Skip to content

fix(web): avoid crashes on malformed Markdown hash links#608

Open
VectorPeak wants to merge 1 commit into
HKUDS:devfrom
VectorPeak:codex/markdown-safe-hash-decode
Open

fix(web): avoid crashes on malformed Markdown hash links#608
VectorPeak wants to merge 1 commit into
HKUDS:devfrom
VectorPeak:codex/markdown-safe-hash-decode

Conversation

@VectorPeak

@VectorPeak VectorPeak commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Description

Fixes malformed Markdown hash-link decoding in the frontend renderers.

Previously, hash links were decoded with decodeURIComponent(...) directly. If a hash contained malformed percent-encoding, the renderer click/scroll path could throw instead of gracefully falling back. This PR adds safeDecodeURIComponent(...), uses it in both rich and simple Markdown renderers, and covers valid plus malformed hash components with node tests.

Concrete failing payload:

[bad](#%E0%A4%A)

The affected click path is:

user/model Markdown
  -> SimpleMarkdownRenderer / RichMarkdownRenderer
  -> anchor or citation onClick handler
  -> safeDecodeURIComponent(href.slice(1))
  -> document.getElementById(...)
  -> scroll when a target exists

This only changes in-page hash target decoding for Markdown scrolling. It does not change URL sanitization, external links, attachment links, Markdown normalization, citation formatting, or scroll behavior for valid anchors.

Related Issues

  • Related to malformed Markdown/hash anchor handling

Module(s) Affected

  • agents
  • api
  • config
  • core
  • knowledge
  • logging
  • services
  • tools
  • utils
  • web (Frontend)
  • docs (Documentation)
  • scripts
  • tests
  • Other: ...

Checklist

  • I have read and followed the contribution guidelines.
  • My code follows the project's coding standards.
  • I have run pre-commit run --all-files and fixed any issues.
  • I have added relevant tests for my changes.
  • I have updated the documentation (if necessary). Not required for this frontend bug fix.
  • My changes do not introduce any new security vulnerabilities.

Additional Notes

Evidence:

Before this change, malformed hash components could throw while handling an in-page Markdown link click:

decodeURIComponent("%E0%A4%A")
// URIError: malformed URI sequence

After this change:

safeDecodeURIComponent("section%201") === "section 1"
safeDecodeURIComponent("%E0%A4%A") === "%E0%A4%A"

That keeps valid encoded anchors working while making malformed anchors degrade safely to the raw hash component.

Validation performed locally:

.\node_modules\.bin\tsc.cmd -p tsconfig.node-tests.json
# passed, exit 0

node --test dist\node-tests\tests\markdown-display.test.js
# passed, 33 tests, 0 failed

node --test <all compiled node tests>
# passed, 157 tests, 0 failed

npm run lint
# exit 0, 0 errors; repository currently reports warnings outside this change

git diff --check
# passed

Note: npm run test:node currently exits with code 1 in this Windows workspace without printing a failing test case. Running the same underlying steps manually (tsc.cmd compile followed by node --test over the compiled tests) passes successfully.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant