(text: string)
| 43 | |
| 44 | // Strip HTML tags and escape remaining HTML to prevent XSS |
| 45 | function stripAndEscapeHtml(text: string): string { |
| 46 | // First decode any HTML entities in the input |
| 47 | let stripped = decodeHtmlEntities(text) |
| 48 | |
| 49 | // Then strip markdown image badges |
| 50 | stripped = stripMarkdownImages(stripped) |
| 51 | |
| 52 | // Strip actual HTML tags (keep their text content), but leave tags inside backtick spans |
| 53 | // The alternation matches a backtick span first — if that branch wins the match is kept as-is |
| 54 | stripped = stripped.replace( |
| 55 | /(`[^`]*`)|<\/?[a-z][^>]*>/gi, |
| 56 | (match, codeSpan: string | undefined) => codeSpan ?? '', |
| 57 | ) |
| 58 | |
| 59 | // Strip HTML comments: <!-- ... --> (including unclosed comments from truncation) |
| 60 | stripped = stripped.replace( |
| 61 | /(`[^`]*`)|<!--[\s\S]*?(-->|$)/g, |
| 62 | (match, codeSpan: string | undefined) => codeSpan ?? '', |
| 63 | ) |
| 64 | |
| 65 | // Then escape any remaining HTML entities |
| 66 | return stripped |
| 67 | .replace(/&/g, '&') |
| 68 | .replace(/</g, '<') |
| 69 | .replace(/>/g, '>') |
| 70 | .replace(/"/g, '"') |
| 71 | .replace(/'/g, ''') |
| 72 | } |
| 73 | |
| 74 | // Parse simple inline markdown to HTML |
| 75 | function parseMarkdown({ text, plain }: UseMarkdownOptions): string { |
no test coverage detected