**bold**
");
+ expect(html).toContain("<div>");
+ expect(html).not.toContain("");
+ // Inner markdown should NOT be rendered since it's inside escaped HTML
+ expect(html).toContain("**bold**");
+ });
+
+ it("strips script tags", () => {
+ const html = toSanitizedMarkdownHtml("");
+ expect(html).not.toContain(" {
+ const html = toSanitizedMarkdownHtml("Check this out");
+ expect(html).toContain("<b>");
+ expect(html).not.toContain("");
+ });
+ });
+
+ describe("task lists", () => {
+ it("renders task list checkboxes", () => {
+ const html = toSanitizedMarkdownHtml("- [ ] Unchecked\n- [x] Checked");
+ expect(html).toContain(" {
+ const html = toSanitizedMarkdownHtml("- [ ] Task with [link](https://example.com)");
+ expect(html).toContain(' {
+ const html = toSanitizedMarkdownHtml("- [ ] ");
+ expect(html).not.toContain(" {
+ const html = toSanitizedMarkdownHtml("- [ ] ");
+ expect(html).toContain("<details>");
+ expect(html).not.toContain("
x
y");
+ });
+ });
+
+ describe("images", () => {
+ it("flattens remote images to alt text", () => {
+ const html = toSanitizedMarkdownHtml("");
+ expect(html).not.toContain(" {
+ const html = toSanitizedMarkdownHtml("");
+ expect(html).toContain("**Build log**");
+ });
+
+ it("preserves code formatting in alt text", () => {
+ const html = toSanitizedMarkdownHtml("");
+ expect(html).toContain("`error.log`");
+ });
+
+ it("preserves base64 data URI images (#15437)", () => {
+ const html = toSanitizedMarkdownHtml("");
+ expect(html).toContain(" {
+ const html = toSanitizedMarkdownHtml("");
+ expect(html).not.toContain(" {
+ it("renders fenced code blocks", () => {
+ const html = toSanitizedMarkdownHtml("```ts\nconsole.log(1)\n```");
+ expect(html).toContain("
");
+ expect(html).toContain(" {
+ // markdown-it requires a blank line before indented code
+ const html = toSanitizedMarkdownHtml("text\n\n indented code");
+ expect(html).toContain("");
+ expect(html).toContain("");
+ });
+
+ it("includes copy button", () => {
+ const html = toSanitizedMarkdownHtml("```\ncode\n```");
+ expect(html).toContain('class="code-block-copy"');
+ expect(html).toContain("data-code=");
+ });
+
+ it("collapses JSON code blocks", () => {
+ const html = toSanitizedMarkdownHtml('```json\n{"key": "value"}\n```');
+ expect(html).toContain(" {
+ it("renders strikethrough", () => {
+ const html = toSanitizedMarkdownHtml("This is ~~deleted~~ text");
+ expect(html).toContain("deleted");
+ });
+
+ it("renders tables", () => {
+ const md = "| A | B |\n|---|---|\n| 1 | 2 |";
+ const html = toSanitizedMarkdownHtml(md);
+ expect(html).toContain("");
+ });
+
+ it("renders basic markdown", () => {
+ const html = toSanitizedMarkdownHtml("**bold** and *italic*");
+ expect(html).toContain("bold");
+ expect(html).toContain("italic");
+ });
+
+ it("renders headings", () => {
+ const html = toSanitizedMarkdownHtml("# Heading 1\n## Heading 2");
+ expect(html).toContain("");
+ expect(html).toContain("");
+ });
+
+ it("renders blockquotes", () => {
+ const html = toSanitizedMarkdownHtml("> quote");
+ expect(html).toContain("");
+ });
+
+ it("renders lists", () => {
+ const html = toSanitizedMarkdownHtml("- item 1\n- item 2");
+ expect(html).toContain("");
+ expect(html).toContain("- ");
+ });
+ });
+
+ describe("security", () => {
+ it("blocks javascript: in links via DOMPurify", () => {
+ const html = toSanitizedMarkdownHtml("[click me](javascript:alert(1))");
+ // DOMPurify strips dangerous href schemes but keeps the anchor text
+ expect(html).not.toContain('href="javascript:');
+ expect(html).toContain("click me");
+ });
+
+ it("shows alt text for javascript: images", () => {
+ const html = toSanitizedMarkdownHtml(")");
+ expect(html).not.toContain("
{
+ const html1 = toSanitizedMarkdownHtml(")");
+ expect(html1).toContain("Alt1");
+ expect(html1).not.toContain(" {
+ const html = toSanitizedMarkdownHtml("[x](data:text/html,)");
+ // marked.js generates for all URLs; DOMPurify strips dangerous href.
+ // Result: anchor text visible but link is inert (no href or stripped href).
+ expect(html).toContain(">x<");
+ expect(html).not.toContain('href="data:text/html');
+ });
+
+ it("does not auto-link bare file:// URIs", () => {
+ const html = toSanitizedMarkdownHtml("Check file:///etc/passwd");
+ // Bare file:// without www. or http:// should NOT be auto-linked
+ expect(html).not.toContain(" {
+ const html = toSanitizedMarkdownHtml("[click](file:///etc/passwd)");
+ // DOMPurify strips file: scheme, leaving anchor text
+ expect(html).not.toContain('href="file:');
+ expect(html).toContain("click");
+ });
+ });
+
+ describe("ReDoS protection", () => {
+ it("does not throw on deeply nested emphasis markers (#36213)", () => {
+ const nested = "*".repeat(500) + "text" + "*".repeat(500);
+ expect(() => toSanitizedMarkdownHtml(nested)).not.toThrow();
+ const html = toSanitizedMarkdownHtml(nested);
+ expect(html).toContain("text");
+ });
+
+ it("does not throw on deeply nested brackets (#36213)", () => {
+ const nested = "[".repeat(200) + "link" + "]".repeat(200) + "(" + "x".repeat(200) + ")";
+ expect(() => toSanitizedMarkdownHtml(nested)).not.toThrow();
+ });
+
+ it("does not hang on backtick + bracket ReDoS pattern", { timeout: 2_000 }, () => {
+ const HEADER =
+ '{"type":"message","id":"aaa","parentId":"bbb",' +
+ '"timestamp":"2000-01-01T00:00:00.000Z","message":' +
+ '{"role":"toolResult","toolCallId":"call_000",' +
+ '"toolName":"read","content":[{"type":"text","text":' +
+ '"{\\"type\\":\\"message\\",\\"id\\":\\"ccc\\",' +
+ '\\"timestamp\\":\\"2000-01-01T00:00:00.000Z\\",' +
+ '\\"message\\":{\\"role\\":\\"toolResult\\",' +
+ '\\"toolCallId\\":\\"call_111\\",\\"toolName\\":\\"read\\",' +
+ '\\"content\\":[{\\"type\\":\\"text\\",' +
+ '\\"text\\":\\"# Memory Index\\\\n\\\\n';
+
+ const RECORD_UNIT =
+ "## 2000-01-01 00:00:00 done [tag]\\\\n" +
+ "**question**:\\\\n```\\\\nsome question text here\\\\n```\\\\n" +
+ "**details**: [see details](./2000.01.01/00000000/INFO.md)\\\\n\\\\n";
+
+ const poison = HEADER + RECORD_UNIT.repeat(9);
+
+ const start = performance.now();
+ const html = toSanitizedMarkdownHtml(poison);
+ const elapsed = performance.now() - start;
+
+ expect(elapsed).toBeLessThan(500);
+ expect(html.length).toBeGreaterThan(0);
+ });
+ });
+
+ describe("large text handling", () => {
+ it("uses plain text fallback for oversized content", () => {
+ // MARKDOWN_PARSE_LIMIT is 40_000 chars
+ const input = Array.from(
+ { length: 320 },
+ (_, i) => `Paragraph ${i + 1}: ${"Long plain-text reply. ".repeat(8)}`,
+ ).join("\n\n");
+ const html = toSanitizedMarkdownHtml(input);
+ expect(html).toContain('class="markdown-plain-text-fallback"');
+ });
+
+ it("preserves indentation in plain text fallback", () => {
+ const input = `${"Header line\n".repeat(5000)}\n indented log line\n deeper indent`;
+ const html = toSanitizedMarkdownHtml(input);
+ expect(html).toContain('class="markdown-plain-text-fallback"');
+ expect(html).toContain(" indented log line");
+ expect(html).toContain(" deeper indent");
+ });
+
+ it("caches oversized fallback results", () => {
+ const input = Array.from({ length: 240 }, (_, i) => `P${i}`).join("\n\n") + "x".repeat(35000);
+ const first = toSanitizedMarkdownHtml(input);
+ const second = toSanitizedMarkdownHtml(input);
+ expect(second).toBe(first);
+ });
+
+ it("falls back to escaped text if md.render throws (#36213)", () => {
+ const renderSpy = vi.spyOn(md, "render").mockImplementation(() => {
+ throw new Error("forced failure");
+ });
+ const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+ try {
+ const html = toSanitizedMarkdownHtml("test");
+ expect(html).toContain('');
+ expect(warnSpy).toHaveBeenCalledOnce();
+ } finally {
+ renderSpy.mockRestore();
+ warnSpy.mockRestore();
+ }
+ });
});
});
diff --git a/ui/src/ui/markdown.ts b/ui/src/ui/markdown.ts
index dc03b61f225..da34ab16815 100644
--- a/ui/src/ui/markdown.ts
+++ b/ui/src/ui/markdown.ts
@@ -1,5 +1,6 @@
import DOMPurify from "dompurify";
-import { marked } from "marked";
+import MarkdownIt from "markdown-it";
+import markdownItTaskLists from "markdown-it-task-lists";
import { truncateText } from "./format.ts";
import { normalizeLowercaseStringOrEmpty } from "./string-coerce.ts";
@@ -20,10 +21,12 @@ const allowedTags = [
"h4",
"hr",
"i",
+ "input",
"li",
"ol",
"p",
"pre",
+ "s",
"span",
"strong",
"summary",
@@ -38,7 +41,9 @@ const allowedTags = [
];
const allowedAttrs = [
+ "checked",
"class",
+ "disabled",
"href",
"rel",
"target",
@@ -64,7 +69,13 @@ const MARKDOWN_CACHE_MAX_CHARS = 50_000;
const INLINE_DATA_IMAGE_RE = /^data:image\/[a-z0-9.+-]+;base64,/i;
const markdownCache = new Map();
const TAIL_LINK_BLUR_CLASS = "chat-link-tail-blur";
-const TRAILING_CJK_TAIL_RE = /([\u4E00-\u9FFF\u3000-\u303F\uFF01-\uFF5E\s]+)$/;
+
+// CJK character ranges for URL boundary detection (RFC 3986: CJK is not valid in raw URLs).
+// CJK Unified Ideographs, CJK Symbols/Punctuation, Fullwidth Forms, Hiragana, Katakana,
+// Hangul Syllables, and CJK Compatibility Ideographs.
+// biome-ignore lint: readability — regex charset is inherently dense
+const CJK_RE =
+ /[\u2E80-\u2FFF\u3000-\u303F\u3040-\u309F\u30A0-\u30FF\u3400-\u4DBF\u4E00-\u9FFF\uAC00-\uD7AF\uF900-\uFAFF\uFF01-\uFF60]/;
function getCachedMarkdown(key: string): string | null {
const cached = markdownCache.get(key);
@@ -123,50 +134,346 @@ function installHooks() {
});
}
-// Extension to prevent auto-linking algorithms from swallowing adjacent CJK characters.
-const cjkAutoLinkExtension = {
- name: "url",
- level: "inline",
- // Indicate where an auto-link might start
- start(src: string) {
- const match = src.match(/https?:\/\//i);
- return match ? match.index! : -1;
- },
- tokenizer(src: string) {
- // GFM standard regex for auto-links
- const rule = /^https?:\/\/[^\s<]+[^<.,:;"')\]\s]/i;
- const match = rule.exec(src);
- if (match) {
- let urlText = match[0];
+// ── markdown-it instance with custom renderers ──
- // Stop before any CJK character or typical punctuation following CJK
- // This stops link boundaries from bleeding into mixed-language paragraphs.
- const cjkMatch = urlText.match(TRAILING_CJK_TAIL_RE);
- if (cjkMatch) {
- urlText = urlText.substring(0, urlText.length - cjkMatch[1].length);
- }
+function escapeHtml(value: string): string {
+ return value
+ .replace(/&/g, "&")
+ .replace(//g, ">")
+ .replace(/"/g, """)
+ .replace(/'/g, "'");
+}
- return {
- type: "link",
- raw: urlText,
- text: urlText,
- href: urlText,
- tokens: [
- {
- type: "text",
- raw: urlText,
- text: urlText,
- },
- ],
- };
+function normalizeMarkdownImageLabel(text?: string | null): string {
+ const trimmed = text?.trim();
+ return trimmed ? trimmed : "image";
+}
+
+export const md = new MarkdownIt({
+ html: true, // Enable HTML recognition so html_block/html_inline overrides can escape it
+ breaks: true,
+ linkify: true,
+});
+
+// Enable GFM strikethrough (~~text~~) to match original marked.js behavior.
+// markdown-it uses tags; we added "s" to allowedTags for DOMPurify.
+md.enable("strikethrough");
+
+// Disable fuzzy link detection to prevent bare filenames like "README.md"
+// from being auto-linked as "http://README.md". URLs with explicit protocol
+// (https://...) and emails are still linkified.
+//
+// Alternative considered: extensions/matrix/src/matrix/format.ts uses fuzzyLink
+// with a file-extension blocklist to filter false positives at render time.
+// We chose the www-only approach instead because:
+// 1. Matches original marked.js GFM behavior exactly (bare domains were never linked)
+// 2. No blocklist to maintain — new TLDs like .ai, .io, .dev would need constant updates
+// 3. Predictable behavior — users can always use explicit https:// for any URL
+md.linkify.set({ fuzzyLink: false });
+
+// Re-enable www. prefix detection per GFM spec: bare URLs without protocol
+// must start with "www." to be auto-linked. This avoids false positives on
+// filenames while preserving expected behavior for "www.example.com".
+// GFM spec: valid domain = alphanumeric/underscore/hyphen segments separated
+// by periods, at least one period, no underscores in last two segments.
+md.linkify.add("www", {
+ validate(text, pos) {
+ const tail = text.slice(pos);
+ // Match: . followed by domain and optional path, matching marked.js behavior.
+ // Stops at whitespace, < (HTML tag boundary), or CJK characters (RFC 3986:
+ // raw CJK is not valid in URLs; percent-encoded CJK like %E4%BD%A0 is fine).
+ const match = tail.match(
+ /^\.(?:[a-zA-Z0-9-]+\.?)+[^\s<\u2E80-\u2FFF\u3000-\u303F\u3040-\u309F\u30A0-\u30FF\u3400-\u4DBF\u4E00-\u9FFF\uAC00-\uD7AF\uF900-\uFAFF\uFF01-\uFF60]*/,
+ );
+ if (!match) {
+ return 0;
}
- return undefined;
+ let len = match[0].length;
+
+ // Strip trailing punctuation per GFM extended autolink spec.
+ // GFM says: ?, !, ., ,, :, *, _, ~ are not part of the autolink if trailing.
+
+ // Balance checking config: closeChar -> openChar mapping.
+ // Strip trailing close chars only when unbalanced (more closes than opens).
+ // For self-matching pairs like "", open === close (strip if odd count).
+ const balancePairs: Record = {
+ ")": "(",
+ "]": "[",
+ "}": "{",
+ '"': '"',
+ "'": "'",
+ };
+
+ // Pre-count balanced pairs to avoid O(n²) rescans.
+ // balance[closeChar] = count(open) - count(close), negative means unbalanced
+ const balance: Record = {};
+ for (const [close, open] of Object.entries(balancePairs)) {
+ balance[close] = 0;
+ for (let i = 0; i < len; i++) {
+ const c = tail[i];
+ if (open === close) {
+ // Self-matching pair (e.g., "") — toggle between 0 and 1
+ if (c === open) {
+ balance[close] = balance[close] === 0 ? 1 : 0;
+ }
+ } else {
+ // Distinct open/close (e.g., ())
+ if (c === open) {
+ balance[close]++;
+ } else if (c === close) {
+ balance[close]--;
+ }
+ }
+ }
+ }
+
+ while (len > 0) {
+ const ch = tail[len - 1];
+ // GFM trailing punctuation: ?, !, ., ,, :, *, _, ~ stripped unconditionally.
+ // Semicolon is handled specially below (entity reference rule).
+ if (/[?!.,:*_~]/.test(ch)) {
+ len--;
+ continue;
+ }
+ // GFM entity reference rule: strip trailing &entity; sequences.
+ // Only strip ; when preceded by &+ (e.g., & < &hl;).
+ if (ch === ";") {
+ // Backward scan to find & (O(n) total, avoids string allocation)
+ let j = len - 2;
+ while (j >= 0 && /[a-zA-Z0-9]/.test(tail[j])) {
+ j--;
+ }
+ // j < len - 2 ensures at least one alphanumeric between & and ;
+ if (j >= 0 && tail[j] === "&" && j < len - 2) {
+ len = j;
+ continue;
+ }
+ // Not an entity reference, stop stripping
+ break;
+ }
+ // Handle balanced pairs — only strip close char if unbalanced.
+ const open = balancePairs[ch];
+ if (open !== undefined) {
+ if (open === ch) {
+ // Self-matching: strip if odd count (unbalanced)
+ if (balance[ch] !== 0) {
+ balance[ch] = 0;
+ len--;
+ continue;
+ }
+ } else {
+ // Distinct pair: strip if more closes than opens
+ if (balance[ch] < 0) {
+ balance[ch]++;
+ len--;
+ continue;
+ }
+ }
+ }
+ break;
+ }
+ return len;
+
},
+ normalize(match) {
+ match.url = "http://" + match.url;
+ },
+});
+
+// Override default link validator to allow all URLs through to renderers.
+// marked.js does not validate URLs at all — it generates /![]()
tags for
+// everything and relies on DOMPurify to strip dangerous schemes.
+//
+// We match this behavior exactly:
+// - All URLs pass validation, including javascript:, vbscript:, file:, data:
+// - Images: renderer.rules.image shows alt text for non-data-image URLs
+// - Links: DOMPurify strips dangerous href schemes, leaving safe anchor text
+// - Blocking at validateLink would skip token generation entirely, causing raw
+// markdown source to appear instead of graceful fallbacks.
+md.validateLink = () => true;
+
+// Trim trailing CJK characters from auto-linked URLs (RFC 3986: raw CJK is
+// not valid in URLs). markdown-it's built-in linkify for https:// URLs may
+// swallow adjacent CJK text into the URL. This core rule runs after linkify
+// and splits the CJK suffix back into a plain text token.
