PF5: Copy response text as both plain text and rich HTML #1879

Open
kyoto wants to merge 1 commit into openshift:pattern-fly-5 from kyoto:pf5-copy-rich-text


@kyoto kyoto commented Apr 28, 2026

When an OLS response is copied to the clipboard, write both text/plain (raw Markdown) and text/html (rendered HTML via marked) so that pasting into rich text editors preserves formatting, while plain text editors still receive the raw Markdown.

Made-with: Cursor

Summary by CodeRabbit

  • New Features
    • Clipboard now captures both plain-text and formatted HTML versions of copied content, enabling better compatibility with applications that support rich text formatting.

When an OLS response is copied to the clipboard, write both text/plain
(raw Markdown) and text/html (rendered HTML via marked) so that pasting
into rich text editors preserves formatting, while plain text editors
still receive the raw Markdown.

Made-with: Cursor
@kyoto kyoto added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 28, 2026

coderabbitai Bot commented Apr 28, 2026

📝 Walkthrough

The marked library is added as a runtime dependency, and the copyToClipboard function is refactored to convert input text to HTML using marked.parse, then write both plain text and HTML formats to the clipboard asynchronously via ClipboardItem.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dependency Addition (package.json) | Added marked@14.0.0 as a runtime dependency. |
| Clipboard Functionality Refactor (src/clipboard.ts) | Converted copyToClipboard from synchronous to asynchronous; now uses marked.parse to generate HTML representation and writes both text/plain and text/html formats via ClipboardItem instead of plain-text writeText. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A markdown whisper, parsed with care,
Clipboard now holds both formats fair,
From text to HTML, async and true,
Rich content ready, fresh and new! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and concisely describes the main change: copying response text with both plain text and HTML formatting support, which aligns with the primary modifications to the clipboard utility. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@openshift-ci openshift-ci Bot requested review from joshuawilson and syedriko April 28, 2026 08:15

openshift-ci Bot commented Apr 28, 2026

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/clipboard.ts`:
- Around line 5-10: marked.parse(value) currently emits unsanitized HTML and you
unconditionally use ClipboardItem/navigator.clipboard.write which will fail in
older browsers; fix by sanitizing the HTML output (e.g., call
DOMPurify.sanitize(html) on the result of marked.parse(value)) and then use
ClipboardItem and navigator.clipboard.write only when both ClipboardItem and
navigator.clipboard.write are available, otherwise fall back to
navigator.clipboard.writeText(value); update references inside this block
(marked.parse, the html variable, ClipboardItem, navigator.clipboard.write,
navigator.clipboard.writeText) to use the sanitized HTML and the fallback
branch.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e32c2bd6-2b3b-4384-ab7c-f6b902fc1e89

📥 Commits

Reviewing files that changed from the base of the PR and between 6051650 and aefe679.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • package.json
  • src/clipboard.ts

Comment thread src/clipboard.ts
Comment on lines +5 to +10
const html = marked.parse(value) as string;
const clipboardItem = new ClipboardItem({
'text/plain': new Blob([value], { type: 'text/plain' }),
'text/html': new Blob([html], { type: 'text/html' }),
});
await navigator.clipboard.write([clipboardItem]);
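Review bot: `html` goes from `marked.parse(value)` straight into the `text/html` Blob with nothing in between, so any raw HTML embedded in the response Markdown lands on the clipboard as live markup for whatever rich-text target it is pasted into; run it through a sanitizer before constructing the Blob. The `as string` cast on the same line also hides marked's `string | Promise<string>` return type, and since the surrounding function already uses `await`, `await marked.parse(value)` would be correct in both cases. `new ClipboardItem(...)` and `navigator.clipboard.write` are also used without a feature check or a `writeText(value)` fallback, so a browser missing either one turns the copy into a rejected promise.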

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -type f -name "clipboard.ts" | head -20

Repository: openshift/lightspeed-console

Length of output: 91


🏁 Script executed:

cat -n ./src/clipboard.ts

Repository: openshift/lightspeed-console

Length of output: 696


🏁 Script executed:

# Check for marked configuration and sanitization
rg "marked\." --type ts --type js | head -20

Repository: openshift/lightspeed-console

Length of output: 137


🏁 Script executed:

# Check package.json for marked version and dependencies
cat -n package.json | grep -A 20 "marked"

Repository: openshift/lightspeed-console

Length of output: 826


🏁 Script executed:

# Check if DOMPurify or other sanitization libraries are used
rg "DOMPurify|sanitize" --type ts --type js

Repository: openshift/lightspeed-console

Length of output: 54


🏁 Script executed:

# Check if there are other clipboard-related utilities or tests that might show the expected behavior
rg "copyToClipboard\|clipboard" --type ts --type js -l

Repository: openshift/lightspeed-console

Length of output: 54


🌐 Web query:

marked 14.0.0 sanitization HTML security

💡 Result:

In marked version 14.0.0, there is no built-in HTML sanitization feature. The legacy 'sanitize' and 'sanitizer' options were removed in version 8.0.0. Marked explicitly warns that it does not sanitize output HTML and users must apply a separate sanitization library to prevent XSS attacks when processing untrusted input.

Key security guidance from official documentation:

  • Marked converts Markdown (including raw HTML blocks) to HTML without filtering dangerous content like script tags or malicious attributes.
  • Recommended approach: Parse with marked first, then sanitize the resulting HTML.
  • Primary recommendation: Use DOMPurify.sanitize(marked.parse(markdown)).
  • Alternatives: sanitize-html, insane, or js-xss.

Example for secure usage:

import { marked } from 'marked';
import DOMPurify from 'dompurify';
const safeHtml = DOMPurify.sanitize(marked.parse(userMarkdown));

Using extensions with hooks.postprocess:

marked.use({ hooks: { postprocess(html) { return DOMPurify.sanitize(html); } } });

No XSS vulnerabilities are reported specifically for marked 14.0.0 in security databases like Snyk or GitHub Advisories. Past issues (pre-v4) involved ReDoS, fixed long ago. Version 14.0.0 (released Aug 2024) focuses on renderer changes, with no sanitization-related updates. For untrusted user input, always sanitize post-parsing to mitigate risks from raw HTML in Markdown.


🏁 Script executed:

# Check if marked has a sanitizer option or if there's any config
rg "new marked\|marked\.setOptions\|marked\.defaults" --type ts --type js

Repository: openshift/lightspeed-console

Length of output: 54


Sanitize the HTML and add a fallback for older browsers.

marked.parse(value) preserves raw HTML from the markdown source, and marked 14.0.0 has no built-in sanitization. The text/html clipboard payload can carry untrusted markup into downstream paste targets without external sanitization. Additionally, this implementation unconditionally depends on ClipboardItem/navigator.clipboard.write(), so browsers without support for the richer clipboard API will silently fail instead of falling back to navigator.clipboard.writeText(value).

Recommendations:

  • Sanitize the generated HTML before placing it on the clipboard (use DOMPurify or similar)
  • Add a fallback branch for browsers without ClipboardItem support
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/clipboard.ts` around lines 5 - 10, marked.parse(value) currently emits
unsanitized HTML and you unconditionally use
ClipboardItem/navigator.clipboard.write which will fail in older browsers; fix
by sanitizing the HTML output (e.g., call DOMPurify.sanitize(html) on the result
of marked.parse(value)) and then use ClipboardItem and navigator.clipboard.write
only when both ClipboardItem and navigator.clipboard.write are available,
otherwise fall back to navigator.clipboard.writeText(value); update references
inside this block (marked.parse, the html variable, ClipboardItem,
navigator.clipboard.write, navigator.clipboard.writeText) to use the sanitized
HTML and the fallback branch.
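
The sanitize-then-write flow with a plain-text fallback that the review comment above recommends, as an added example that is not the PR's or the project's code. `planClipboardWrite`, `fakeEnv` and the injected `render`, `sanitize` and `env` parameters are assumptions made here so the decision logic runs outside a browser; in the application they would stand for marked.parse, DOMPurify.sanitize and the browser globals.

```javascript
// Added example (not the PR's code). render/sanitize/env are injected
// assumptions standing in for marked.parse, DOMPurify.sanitize and window.

// Decide synchronously what will be written, so the decision is unit-testable.
function planClipboardWrite(value, { render, sanitize, env = globalThis }) {
  const plain = { mode: 'plain', text: value };
  const canWriteRich =
    typeof env.ClipboardItem === 'function' &&
    typeof env.navigator?.clipboard?.write === 'function';
  if (!canWriteRich) return plain;
  try {
    const html = sanitize(render(value));
    // A non-string (e.g. a Promise from an async renderer) must never reach the Blob.
    if (typeof html !== 'string') return plain;
    return { mode: 'rich', parts: { 'text/plain': value, 'text/html': html } };
  } catch {
    return plain; // a render or sanitize failure must not break copying
  }
}

async function copyToClipboard(value, deps) {
  const env = deps.env ?? globalThis;
  const plan = planClipboardWrite(value, deps);
  if (plan.mode === 'plain') {
    await env.navigator.clipboard.writeText(plan.text);
    return plan.mode;
  }
  const blobs = {};
  for (const [type, body] of Object.entries(plan.parts)) {
    blobs[type] = new Blob([body], { type });
  }
  await env.navigator.clipboard.write([new env.ClipboardItem(blobs)]);
  return plan.mode;
}

// Constructed stand-in for the browser globals, with or without rich clipboard support.
function fakeEnv({ rich }) {
  const calls = [];
  const clipboard = { writeText: async (t) => { calls.push(['writeText', t]); } };
  const env = { navigator: { clipboard }, calls };
  if (rich) {
    clipboard.write = async (items) => { calls.push(['write', items]); };
    env.ClipboardItem = function ClipboardItem(parts) { this.parts = parts; };
  }
  return env;
}
```

In the application the call would be `copyToClipboard(text, { render: (md) => marked.parse(md), sanitize: (html) => DOMPurify.sanitize(html) })`, with `env` omitted so the real browser globals are used.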
