fix(ui): escape raw HTML in user prompt messages (#260)

## Summary
- escape raw HTML when rendering user message markdown so prompt input
is shown as text instead of injected HTML
- keep assistant and tool markdown behavior unchanged by scoping the
escape behavior to user messages
- update markdown cache keys so escaped and non-escaped render output do
not collide

## Verification
- `npm run typecheck --workspace @codenomad/ui` *(fails in this
workspace because frontend dependencies are not installed)*
- `npm run build --workspace @codenomad/ui` *(fails in this workspace
because `vite` is not installed)*

--
Yours,
[CodeNomadBot](https://github.com/NeuralNomadsAI/CodeNomad)

Co-authored-by: Shantur <shantur@Mac.home>
codenomadbot[bot]
2026-03-30 08:48:52 +01:00
committed by GitHub
parent 37b3f85e61
commit d1a27ac31b
3 changed files with 24 additions and 5 deletions


@@ -11,6 +11,7 @@ let highlighterPromise: Promise<Highlighter> | null = null
let currentTheme: "light" | "dark" = "light"
let isInitialized = false
let highlightSuppressed = false
let escapeRawHtmlEnabled = false
let rendererSetup = false
let shikiModulePromise: Promise<typeof import("shiki/bundle/full")> | null = null
let bundledLanguagesCache: typeof import("shiki/bundle/full")["bundledLanguages"] | null = null
@@ -285,6 +286,14 @@ function setupRenderer(isDark: boolean) {
return `<code class="inline-code">${escapeHtml(decoded)}</code>`
}
renderer.html = (html: string) => {
if (!escapeRawHtmlEnabled) {
return html
}
return escapeHtml(decodeHtmlEntities(html))
}
marked.use({ renderer })
rendererSetup = true
}
@@ -308,6 +317,7 @@ export async function renderMarkdown(
content: string,
options?: {
suppressHighlight?: boolean
escapeRawHtml?: boolean
},
): Promise<string> {
if (!isInitialized) {
@@ -316,6 +326,7 @@ export async function renderMarkdown(
}
const suppressHighlight = options?.suppressHighlight ?? false
const escapeRawHtml = options?.escapeRawHtml ?? false
const decoded = decodeHtmlEntities(content)
if (!suppressHighlight) {
@@ -324,13 +335,16 @@ export async function renderMarkdown(
}
const previousSuppressed = highlightSuppressed
const previousEscapeRawHtml = escapeRawHtmlEnabled
highlightSuppressed = suppressHighlight
escapeRawHtmlEnabled = escapeRawHtml
try {
// Proceed to parse immediately - highlighting will be available on next render
return marked.parse(decoded) as Promise<string>
} finally {
highlightSuppressed = previousSuppressed
escapeRawHtmlEnabled = previousEscapeRawHtml
}
}
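Review bot: The new module-level `escapeRawHtmlEnabled` flag, set on `escapeRawHtmlEnabled = escapeRawHtml` and restored in the `finally` of the last hunk, only guarantees escaping if `marked.parse` drives `renderer.html` synchronously and no two `renderMarkdown` calls overlap; the `as Promise<string>` cast on the return suggests marked runs in async mode, and if that is the case the `finally` executes before the parser reaches `renderer.html`, so a user message can still be emitted as raw HTML and an overlapping assistant render can pick up the wrong flag value. This mirrors the pre-existing `highlightSuppressed` pattern, but here the flag is the HTML-injection boundary, so it deserves a per-call mechanism (for example one configured parser with the escaping `html` hook and one without, selected by `escapeRawHtml`) instead of shared mutable state. Because the option defaults to `false`, any caller that omits it renders raw HTML; making the pass-through the explicit opt-in would fail safe. The `renderer.html` hook in the second hunk should carry a comment such as `// Raw HTML passes through unchanged unless the caller opted into escaping (user prompts).` so the next reader sees where the trust decision is made.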