+md.core.ruler.after("linkify", "linkify-cjk-trim", (state) => {
+ for (const blockToken of state.tokens) {
+ if (blockToken.type !== "inline" || !blockToken.children) {
+ continue;
+ }
+ const children = blockToken.children;
+ for (let i = children.length - 1; i >= 0; i--) {
+ const token = children[i];
+ if (token.type !== "link_open") {
+ continue;
+ }
+ // Only trim linkify-generated autolinks, not explicit markdown links
+ // like [OpenClaw中文](https://docs.openclaw.ai) where CJK in display
+ // text is intentional and href must not be rewritten.
+ if (token.markup !== "linkify") {
+ continue;
+ }
+ // Use the display text to find CJK boundary (href may be percent-encoded)
+ const textToken = children[i + 1];
+ if (!textToken || textToken.type !== "text") {
+ continue;
+ }
+ const displayText = textToken.content;
+ // Scan backward to find trailing CJK suffix only.
+ // Middle CJK must be preserved (e.g. https://example.com/你/test stays intact);
+ // only strip a contiguous CJK tail adjacent to non-URL text.
+ let cjkIdx = displayText.length;
+ while (cjkIdx > 0 && CJK_RE.test(displayText[cjkIdx - 1])) {
+ cjkIdx--;
+ }
+ if (cjkIdx <= 0 || cjkIdx === displayText.length) {
+ continue;
+ }
+ // Split: URL part and CJK tail from display text
+ const trimmedDisplay = displayText.slice(0, cjkIdx);
+ const cjkTail = displayText.slice(cjkIdx);
+ // Rebuild href by preserving the scheme prefix that linkify added but
+ // display text omits (e.g. "mailto:" for emails, "http://" for www links).
+ const href = token.attrGet("href") ?? "";
+ const prefixLen = href.indexOf(displayText);
+ const hrefPrefix = prefixLen > 0 ? href.slice(0, prefixLen) : "";
+ token.attrSet("href", hrefPrefix + trimmedDisplay);
+ textToken.content = trimmedDisplay;
+ // Find link_close and insert CJK text after it
+ for (let j = i + 1; j < children.length; j++) {
+ if (children[j].type === "link_close") {
+ const tailToken = new state.Token("text", "", 0);
+ tailToken.content = cjkTail;
+ children.splice(j + 1, 0, tailToken);
+ break;
+ }
+ }
+ }
+ }
+});
+
+// Enable GFM task list checkboxes (- [x] / - [ ]).
+// enabled: false keeps checkboxes read-only (disabled="") — task lists in
+// chat messages are display-only, not interactive forms.
+// label: false avoids wrapping item text in
`;
+ const langLabel = lang ? `${escapeHtml(lang)}` : "";
+ const attrSafe = escapeHtml(text);
+ const copyBtn = ``;
+ const header = `${langLabel}${copyBtn}`;
+
+ const trimmed = text.trim();
+ const isJson =
+ lang === "json" ||
+ (!lang &&
+ ((trimmed.startsWith("{") && trimmed.endsWith("}")) ||
+ (trimmed.startsWith("[") && trimmed.endsWith("]"))));
+
+ if (isJson) {
+ const lineCount = text.split("\n").length;
+ const label = lineCount > 1 ? `JSON · ${lineCount} lines` : "JSON";
+ return `${label}
${header}${codeBlock}`;
+ }
+
+ return `${header}${codeBlock}`;
+};
+
+// Override indented code blocks (code_block) with the same treatment as fence
+md.renderer.rules.code_block = (tokens, idx) => {
+ const token = tokens[idx];
+ const text = token.content;
+ const safeText = escapeHtml(text);
+ const codeBlock = `${safeText}
`;
+ const attrSafe = escapeHtml(text);
+ const copyBtn = ``;
+ const header = `${copyBtn}`;
+
+ const trimmed = text.trim();
+ const isJson =
+ (trimmed.startsWith("{") && trimmed.endsWith("}")) ||
+ (trimmed.startsWith("[") && trimmed.endsWith("]"));
+
+ if (isJson) {
+ const lineCount = text.split("\n").length;
+ const label = lineCount > 1 ? `JSON · ${lineCount} lines` : "JSON";
+ return `${label}
${header}${codeBlock}`;
+ }
+
+ return `${header}${codeBlock}`;
+};
export function toSanitizedMarkdownHtml(markdown: string): string {
const input = markdown.trim();
@@ -197,15 +504,10 @@ export function toSanitizedMarkdownHtml(markdown: string): string {
}
let rendered: string;
try {
- rendered = marked.parse(`${truncated.text}${suffix}`, {
- renderer: htmlEscapeRenderer,
- gfm: true,
- breaks: true,
- }) as string;
+ rendered = md.render(`${truncated.text}${suffix}`);
} catch (err) {
- // Fall back to escaped plain text when marked.parse() throws (e.g.
