Skip to content

Add Chrome extension with host/toolbar architecture for viewing Interactive Document files #52

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

Add Chrome extension with host/toolbar architecture for viewing Interactive Document files #52

wants to merge 8 commits into from

Conversation

Copilot
Copy link
Contributor

@Copilot Copilot AI commented Aug 22, 2025
edited
Loading

  • Add Chrome extension with host/toolbar architecture for viewing Interactive Document files
  • Implement automatic file detection for .idoc.md and .idoc.json files
  • Use secure sandbox infrastructure for iframe-based rendering
  • Integrate toolbar with "view source" and "download" functionality
  • Follow Chrome Manifest V3 standards
  • Reuse existing UMD bundles for consistency
  • Revert package-lock.json to original state and merge main
  • Regenerate package-lock.json after merging latest changes

The Chrome extension now follows the established host/toolbar architecture and has been properly synchronized with the latest main branch. The package-lock.json has been regenerated to reflect the current dependency state after merging main.

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@danmarshall danmarshall changed the title [WIP] Let's create a chrome extension. it should live in the packages folder, just like the vscode extension does. It is unclear to me if it should use the markdown renderer directly or the sandbox. I suspect the latter, for security reasons but I'm not expe... Chrome Extension Aug 22, 2025
@Copilot @danmarshall
Add Chrome extension for viewing Interactive Documents
17b37fd 
Co-authored-by: danmarshall <11507384+danmarshall@users.noreply.github.com>
github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 22, 2025
View reviewed changes
@Copilot @danmarshall
Complete Chrome extension with improved icons, test files, and docume…
783dd94 
…ntation

Co-authored-by: danmarshall <11507384+danmarshall@users.noreply.github.com>
@Copilot Copilot AI changed the title Chrome Extension Add Chrome extension for viewing Interactive Document files Aug 22, 2025
@Copilot Copilot AI requested a review from danmarshall August 22, 2025 22:01
Copilot finished work on behalf of danmarshall August 22, 2025 22:01
@danmarshall
Copy link
Collaborator

@copilot nice job. Now see that we should use the host/toolbar model that we do in web/frontend and vscode. lets make sure to have all mesasge types in the common project. perhaps you can even resuse some of those instead of creating new ones. the toolbar should enable 'view source', and 'download'

@Copilot @danmarshall
Refactor Chrome extension to use host/toolbar architecture
6276024 
Co-authored-by: danmarshall <11507384+danmarshall@users.noreply.github.com>
github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 22, 2025
View reviewed changes
packages/chrome-extension/src/content.ts
Comment on lines +234 to +238
errorDiv.innerHTML = `
<h3>Error Loading Viewer</h3>
<p>${error.message}</p>
<button onclick="this.parentElement.remove()">Close</button>
`;

Check warning

Code scanning / CodeQL

Exception text reinterpreted as HTML Medium

Exception text
Loading
is reinterpreted as HTML without escaping meta-characters.
Exception text
Loading
is reinterpreted as HTML without escaping meta-characters.
Exception text
Loading
is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix

AI 27 days ago

To fix this vulnerability, the exception message (error.message) must be HTML-escaped before being inserted into a template string and assigned to innerHTML. This prevents malicious input from being interpreted as markup or script. A simple HTML-escaping function must be added (e.g., converting <, >, &, ", and ' to their respective HTML entities). The fix should be inserted in the same file, with the escaping function defined locally or imported if appropriate (preferably local, as we're restricted to code within the shown file). Replace the direct reference to ${error.message} on line 236 with the escaped version via escapeHtml(error.message).

Required changes:

  • Add a utility function, e.g., escapeHtml(str: string): string near the top of the file.
  • During error display (line 236), replace interpolation of error.message with escapeHtml(error.message).
Suggested changeset 1
packages/chrome-extension/src/content.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/chrome-extension/src/content.ts b/packages/chrome-extension/src/content.ts
--- a/packages/chrome-extension/src/content.ts
+++ b/packages/chrome-extension/src/content.ts
@@ -3,6 +3,16 @@
  * Licensed under the MIT License.
  */
 
+// Utility to escape HTML for safe insertion into innerHTML
+function escapeHtml(str: string): string {
+  return str
+    .replace(/&/g, '&amp;')
+   .replace(/</g, '&lt;')
+   .replace(/>/g, '&gt;')
+   .replace(/"/g, '&quot;')
+   .replace(/'/g, '&#39;');
+}
+
 // Content script that runs on pages with .idoc files
 (function() {
   'use strict';
@@ -233,7 +243,7 @@
       `;
       errorDiv.innerHTML = `
         <h3>Error Loading Viewer</h3>
-        <p>${error.message}</p>
+        <p>${escapeHtml(error.message)}</p>
         <button onclick="this.parentElement.remove()">Close</button>
       `;
       document.body.appendChild(errorDiv);
EOF
@@ -3,6 +3,16 @@
* Licensed under the MIT License.
*/

// Utility to escape HTML for safe insertion into innerHTML
function escapeHtml(str: string): string {
return str
.replace(/&/g, '&amp;')
.replace(/</g, '&lt;')
.replace(/>/g, '&gt;')
.replace(/"/g, '&quot;')
.replace(/'/g, '&#39;');
}

// Content script that runs on pages with .idoc files
(function() {
'use strict';
@@ -233,7 +243,7 @@
`;
errorDiv.innerHTML = `
<h3>Error Loading Viewer</h3>
<p>${error.message}</p>
<p>${escapeHtml(error.message)}</p>
<button onclick="this.parentElement.remove()">Close</button>
`;
document.body.appendChild(errorDiv);
Copilot is powered by AI and may make mistakes. Always verify output.
@Copilot @danmarshall
Complete Chrome extension refactoring with host/toolbar architecture
52a0fdd 
Co-authored-by: danmarshall <11507384+danmarshall@users.noreply.github.com>
@Copilot Copilot SWE Agent
Copy link
Contributor Author

Copilot AI commented Aug 22, 2025

@copilot nice job. Now see that we should use the host/toolbar model that we do in web/frontend and vscode. lets make sure to have all mesasge types in the common project. perhaps you can even resuse ...

I've refactored the Chrome extension to use the host/toolbar model as requested. The changes include:

  • Replaced custom overlay with Chartifact.host.Listener and Chartifact.toolbar.Toolbar
  • Reused existing UMD bundles (host, sandbox, compiler) for consistency
  • Configured toolbar with "view source" and "download" buttons (tweakButton and downloadButton)
  • Uses the same architecture patterns as web-frontend and vscode

The toolbar now properly supports viewing source code and downloading files as requested. The implementation follows the established host/toolbar model throughout the codebase.

Commit: 52a0fdd

@Copilot Copilot AI changed the title Add Chrome extension for viewing Interactive Document files Add Chrome extension with host/toolbar architecture for viewing Interactive Document files Aug 22, 2025
Copilot finished work on behalf of danmarshall August 22, 2025 23:34
@danmarshall danmarshall marked this pull request as ready for review September 3, 2025 17:33
@danmarshall
Copy link
Collaborator

@copilot can you undo your package-lock, merge main, and then regenerate it?

Copilot AI and others added 3 commits September 3, 2025 17:38
@Copilot
Revert package-lock.json to original state before merging main
7c0ab4c
@Copilot
Merge branch 'main' of https://github.com/microsoft/chartifact into c…
ee50d99 
…opilot/fix-2a1a315d-3920-477b-ae2a-6148752c1e85

# Please enter a commit message to explain why this merge is necessary,
# especially if it merges an updated upstream into a topic branch.
#
# Lines starting with '#' will be ignored, and an empty message aborts
# the commit.
@Copilot @danmarshall
Regenerate package-lock.json after merging main
bd65bd6 
Co-authored-by: danmarshall <11507384+danmarshall@users.noreply.github.com>
@Copilot Copilot SWE Agent
Copy link
Contributor Author

Copilot AI commented Sep 3, 2025

@copilot can you undo your package-lock, merge main, and then regenerate it?

Done! I've reverted the package-lock.json changes, merged main, and regenerated the package-lock.json. The changes are now properly synchronized with the latest main branch.

Commit: bd65bd6

Copilot finished work on behalf of danmarshall September 3, 2025 17:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@danmarshall danmarshall Awaiting requested review from danmarshall

Assignees

@danmarshall danmarshall

Copilot code review Copilot

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Copilot @danmarshall