[RFC] Split markdown rendering to a separate package.#647
[RFC] Split markdown rendering to a separate package.#647ditman wants to merge 29 commits intogoogle:mainfrom
Conversation
jacobsimionato
left a comment
jacobsimionato
left a comment
There was a problem hiding this comment.
Hey thanks for iterating - this seems a lot lighter! It looks like angular support is gone, but ideally it will be possible to use this same shared interface/package for Angular?
ditman
changed the title
|
/gemini review |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request effectively refactors the markdown rendering logic into a new shared package, @a2ui/markdown-it-shared. This is a positive step towards better code organization and reusability. The dependency injection approach for providing the markdown renderer in both Angular and Lit frameworks is well-executed.
However, I have identified a critical security vulnerability due to an incomplete sanitizer implementation in the new shared package. Additionally, there are a couple of bugs in the new package: one in the HTML highlighting logic and another in a build script, which could break the publishing process. My review includes specific comments and suggestions to address these issues.
| case 'html': { | ||
| const iframe = document.createElement('iframe'); | ||
| iframe.classList.add('html-view'); | ||
| iframe.srcdoc = str; | ||
| iframe.sandbox.add(''); | ||
| return iframe.innerHTML; | ||
| } |
There was a problem hiding this comment.
The highlight function for HTML code blocks is using iframe.innerHTML, which will return an empty string. This is likely not the intended behavior. If the goal is to display a sandboxed preview of the HTML, you should probably be returning the iframe.outerHTML.
Additionally, using document.createElement will cause this code to fail in non-browser environments (e.g., during server-side rendering or in tests running in Node.js). Consider adding a check for the environment.
| case 'html': { | |
| const iframe = document.createElement('iframe'); | |
| iframe.classList.add('html-view'); | |
| iframe.srcdoc = str; | |
| iframe.sandbox.add(''); | |
| return iframe.innerHTML; | |
| } | |
| case 'html': { | |
| if (typeof document === 'undefined') { | |
| return str; // Or escape it | |
| } | |
| const iframe = document.createElement('iframe'); | |
| iframe.classList.add('html-view'); | |
| iframe.srcdoc = str; | |
| iframe.sandbox.add(''); | |
| return iframe.outerHTML; | |
| } |
There was a problem hiding this comment.
This is in fact logic that probably should disappear. I don't think that an html tagged highlight is a good signal to attempt to render an iframe :/
ditman
force-pushed
the
inject-markdown-renderer-only
branch
from
8df05c1 to
b70a5eb
Compare
|
/gemini review |
ditman
requested review from
ava-cassiopeia,
crisbeto,
dmandar,
gspencergoog,
paullewis and
zeroasterisk
as code owners
There was a problem hiding this comment.
Code Review
This pull request is a great step towards improving the maintainability and consistency of markdown rendering by centralizing the logic into a new @a2ui/markdown-it-shared package. The use of dependency injection for the renderer in both Angular and Lit frameworks is well-executed. I've identified a couple of critical issues in the new shared markdown renderer that could lead to incorrect rendering and potential security vulnerabilities. Additionally, there are a few medium-severity suggestions to improve code clarity and adhere to best practices for library development. Overall, this is a valuable refactoring, and addressing these points will make it even more robust.
…markdown renderer function.
…rom the Text widget.
ditman
force-pushed
the
inject-markdown-renderer-only
branch
from
dfa0b28 to
ec4ece9
Compare
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request refactors the markdown rendering logic by decoupling the markdown-it dependency from the lit and angular renderers and moving it into a new shared package, @a2ui/markdown-it-shared. This is a great architectural improvement that makes the renderers more modular and allows users to inject their own markdown implementation. The changes are well-implemented, including updates to the sample applications to use the new provider/context patterns. My review includes a few minor suggestions to improve code clarity and maintainability.
|
LGTM. I wonder if the package should be called a2ui-markdown-it or something? Not sure if 'shared' is needed in there? |
2 participants
Description
This PR separates the
markdown-itdependency from thelitandangularrendererers, by allowing users to inject their own markdown renderer.Warning
BREAKING CHANGE: By default, now incoming markdown is rendered as a
preelement, and users must inject a markdown renderer of their choosing for markdown to be rendered (see below).In order to keep the "batteries" somewhat included in the sdk, a new package is introduced:
@a2ui/markdown-it-shared: the pre-configuredmarkdown-itinstance for all web renderers. This allows us to have a single configured markdown renderer withmarkdown-itanddompurifythat can be reused across all web packages. This is just a markdown string -> html string converter, but if we want to add plugins tomarkdown-itlater, all packages get the new output at once.The
litandangularrestaurant samples are updated to inject the new markdown renderer.Fixes
Tests
Pre-launch Checklist
If you need help, consider asking for advice on the discussion board.