Add code-preview layout and web component example page

[juliawu]

Adds a new code-preview template type that shows source code and a rendered HTML example webpage side-byside.

Part 3 in a series of PRs implementing the changes described in #678.

Changes Made

This PR:

• Adds a new code-preview.html layout
• Adds CSS for the new layout
• Adds a README.md with instructions for how to add new examples in the future
• Updates _config.yaml so these files don't get built into webpages by Jekyll

To view the new code-preview layout example:

1. Checkout this PR
2. Spin up a local instance of the docsite
3. Visit http://localhost:4000/api/web_components/examples/all-charts.html

Screenshots

Desktop

Mobile

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the documentation site by introducing a new display format for web component examples. It allows users to view the source code and a live, interactive preview of a component simultaneously, improving clarity and ease of understanding. This change provides a structured way to present examples, making it easier for developers to learn and integrate web components.

Highlights

• New Code Preview Layout: Introduced a new Jekyll layout, code-preview.html, designed to display source code and a rendered HTML example side-by-side, enhancing the documentation for web components.
• Styling for Code Preview: Added dedicated CSS (code-preview.scss) to style the new layout, ensuring a clear and responsive presentation of the source code and live preview sections.
• Example Documentation: Provided a README.md file with comprehensive instructions on how to add new web component examples using the code-preview layout, streamlining future contributions.
• Jekyll Configuration Update: Modified _config.yml to exclude README.md files from being processed and built by Jekyll, preventing unintended publication of internal documentation.
• Web Component Example Page: Added an initial example page (all-charts.md) demonstrating the new code-preview layout for web components, serving as a template for future examples.

Changelog

• _config.yml
  • Excluded **/README.md from Jekyll's build process to prevent them from being rendered as web pages.
• _layouts/code-preview.html
  • Added a new Jekyll layout for displaying source code and a live iframe preview.
  • Integrated Prism.js for syntax highlighting of the displayed source code.
  • Implemented client-side fetching of the iframe content's source code for display.
• api/web_components/examples/README.md
  • Added a new README file providing detailed instructions on how to add new web component examples using the code-preview layout.
• api/web_components/examples/all-charts.md
  • Created a new markdown file to serve as an example page for web components, configured to use the code-preview layout and link to an all-charts.html asset.
• assets/css/code-preview.scss
  • Added new SCSS rules to define the visual layout for the code preview, including side-by-side display on larger screens and stacked display on smaller screens.
  • Styled the source code and preview panels, including headers and scrollable content areas.

Activity

• No human activity (comments, reviews) has been recorded on this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a new code-preview layout, a great feature for showcasing web component examples with a side-by-side view of the code and rendered output. However, a security audit identified potential Cross-Site Scripting (XSS) vulnerabilities due to Liquid template variables being rendered without proper escaping or sanitization. Specifically, the page.iframe_content_url variable is vulnerable to script breakout and javascript: URI injection, and page.title lacks escaping in the <title> tag. These issues should be addressed by applying appropriate Liquid filters like escape and jsonify to prevent XSS.

[gemini-code-assist]

The iframe's src attribute is populated directly from page.iframe_content_url. If an attacker can control this variable, they can use a javascript: URI to execute arbitrary code in the context of the page. While the escape filter prevents HTML injection, it does not block javascript: URIs. Consider adding a check to ensure the URL starts with a safe prefix like / or https://. Additionally, for security hardening, it's a good practice to add the sandbox="allow-scripts" attribute to restrict actions the content within the iframe can perform, reducing the impact of potential issues.

            <iframe id="iframe" src="{{ page.iframe_content_url | escape }}" sandbox="allow-scripts"></iframe>

[juliawu]

Good bot. Done.

[nick-nlb]

A follow-up (and complication) from the above suggestion: the allow-javascript is locking the iframe down heavily (normally exactly what we would want) but it is also by default turning off the allow-popups option, which has a side-effect of preventing clicks on the links like the sources (because they open in a new tab).

Since we completely control the content inside the iframe, and this content only relies on DC code, we could add allow-popups to allow the links to work.

[nick-nlb]

One last comment that I added before in here (it was hidden because it was in a resolved conversation)!

[nick-nlb]

A follow-up (and complication) from the above suggestion: the allow-javascript is locking the iframe down heavily (normally exactly what we would want) but it is also by default turning off the allow-popups option, which has a side-effect of preventing clicks on the links like the sources (because they open in a new tab).

Since we completely control the content inside the iframe, and this content only relies on DC code, we could add allow-popups to allow the links to work.

[nick-nlb]

Just the one last comment that was hidden (a follow-up to the bot suggestion), and then LGTM!

[juliawu]

Just the one last comment that was hidden (a follow-up to the bot suggestion), and then LGTM!

Great callout, fixed!