pika-news: auto-refresh, markdown rendering, wider diffs

[justinmoon]

Summary

• Auto-reload detail page every 10s when generation status is pending or generating, stops once ready/failed
• Add marked.js for client-side markdown rendering in chat assistant responses
• Evidence snippets now render as pre/code blocks instead of inline code (with hljs syntax highlighting)
• Added CSS for markdown content in panels and chat messages
• Removed shell/page-layout max-width constraints so diffs use full viewport width
• Changed d2h-wrapper from overflow: hidden to overflow-x: auto (was clipping diff content)

Test plan

• Verified auto-refresh fires on generating pages, does not fire on ready pages
• Verified evidence renders as highlighted code blocks
• Verified diff view uses full width
• Deployed to pika-build and tested on news.pikachat.org

🤖 Generated with Claude Code

---

Summary by CodeRabbit

Release Notes

• New Features

  • Added Markdown rendering support for assistant messages
  • Implemented auto-refresh functionality during content generation
  • Improved evidence block display with multi-line code formatting

• Improvements

  • Enhanced layout flexibility and visual styling
  • Better horizontal scrolling support for code and diff displays

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 02530f7f-31bf-4d1e-a820-b1e5e1fead7b

📥 Commits

Reviewing files that changed from the base of the PR and between 0423622 and 83d3423.

📒 Files selected for processing (1)

• crates/pika-news/templates/detail.html

---

📝 Walkthrough

Walkthrough

A template file was updated to add Markdown rendering support for assistant messages using marked.js, restructure evidence display to use code blocks instead of inline code, implement client-side auto-refresh logic during generation, and adjust CSS styling for Markdown blocks and layout constraints.

Changes

Cohort / File(s)	Summary
Template and styling updates crates/pika-news/templates/detail.html	Added Markdown rendering for assistant messages; restructured evidence display from inline code list to pre/code blocks; implemented auto-refresh logic during generation; adjusted CSS for Markdown blocks, code overflow, and layout constraints; integrated marked.js library.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• pika-news: fix stale PRs, dark mode, auth recovery, diff rendering #455: Modifies the same template file (crates/pika-news/templates/detail.html) to update diff rendering behavior and client-side session/refresh handling logic.

Poem

🐰 A rabbit hops through Markdown fields,
With evidence blocks and layout shields,
Auto-refresh keeps the page alive,
While styled code blocks beautifully thrive! ✨

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch pika-news-improve

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[devin-ai-integration]

Devin Review found 2 potential issues.

[devin-ai-integration]

🔴 Stored XSS via unsanitized marked.parse() output injected with innerHTML

The new addMessage function renders assistant chat messages by passing content through marked.parse(content) and assigning the result to div.innerHTML (line 276) with no HTML sanitization. The marked library does not sanitize HTML — it passes through raw HTML embedded in markdown (e.g., <img onerror="alert(1)">, <script> tags). This contrasts with the server-side rendering path, which uses ammonia sanitization (crates/pika-news/src/web.rs:704-714). An attacker could exploit this via prompt injection: crafting a chat message that causes the Claude assistant to echo back HTML/JS in its response. That response is stored raw in the database (web.rs:631) and re-rendered via loadHistory() (line 310) on every page load, making this a stored XSS vulnerability.

Prompt for agents

In crates/pika-news/templates/detail.html, the addMessage function at line 275-277 uses marked.parse() + innerHTML without sanitization. Either:

1. Add DOMPurify (recommended): Add a script tag for DOMPurify in the head_extra block (line 9 area), e.g. <script src="https://cdn.jsdelivr.net/npm/dompurify@3.2.4/dist/purify.min.js"></script>, then change line 276 from:
   div.innerHTML = marked.parse(content);
to:
   div.innerHTML = DOMPurify.sanitize(marked.parse(content));

2. Or configure marked to not pass through HTML by setting marked.setOptions({ breaks: true }) and using a custom renderer that escapes HTML tokens, though DOMPurify is the more robust approach.

This must be done to match the server-side sanitization pattern already used in crates/pika-news/src/web.rs:704-714 (markdown_to_safe_html with ammonia).

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

🔴 Unpinned CDN version for marked library creates supply chain risk

The marked script tag loads from https://cdn.jsdelivr.net/npm/marked/marked.min.js without a version pin. This always resolves to the latest published version on npm. All other CDN dependencies on this page are pinned to specific versions (highlight.js 11.11.1, diff2html 3.4.51). An unpinned dependency means a compromised or breaking npm publish would immediately affect all users, and builds are not reproducible. The URL should include a version specifier and ideally an SRI integrity hash.

Suggested change

	<script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
	<script src="https://cdn.jsdelivr.net/npm/marked@15.0.7/marked.min.js"></script>

---

Was this helpful? React with 👍 or 👎 to provide feedback.