Skip to content

feat(core): markdown live preview #2#122

Open
arieslx wants to merge 3 commits into
floatboatai:mainfrom
arieslx:feat(core)/markdown-live-preview
Open

feat(core): markdown live preview #2#122
arieslx wants to merge 3 commits into
floatboatai:mainfrom
arieslx:feat(core)/markdown-live-preview

Conversation

@arieslx

@arieslx arieslx commented Jul 3, 2026

Copy link
Copy Markdown

Summary / 摘要

Sanitize source-mapped Markdown HTML export and reuse it in the Electron split preview to avoid raw HTML injection.

Motivation / 背景与动机

Split preview previously had a separate Markdown preview renderer path that could inject raw Markdown HTML into the Electron renderer. This change routes split preview rendering through core HTML export and applies the same sanitizer boundary to source-mapped and non-source-mapped export paths.

  • Issue:
  • Roadmap (docs/ROADMAP.md):
  • OpenSpec change:

Changes / 变更内容

  • packages/core:

    • Add html-export.ts for source-mapped semantic HTML export with data-source-* attributes.
    • Add html-sanitizer.ts to remove dangerous raw HTML tags/attributes and allowlist URL protocols.
    • Apply sanitizer to both exportHTML() and exportHTML({ sourceMap: true }).
    • Add ExportHTMLOptions, ExportHTMLResult, and ExportHTMLSourceMapEntry types.
    • Preserve the public parseMarkdownToAst export.
    • Reuse the shared sanitizer from live preview.
  • packages/plugin-*:

    • No changes.
  • apps/electron-demo:

    • Remove the split preview’s private Markdown renderer.
    • Render split preview from editor.exportHTML({ sourceMap: true }).
    • Update split preview tests for the new export contract.
  • openspec/:

    • No changes.

Testing / 测试

  • pnpm test passes / 全绿
    • Verified targeted suite with:
      • npm test -- --run packages/core/test/editor.test.ts apps/electron-demo/test/split-preview.test.ts
  • Affected packages build (pnpm build) / 受影响包构建通过
    • Attempted npm run build, but pnpm stopped at the electron/esbuild build-script approval gate.
  • New / updated vitest cases / 新增或更新的 vitest 用例:
    • Source-mapped HTML export.
    • Raw HTML sanitizer coverage for dangerous tags, event handlers, quoted/unquoted/entity-encoded unsafe URLs.
    • Markdown link/image protocol allowlist.
    • Public parseMarkdownToAst export compatibility.
  • Manual UI check in electron-demo / electron-demo 手动验证:

Compliance / 合规自检

  • CLA signed — first-time contributors will be prompted automatically by the CLA bot / 首次贡献者按 CLA 机器人提示签署
  • New dependencies (if any) listed with license & rationale (none if blank):
    None.
  • No build artifacts committed (dist/, dist-electron/, compiled .js from .ts) / 未提交构建产物
  • No secrets / .env / personal vault data committed / 无敏感信息

Checklist / 自检清单

  • Title follows Conventional Commits / 标题遵循 Conventional Commits
  • Public API changes update package README / types — 改了公共 API 已同步 README 与类型
  • Change aligns with project scope (GOVERNANCE.md §4) / 改动符合 GOVERNANCE.md §4 的项目范围

Screenshots / Recordings · 截图或录屏 (UI changes)

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant