[RFC] Split markdown rendering to a separate package.#647
[RFC] Split markdown rendering to a separate package.#647ditman wants to merge 14 commits intogoogle:mainfrom
Conversation
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
jacobsimionato
left a comment
jacobsimionato
left a comment
There was a problem hiding this comment.
Hey thanks for iterating - this seems a lot lighter! It looks like angular support is gone, but ideally it will be possible to use this same shared interface/package for Angular?
…rom the Text widget.
ditman
changed the title
|
/gemini review |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request effectively refactors the markdown rendering logic into a new shared package, @a2ui/markdown-it-shared. This is a positive step towards better code organization and reusability. The dependency injection approach for providing the markdown renderer in both Angular and Lit frameworks is well-executed.
However, I have identified a critical security vulnerability due to an incomplete sanitizer implementation in the new shared package. Additionally, there are a couple of bugs in the new package: one in the HTML highlighting logic and another in a build script, which could break the publishing process. My review includes specific comments and suggestions to address these issues.
| export const sanitizer = { | ||
| sanitize: (html: string) => html, | ||
| }; |
There was a problem hiding this comment.
The sanitizer is currently a no-op, which poses a significant security risk as it allows un-sanitized HTML to be rendered. The TODO comment indicates this is an incomplete implementation. Raw HTML from the markdown source will be rendered without sanitization, which can lead to Cross-Site Scripting (XSS) vulnerabilities.
You should implement a proper HTML sanitizer, like DOMPurify as suggested by the TODO, to prevent XSS attacks. You will also need to add dompurify and its types (@types/dompurify) as dependencies to the package.json.
| export const sanitizer = { | |
| sanitize: (html: string) => html, | |
| }; | |
| import DOMPurify from 'dompurify'; | |
| /** | |
| * A sanitizer that sanitizes HTML. | |
| */ | |
| export const sanitizer = { | |
| sanitize: (html: string) => DOMPurify.sanitize(html), | |
| }; |
| case 'html': { | ||
| const iframe = document.createElement('iframe'); | ||
| iframe.classList.add('html-view'); | ||
| iframe.srcdoc = str; | ||
| iframe.sandbox.add(''); | ||
| return iframe.innerHTML; | ||
| } |
There was a problem hiding this comment.
The highlight function for HTML code blocks is using iframe.innerHTML, which will return an empty string. This is likely not the intended behavior. If the goal is to display a sandboxed preview of the HTML, you should probably be returning the iframe.outerHTML.
Additionally, using document.createElement will cause this code to fail in non-browser environments (e.g., during server-side rendering or in tests running in Node.js). Consider adding a check for the environment.
| case 'html': { | |
| const iframe = document.createElement('iframe'); | |
| iframe.classList.add('html-view'); | |
| iframe.srcdoc = str; | |
| iframe.sandbox.add(''); | |
| return iframe.innerHTML; | |
| } | |
| case 'html': { | |
| if (typeof document === 'undefined') { | |
| return str; // Or escape it | |
| } | |
| const iframe = document.createElement('iframe'); | |
| iframe.classList.add('html-view'); | |
| iframe.srcdoc = str; | |
| iframe.sandbox.add(''); | |
| return iframe.outerHTML; | |
| } |
There was a problem hiding this comment.
This is in fact logic that probably should disappear. I don't think that an html tagged highlight is a good signal to attempt to render an iframe :/
| // 3. Adjusting paths in package.json (main, types, exports) to be relative to dist/ | ||
|
|
||
| const dirname = import.meta.dirname; | ||
| const corePkgPath = join(dirname, '../core/package.json'); |
There was a problem hiding this comment.
The path to corePkgPath is incorrect. It points to ../core/package.json, which would resolve to renderers/markdown/core/package.json. Based on the project structure, it should probably point to the web_core package at ../../web_core/package.json. This will cause the publish script to fail.
| const corePkgPath = join(dirname, '../core/package.json'); | |
| const corePkgPath = join(dirname, '../../web_core/package.json'); |
2 participants
Description
This PR addresses some feedback on #595 by dropping some of the "implementation" packages for the markdown renderer, and directly using an injected
renderMarkdownfunction if present. It adds some core types for the generic markdown renderer to be configured and injected.It also updates the lit shell sample app to inject the pre-built renderer, to display how end-users will interact with this.
Pre-launch Checklist
If you need help, consider asking for advice on the discussion board.