Skip to content

Escape HTML in tooltips to prevent angle brackets being interpreted as tags #3524

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Copilot wants to merge 4 commits into from
Closed

Escape HTML in tooltips to prevent angle brackets being interpreted as tags #3524

Copilot wants to merge 4 commits into from
+8 −1

Conversation

Copy link

Copilot AI commented Dec 22, 2025
edited
Loading

Description

Tooltips containing Rust generic types like Table<Vector<Option<Table<Graphic>>>> were being interpreted as HTML tags due to the {@html} directive in Tooltip.svelte. The angle brackets caused the browser to attempt parsing them as elements, resulting in broken tooltip display.

Changes

frontend/src/components/floating-menus/Tooltip.svelte:

  • Added escapeHtml() function to escape <, >, &, ", ' characters
  • Modified parseMarkdown() to escape HTML before applying markdown transformations (bold/italic/code)
  • Preserves markdown functionality while preventing HTML injection
function escapeHtml(text: string): string {
    return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
}

function parseMarkdown(markdown: string | undefined): string | undefined {
    if (!markdown) return undefined;
    const escaped = escapeHtml(markdown);
    return escaped
        .replace(/\*\*((?:(?!\*\*).)+)\*\*/g, "<strong>$1</strong>")
        .replace(/\*([^*]+)\*/g, "<em>$1</em>")
        .replace(/`([^`]+)`/g, "<code>$1</code>");
}
Original prompt

This section details on the original issue you should resolve

<issue_title>JS tooltips interpreting rust generics as HTML elements</issue_title>
<issue_description>A regression introduced by @Keavon in #3488
Image

Tooltips containing strings such as "Table<Vector<Option<Table<Graphic>>>>" are interpreted as HTML tags by the @html label</issue_description>

<agent_instructions>We need to escape HTML tags in Tooltip.svelte</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@Keavon Oh, good find, thanks for noticing this edge case.

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@Keavon
Escape HTML in tooltip labels to prevent interpretation of angle brac…
c55e3cc 
…kets

Co-authored-by: Keavon <4388688+Keavon@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix JS tooltips interpreting rust generics as HTML elements Escape HTML in tooltips to prevent angle brackets being interpreted as tags Dec 22, 2025
Copilot AI requested a review from Keavon December 22, 2025 20:55
Keavon
Keavon requested changes Dec 22, 2025
View reviewed changes
Copy link
Member

@Keavon Keavon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should only have changed the one file.

@Keavon
Revert unrelated linter changes to other files
8f9c354 
Co-authored-by: Keavon <4388688+Keavon@users.noreply.github.com>
Copy link
Author

Copilot AI commented Dec 22, 2025

You should only have changed the one file.

Fixed in commit 8f9c354. The PR now only includes changes to Tooltip.svelte.

Copilot AI requested a review from Keavon December 22, 2025 21:03
Keavon
Keavon reviewed Dec 22, 2025
View reviewed changes
frontend/src/components/floating-menus/Tooltip.svelte Outdated
}
function escapeHtml(text: string): string {
return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
Copy link
Member

@Keavon Keavon Dec 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use apos instead of 39.

Copy link
Author

Copilot AI Dec 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed to &apos; in commit aa1431b.

Keavon
Keavon requested changes Dec 22, 2025
View reviewed changes
Copy link
Member

@Keavon Keavon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See comment

@Keavon
Use &apos; instead of &#39; for apostrophe escaping
aa1431b 
Co-authored-by: Keavon <4388688+Keavon@users.noreply.github.com>
Copilot AI requested a review from Keavon December 22, 2025 22:55
@Keavon Keavon closed this Dec 22, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Keavon Keavon Awaiting requested review from Keavon

Assignees

@Keavon Keavon

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

JS tooltips interpreting rust generics as HTML elements

2 participants

@Keavon