fix(ui): escape raw HTML in user prompt messages #260

Merged
shantur merged 1 commit into dev from codenomad/issue-259
Mar 30, 2026

@codenomadbot (bot, Contributor) commented Mar 30, 2026

Summary

  • escape raw HTML when rendering user message markdown so prompt input is shown as text instead of injected HTML
  • keep assistant and tool markdown behavior unchanged by scoping the escape behavior to user messages
  • update markdown cache keys so escaped and non-escaped render output do not collide

Verification

  • npm run typecheck --workspace @codenomad/ui (fails in this workspace because frontend dependencies are not installed)
  • npm run build --workspace @codenomad/ui (fails in this workspace because vite is not installed)

--
Yours,
CodeNomadBot
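
The cache-key point in the summary above, shown as an added example (not code from this PR or from CodeNomad): when one render cache serves both escaped and unescaped output, a key built from the message text alone hands a user message the unescaped HTML cached for an identical assistant message. The renderer is a stand-in that handles only `**bold**`, and every name and the sample text are assumptions made for illustration.

```typescript
// Added example; all names are hypothetical, not CodeNomad's API.
type RenderOptions = { escapeRawHtml: boolean };
type Renderer = (source: string, opts: RenderOptions) => string;

// Escape the HTML-significant characters so markup is displayed as text.
function escapeHtml(text: string): string {
  const map: Record<string, string> = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  };
  return text.replace(/[&<>"']/g, (ch) => map[ch] ?? ch);
}

// Stand-in markdown renderer: supports **bold** only, passes other input through.
function renderMarkdown(source: string, opts: RenderOptions): string {
  const body = opts.escapeRawHtml ? escapeHtml(source) : source;
  return "<p>" + body.replace(/\*\*(.+?)\*\*/g, "<strong>$1</strong>") + "</p>";
}

// Wrap the renderer in a cache; keyFn decides what distinguishes two entries.
function makeCachedRenderer(keyFn: Renderer): Renderer {
  const cache = new Map<string, string>();
  return (source, opts) => {
    const key = keyFn(source, opts);
    let html = cache.get(key);
    if (html === undefined) {
      html = renderMarkdown(source, opts);
      cache.set(key, html);
    }
    return html;
  };
}

// Weak: keyed on text only, so whichever mode rendered first wins.
const collidingRender = makeCachedRenderer((source) => source);
// Corrected: the escape mode is part of the key.
const separatedRender = makeCachedRenderer(
  (source, opts) => (opts.escapeRawHtml ? "esc:" : "raw:") + source,
);

// Constructed sample: the same text appears in an assistant and a user message.
const SAMPLE = "**hi** <u>raw</u>";

// Render as assistant (unescaped) first, then return the user (escaped) render.
function userOutputAfterAssistant(render: Renderer): string {
  render(SAMPLE, { escapeRawHtml: false });
  return render(SAMPLE, { escapeRawHtml: true });
}
```

A regression test for this kind of change renders the same string in both modes, in both orders, and checks that the escaped result never contains a literal `<` from the input.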

@shantur (Collaborator) commented Mar 30, 2026

@CodeNomadBot

Check the PR,
Code review it, any regression any issues you see.
Be the PR gatekeeper

@codenomadbot (bot, Contributor, Author) commented Mar 30, 2026

Reviewed PR #260 as a gatekeeper pass.

What I understood the request to be:

  • Review this PR for regressions or correctness issues.
  • Keep it to code review only, and not make drive-by changes.

Assumptions:

  • The review target is the current PR diff against dev.
  • I should report findings only if I can support them from the code or verification output.

Result:

  • No blocking findings from the diff I reviewed.
  • The change is tightly scoped to user-message markdown rendering and the cache-key update appears consistent with that behavior split.

Files reviewed:

  • packages/ui/src/components/message-part.tsx
  • packages/ui/src/components/markdown.tsx
  • packages/ui/src/lib/markdown.ts

Verification:

  • npm run typecheck --workspace @codenomad/ui failed because this workspace is missing frontend dependencies (solid-js, zod, etc.), so I could not use typecheck as a signal on this PR specifically.
  • npm run build --workspace @codenomad/ui failed because vite is not installed in this workspace.

Residual risk:

  • I could not do a runtime/browser verification from this environment, so the remaining risk is limited to actual rendered behavior for edge-case markdown/HTML combinations in user messages. From the code path itself, I did not find a regression worth blocking on.

--
Yours,
CodeNomadBot

@shantur shantur merged commit d1a27ac into dev Mar 30, 2026
11 of 12 checks passed
@shantur shantur deleted the codenomad/issue-259 branch March 30, 2026 07:48
shantur added a commit that referenced this pull request Mar 31, 2026
## Thanks for contributions
- PR #252 “feat: Enable file editing and saving” by @jchadwick
- PR #256 “feat(ui): add session yolo mode controls” by @pascalandr
- PR #257 “fix(tauri): sync native app version with package releases” by
@pascalandr
- PR #258 “fix(tauri): stop stale UI assets from shadowing desktop
builds” by @pascalandr
- PR #260 “fix(ui): escape raw HTML in user prompt messages” by
@app/codenomadbot

## Highlights
- **Edit and save files directly in CodeNomad**: Update workspace files
in the built-in editor, save them without leaving the app, and get safer
handling for unsaved changes or edit conflicts.
- **More control over session automation**: Turn on per-session YOLO
mode from the Status tab, keep it visible with a clear badge, and let
long-running sessions continue auto-accepting prompts as expected.
- **Better voice conversation options**: Use spoken summary mode for
replies and keep conversation speech settings isolated per client, so
one device’s voice preferences do not unexpectedly affect another.
- **Faster session recovery**: Reload a session transcript from the
sidebar and see when a session is retrying, including live status
feedback.

## What’s Improved
- **Smoother desktop setup**: Desktop builds now bundle the right CLI
resources and handle microphone access more cleanly.
- **More reliable cross-platform desktop behavior**: Windows process
handling and npm invocation are safer, reducing environment-specific
issues.
- **Clearer session status visibility**: Retrying sessions now show more
useful state in the sidebar and header, so it is easier to tell what is
happening.
- **Cleaner in-app feedback**: Long toast messages wrap properly, GitHub
star counts display more cleanly, and message/code rendering behaves
more predictably.

## Fixes
- **Safer prompt rendering**: Raw HTML in user prompts is escaped so
messages display safely instead of being interpreted.
- **More reliable code previews**: Incomplete syntax highlighting
results are no longer cached, which helps prevent broken-looking file
views.
- **Better voice handoff**: Conversation playback stops when voice input
starts, avoiding overlapping speech.
- **More dependable desktop releases**: Native app versions now stay
aligned with package releases, and stale UI assets no longer shadow new
desktop builds.

### Contributors
- @jchadwick
- @pascalandr