From 629f0c3dd26e2a4bf7590834ff0694f7f308fc02 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 22 Dec 2025 20:43:29 +0000
Subject: [PATCH 1/4] Initial plan


From c55e3cc3d1c5abf5b52f0e09d1dd2a46ad8d8a6a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 22 Dec 2025 20:51:32 +0000
Subject: [PATCH 2/4] Escape HTML in tooltip labels to prevent interpretation
 of angle brackets

Co-authored-by: Keavon <4388688+Keavon@users.noreply.github.com>
---
 frontend/src/components/floating-menus/Tooltip.svelte    | 9 ++++++++-
 .../src/components/widgets/inputs/NumberInput.svelte     | 2 +-
 frontend/src/editor.ts                                   | 1 +
 frontend/src/messages.ts                                 | 2 +-
 frontend/src/subscription-router.ts                      | 2 +-
 5 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/frontend/src/components/floating-menus/Tooltip.svelte b/frontend/src/components/floating-menus/Tooltip.svelte
index 33beaaff34..fbaf4a1dc2 100644
--- a/frontend/src/components/floating-menus/Tooltip.svelte
+++ b/frontend/src/components/floating-menus/Tooltip.svelte
@@ -33,11 +33,18 @@
 		return text;
 	}
 
+	function escapeHtml(text: string): string {
+		return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+	}
+
 	function parseMarkdown(markdown: string | undefined): string | undefined {
 		if (!markdown) return undefined;
 
+		// First, escape HTML special characters to prevent interpretation as HTML tags
+		const escaped = escapeHtml(markdown);
+
 		return (
-			markdown
+			escaped
 				// .split("\n")
 				// .map((line) => line.trim())
 				// .join("\n")
diff --git a/frontend/src/components/widgets/inputs/NumberInput.svelte b/frontend/src/components/widgets/inputs/NumberInput.svelte
index 830fb1d8e5..8ac13f753c 100644
--- a/frontend/src/components/widgets/inputs/NumberInput.svelte
+++ b/frontend/src/components/widgets/inputs/NumberInput.svelte
@@ -1,7 +1,7 @@
 <script lang="ts">
+	import { evaluateMathExpression } from "@graphite/../wasm/pkg/graphite_wasm";
 	import { createEventDispatcher, onMount, onDestroy } from "svelte";
 
-	import { evaluateMathExpression } from "@graphite/../wasm/pkg/graphite_wasm";
 	import { PRESS_REPEAT_DELAY_MS, PRESS_REPEAT_INTERVAL_MS } from "@graphite/io-managers/input";
 	import type { NumberInputMode, NumberInputIncrementBehavior, ActionShortcut } from "@graphite/messages";
 	import { browserVersion, isDesktop } from "@graphite/utility-functions/platform";
diff --git a/frontend/src/editor.ts b/frontend/src/editor.ts
index fcbbba3eee..5107fd943d 100644
--- a/frontend/src/editor.ts
+++ b/frontend/src/editor.ts
@@ -1,5 +1,6 @@
 // import { panicProxy } from "@graphite/utility-functions/panic-proxy";
 import init, { setRandomSeed, wasmMemory, EditorHandle, receiveNativeMessage } from "@graphite/../wasm/pkg/graphite_wasm";
+
 import { type JsMessageType } from "@graphite/messages";
 import { createSubscriptionRouter, type SubscriptionRouter } from "@graphite/subscription-router";
 
diff --git a/frontend/src/messages.ts b/frontend/src/messages.ts
index 29eb37439c..f44d8a036a 100644
--- a/frontend/src/messages.ts
+++ b/frontend/src/messages.ts
@@ -1,8 +1,8 @@
 /* eslint-disable @typescript-eslint/no-explicit-any */
 
+import { type EditorHandle } from "@graphite/../wasm/pkg/graphite_wasm";
 import { Transform, Type, plainToClass } from "class-transformer";
 
-import { type EditorHandle } from "@graphite/../wasm/pkg/graphite_wasm";
 import { type PopoverButtonStyle, type IconName, type IconSize } from "@graphite/icons";
 
 export class JsMessage {
diff --git a/frontend/src/subscription-router.ts b/frontend/src/subscription-router.ts
index d807a0085f..9b42eb0c1b 100644
--- a/frontend/src/subscription-router.ts
+++ b/frontend/src/subscription-router.ts
@@ -1,6 +1,6 @@
+import { type EditorHandle } from "@graphite/../wasm/pkg/graphite_wasm";
 import { plainToInstance } from "class-transformer";
 
