                               hx-include="[name='formats[]'], [name='website_url'], [name='admin_mode'], [name='edit_mode'], [name='_cover']"
-                               <?php endif; ?>>
+                               <?php endif; ?>
+>
                         <?= htmlspecialchars($opt['name']) ?>
                     </label>
                 </li>
@@ -206,7 +194,6 @@ $hasAnnexesChecked = !empty($_POST['has_annexes']);
         <div class="admin-file-input">
             <input type="file" id="couverture"
                    name="couverture"
-                   accept="image/jpeg,image/png,image/webp"
                    class="tfe-file-picker tfe-file-picker--single"
                    data-queue-type="cover">
             <small>JPG, PNG ou WEBP. Format 4:3 recommandé. Max 20 MB.</small>
@@ -220,7 +207,6 @@ $hasAnnexesChecked = !empty($_POST['has_annexes']);
         <div class="admin-file-input">
             <input type="file" id="note_intention"
                    name="note_intention"
-                   accept=".pdf"
                    class="tfe-file-picker tfe-file-picker--single"
                    data-queue-type="note_intention"
                    <?= !$adminMode ? 'required' : '' ?>>
@@ -235,47 +221,30 @@ $hasAnnexesChecked = !empty($_POST['has_annexes']);
             <input type="file" id="tfe-files-input"
                    name="queue_file[tfe][]"
                    multiple
-                   accept=".pdf,.jpg,.jpeg,.png,.gif,.webp,.mp4,.webm,.ogv,.mov,.mp3,.ogg,.oga,.wav,.flac,.aac,.m4a,.vtt,.zip,.tar,.gz,.tgz"
                    class="tfe-file-picker"
                    <?= !$adminMode ? 'required' : '' ?>>
             <small class="admin-file-hint">
-                PDF (max 100 MB) · Images (JPG/PNG/GIF/WEBP) · Vidéo · Audio · VTT · Archives.
+                PDF (max 100 MB) · Images (max 500 MB) · Vidéo & Audio (max 2 GB) · VTT · Archives (max 500 MB).
                 Glissez pour réordonner.
                 PDFs trop lourds ? <a href="https://www.bentopdf.com" target="_blank" rel="noopener">https://bentopdf.com/</a>
             </small>
         </div>
     </div>
 
-    <!-- ── 4. Annexes — multi-file upload (FilePond) ── -->
+    <!-- ── 4. Annexes — multi-file upload (FilePond), always visible ── -->
     <div id="annexes-input-block">
-        <div class="admin-form-group">
-            <label class="admin-checkbox-label">
-                <input type="checkbox" name="has_annexes" value="1"
-                       <?= $hasAnnexesChecked ? 'checked' : '' ?>
-                       hx-post="<?= htmlspecialchars($hxPost) ?>"
-                       hx-target="#annexes-input-block"
-                       hx-select="#annexes-input-block"
-                       hx-trigger="change"
-                       hx-include="[name='formats[]'], [name='website_url'], [name='admin_mode'], [name='edit_mode'], [name='_cover'], [name='has_annexes']"
-                       hx-swap="outerHTML">
-                Ce TFE comporte des annexes
-            </label>
-        </div>
-        <?php if ($hasAnnexesChecked): ?>
+        <!-- has_annexes checkbox disabled — annexe pool always on -->
+        <input type="hidden" name="has_annexes" value="0">
         <div class="admin-form-group admin-files-fieldgroup">
-            <label for="annexe-files-input">Annexes<?= !$adminMode ? ' <span class="asterisk">*</span>' : '' ?></label>
+            <label for="annexe-files-input">Annexes (optionnel)</label>
             <div class="admin-file-input">
                 <input type="file" id="annexe-files-input"
                        name="queue_file[annexe][]"
                        multiple
-                       accept=".pdf,.zip,.tar,.gz"
-                       class="tfe-file-picker"
-                       <?= !$adminMode ? 'required' : '' ?>>
+                       class="tfe-file-picker">
                 <small class="admin-file-hint">PDF ou archives ZIP/TAR. Max 500 MB. Glissez pour réordonner.</small>
             </div>
         </div>
-        <script>if(window.XamxamInitFilePonds)window.XamxamInitFilePonds();</script>
-        <?php endif; ?>
     </div>
 
     <!-- ── Format-specific extras (individual swappable slots) ── -->
@@ -296,7 +265,8 @@ $hasAnnexesChecked = !empty($_POST['has_annexes']);
         <div id="slot-siteweb" hidden></div>
         <?php endif; ?>
 
-        <!-- Slot: Video -->
+        <!-- Slot: Video (disabled — video files are now uploaded via the TFE input) -->
+        <!--
         <?php if ($hasVideo): ?>
         <?php if ($peerTubeEnabled): ?>
         <div id="slot-video" class="admin-form-group">
@@ -325,8 +295,11 @@ $hasAnnexesChecked = !empty($_POST['has_annexes']);
         <?php else: ?>
         <div id="slot-video" hidden></div>
         <?php endif; ?>
+        -->
+        <div id="slot-video" hidden></div>
 
-        <!-- Slot: Audio -->
+        <!-- Slot: Audio (disabled — audio files are now uploaded via the TFE input) -->
+        <!--
         <?php if ($hasAudio): ?>
         <?php if ($peerTubeEnabled): ?>
         <div id="slot-audio" class="admin-form-group">
@@ -355,13 +328,10 @@ $hasAnnexesChecked = !empty($_POST['has_annexes']);
         <?php else: ?>
         <div id="slot-audio" hidden></div>
         <?php endif; ?>
+        -->
+        <div id="slot-audio" hidden></div>
 
-        <script>if(window.XamxamInitFilePonds)window.XamxamInitFilePonds();</script>
     </div>
 
 </fieldset><!-- /Fichiers -->
-
-<script>
-if(window.XamxamInitFilePonds)window.XamxamInitFilePonds();
-</script>
 </div><!-- #format-fichiers-block -->

app/public/partage/index.php

@@ -317,10 +317,29 @@ function renderShareLinkForm(string $slug, array $link): void
     $synopsisExtra = ob_get_clean();
 
     // Jury data from repopulation
-    $juryPromoteur    = old($formData, 'jury_promoteur');
+    $juryPromoteur    = null;
     $juryPromoteurs   = [];
-    $juryPromoteurUlb = old($formData, 'jury_promoteur_ulb_name');
+    $juryPromoteurUlb = null;
     $juryPromoteursUlb = [];
+    // promoteurices may be submitted as arrays (multiple entries)
+    $promoteursRaw = old($formData, 'jury_promoteur');
+    if (is_array($promoteursRaw)) {
+        foreach ($promoteursRaw as $name) {
+            $name = trim($name ?? '');
+            if ($name !== '') $juryPromoteurs[] = ['name' => $name];
+        }
+    } elseif (is_string($promoteursRaw) && trim($promoteursRaw) !== '') {
+        $juryPromoteur = $promoteursRaw;
+    }
+    $promoteursUlbRaw = old($formData, 'jury_promoteur_ulb_name');
+    if (is_array($promoteursUlbRaw)) {
+        foreach ($promoteursUlbRaw as $name) {
+            $name = trim($name ?? '');
+            if ($name !== '') $juryPromoteursUlb[] = ['name' => $name];
+        }
+    } elseif (is_string($promoteursUlbRaw) && trim($promoteursUlbRaw) !== '') {
+        $juryPromoteurUlb = $promoteursUlbRaw;
+    }
     $lecteursInternes = [];
     $lecteursExternes = [];
     for ($i = 0; $i < 10; $i++) {
@@ -376,7 +395,12 @@ function renderShareLinkForm(string $slug, array $link): void
         <link rel="stylesheet" href="<?= App::assetV('/assets/css/common.css') ?>">
         <link rel="stylesheet" href="<?= App::assetV('/assets/css/form.css') ?>">
         <link rel="stylesheet" href="<?= App::assetV('/assets/css/filepond.min.css') ?>">
+        <link rel="stylesheet" href="<?= App::assetV('/assets/css/filepond-plugin-image-preview.min.css') ?>">
         <script src="<?= App::assetV('/assets/js/filepond.min.js') ?>" defer></script>
+        <script src="<?= App::assetV('/assets/js/filepond-plugin-file-validate-type.min.js') ?>" defer></script>
+        <script src="<?= App::assetV('/assets/js/filepond-plugin-file-validate-size.min.js') ?>" defer></script>
+        <script src="<?= App::assetV('/assets/js/filepond-plugin-image-preview.min.js') ?>" defer></script>
+        <script src="<?= App::assetV('/assets/js/filepond-plugin-image-exif-orientation.min.js') ?>" defer></script>
         <script src="<?= App::assetV('/assets/js/file-upload-filepond.js') ?>" defer></script>
         <script src="<?= App::assetV('/assets/js/beforeunload-guard.js') ?>" defer></script>
         <script src="<?= App::assetV('/assets/js/htmx.min.js') ?>" defer></script>
@@ -497,6 +521,12 @@ function handleShareLinkSubmission(string $slug): void
         $ctrl     = ThesisCreateController::make();
         $thesisId = $ctrl->submit($_POST, $_FILES);
 
+        // Collect file processing warnings (invalid types, too large, etc.)
+        $fileWarnings = $ctrl->getFileWarnings();
+        if ($fileWarnings) {
+            $_SESSION['_flash_warning'] = implode("\n", $fileWarnings);
+        }
+
         $identifier = $ctrl->getIdentifier($thesisId);
         $logger->logSubmission('partage', $thesisId, $identifier, $authorName, [
             'share_slug' => $slug,
@@ -572,19 +602,23 @@ function handleShareLinkSubmission(string $slug): void
 /**
  * Helper to retrieve old form data (with support for array keys via : delimiter)
  */
-function old(array $data, string $key, string $default = ''): string {
+/**
+ * Retrieve old form data for repopulation.
+ * Returns raw value (no escaping) — callers must htmlspecialchars() when rendering.
+ * For arrays, returns the array as-is so callers can iterate.
+ */
+function old(array $data, string $key, $default = '') {
     // Support nested keys like "jury_lecteurs:0"
     $parts = explode(':', $key);
     $value = $data;
     foreach ($parts as $part) {
-        if (is_array($value) && isset($value[$part])) {
+        if (is_array($value) && array_key_exists($part, $value)) {
             $value = $value[$part];
         } else {
-            $value = $default;
-            break;
+            return $default;
         }
     }
-    return is_array($value) ? htmlspecialchars(json_encode($value)) : htmlspecialchars((string)$value);
+    return $value;
 }
 
 /**