- // infinite recursion on pathological markdown patterns — #36213).
- console.warn("[markdown] marked.parse failed, falling back to plain text:", err);
+ // Fall back to escaped plain text when md.render() throws (#36213).
+ console.warn("[markdown] md.render failed, falling back to plain text:", err);
const escaped = escapeHtml(`${truncated.text}${suffix}`);
rendered = `${escaped}`;
}
@@ -216,72 +518,6 @@ export function toSanitizedMarkdownHtml(markdown: string): string {
return sanitized;
}
-// Prevent raw HTML in chat messages from being rendered as formatted HTML.
-// Display it as escaped text so users see the literal markup.
-// Security is handled by DOMPurify, but rendering pasted HTML (e.g. error
-// pages) as formatted output is confusing UX (#13937).
-const htmlEscapeRenderer = new marked.Renderer();
-htmlEscapeRenderer.html = ({ text }: { text: string }) => escapeHtml(text);
-htmlEscapeRenderer.image = (token: { href?: string | null; text?: string | null }) => {
- const label = normalizeMarkdownImageLabel(token.text);
- const href = token.href?.trim() ?? "";
- if (!INLINE_DATA_IMAGE_RE.test(href)) {
- return escapeHtml(label);
- }
- return `})
`;
-};
-
-function normalizeMarkdownImageLabel(text?: string | null): string {
- const trimmed = text?.trim();
- return trimmed ? trimmed : "image";
-}
-
-htmlEscapeRenderer.code = ({
- text,
- lang,
- escaped,
-}: {
- text: string;
- lang?: string;
- escaped?: boolean;
-}) => {
- const langClass = lang ? ` class="language-${escapeHtml(lang)}"` : "";
- const safeText = escaped ? text : escapeHtml(text);
- const codeBlock = `${safeText}
`;
- const langLabel = lang ? `${escapeHtml(lang)}` : "";
- const attrSafe = text
- .replace(/&/g, "&")
- .replace(/"/g, """)
- .replace(//g, ">");
- const copyBtn = ``;
- const header = `${langLabel}${copyBtn}`;
-
- const trimmed = text.trim();
- const isJson =
- lang === "json" ||
- (!lang &&
- ((trimmed.startsWith("{") && trimmed.endsWith("}")) ||
- (trimmed.startsWith("[") && trimmed.endsWith("]"))));
-
- if (isJson) {
- const lineCount = text.split("\n").length;
- const label = lineCount > 1 ? `JSON · ${lineCount} lines` : "JSON";
- return `${label}
${header}${codeBlock}`;
- }
-
- return `${header}${codeBlock}`;
-};
-
-function escapeHtml(value: string): string {
- return value
- .replace(/&/g, "&")
- .replace(//g, ">")
- .replace(/"/g, """)
- .replace(/'/g, "'");
-}
-
function renderEscapedPlainTextHtml(value: string): string {
return `${escapeHtml(value.replace(/\r\n?/g, "\n"))}`;
}