-import { type EditorHandle } from "@graphite/../wasm/pkg/graphite_wasm";
 import { type JsMessageType, messageMakers, type JsMessage } from "@graphite/messages";
 
 type JsMessageCallback<T extends JsMessage> = (messageData: T) => void;

From 8f9c3547a565a25d9dd13edd150ea81d710b9889 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 22 Dec 2025 21:01:55 +0000
Subject: [PATCH 3/4] Revert unrelated linter changes to other files

Co-authored-by: Keavon <4388688+Keavon@users.noreply.github.com>
---
 frontend/src/components/widgets/inputs/NumberInput.svelte | 2 +-
 frontend/src/editor.ts                                    | 1 -
 frontend/src/messages.ts                                  | 2 +-
 frontend/src/subscription-router.ts                       | 2 +-
 4 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/frontend/src/components/widgets/inputs/NumberInput.svelte b/frontend/src/components/widgets/inputs/NumberInput.svelte
index 8ac13f753c..830fb1d8e5 100644
--- a/frontend/src/components/widgets/inputs/NumberInput.svelte
+++ b/frontend/src/components/widgets/inputs/NumberInput.svelte
@@ -1,7 +1,7 @@
 <script lang="ts">
-	import { evaluateMathExpression } from "@graphite/../wasm/pkg/graphite_wasm";
 	import { createEventDispatcher, onMount, onDestroy } from "svelte";
 
+	import { evaluateMathExpression } from "@graphite/../wasm/pkg/graphite_wasm";
 	import { PRESS_REPEAT_DELAY_MS, PRESS_REPEAT_INTERVAL_MS } from "@graphite/io-managers/input";
 	import type { NumberInputMode, NumberInputIncrementBehavior, ActionShortcut } from "@graphite/messages";
 	import { browserVersion, isDesktop } from "@graphite/utility-functions/platform";
diff --git a/frontend/src/editor.ts b/frontend/src/editor.ts
index 5107fd943d..fcbbba3eee 100644
--- a/frontend/src/editor.ts
+++ b/frontend/src/editor.ts
@@ -1,6 +1,5 @@
 // import { panicProxy } from "@graphite/utility-functions/panic-proxy";
 import init, { setRandomSeed, wasmMemory, EditorHandle, receiveNativeMessage } from "@graphite/../wasm/pkg/graphite_wasm";
-
 import { type JsMessageType } from "@graphite/messages";
 import { createSubscriptionRouter, type SubscriptionRouter } from "@graphite/subscription-router";
 
diff --git a/frontend/src/messages.ts b/frontend/src/messages.ts
index f44d8a036a..29eb37439c 100644
--- a/frontend/src/messages.ts
+++ b/frontend/src/messages.ts
@@ -1,8 +1,8 @@
 /* eslint-disable @typescript-eslint/no-explicit-any */
 
-import { type EditorHandle } from "@graphite/../wasm/pkg/graphite_wasm";
 import { Transform, Type, plainToClass } from "class-transformer";
 
+import { type EditorHandle } from "@graphite/../wasm/pkg/graphite_wasm";
 import { type PopoverButtonStyle, type IconName, type IconSize } from "@graphite/icons";
 
 export class JsMessage {
diff --git a/frontend/src/subscription-router.ts b/frontend/src/subscription-router.ts
index 9b42eb0c1b..d807a0085f 100644
--- a/frontend/src/subscription-router.ts
+++ b/frontend/src/subscription-router.ts
@@ -1,6 +1,6 @@
-import { type EditorHandle } from "@graphite/../wasm/pkg/graphite_wasm";
 import { plainToInstance } from "class-transformer";
 
+import { type EditorHandle } from "@graphite/../wasm/pkg/graphite_wasm";
 import { type JsMessageType, messageMakers, type JsMessage } from "@graphite/messages";
 
 type JsMessageCallback<T extends JsMessage> = (messageData: T) => void;

From aa1431bf547871730626269218f279a7f7e0b086 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 22 Dec 2025 22:54:56 +0000
Subject: [PATCH 4/4] Use &apos; instead of &#039; for apostrophe escaping

Co-authored-by: Keavon <4388688+Keavon@users.noreply.github.com>
---
 frontend/src/components/floating-menus/Tooltip.svelte | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/src/components/floating-menus/Tooltip.svelte b/frontend/src/components/floating-menus/Tooltip.svelte
index fbaf4a1dc2..e30e8e3c48 100644
--- a/frontend/src/components/floating-menus/Tooltip.svelte
+++ b/frontend/src/components/floating-menus/Tooltip.svelte
@@ -34,7 +34,7 @@
 	}
 
 	function escapeHtml(text: string): string {
-		return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+		return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
 	}
 
 	function parseMarkdown(markdown: string | undefined): string | undefined {