fix: some validation issues with markdown rendering and parsing

Author: devdumpling

app/components/AppHeader.vue

@@ -14,7 +14,10 @@ const { isConnected, npmUser } = useConnector()
 </script>
 
 <template>
-  <header class="sticky top-0 z-50 bg-bg/80 backdrop-blur-md border-b border-border">
+  <header
+    aria-label="Site header"
+    class="sticky top-0 z-50 bg-bg/80 backdrop-blur-md border-b border-border"
+  >
     <nav aria-label="Main navigation" class="container h-14 flex items-center">
       <!-- Left: Logo -->
       <div class="flex-shrink-0">

app/pages/docs/[...path].vue

@@ -89,8 +89,11 @@ const showEmptyState = computed(() => docsData.value?.status !== 'ok')
 
 <template>
   <div class="docs-page min-h-screen">
+    <!-- Visually hidden h1 for accessibility -->
+    <h1 class="sr-only">{{ packageName }} API Documentation</h1>
+
     <!-- Sticky header - positioned below AppHeader -->
-    <header class="docs-header sticky z-10 bg-bg/95 backdrop-blur border-b border-border">
+    <header aria-label="Package documentation header" class="docs-header sticky z-10 bg-bg/95 backdrop-blur border-b border-border">
       <div class="px-4 sm:px-6 lg:px-8 py-4">
         <div class="flex items-center justify-between gap-4">
           <div class="flex items-center gap-3 min-w-0">
@@ -219,8 +222,7 @@ const showEmptyState = computed(() => docsData.value?.status !== 'ok')
 }
 
 .docs-content .docs-section-title {
-  @apply text-lg font-semibold text-fg mb-8 pb-3 pt-4 border-b border-border;
-  @apply sticky bg-bg z-[2];
+  @apply text-lg font-semibold text-fg mb-8 pb-3 pt-4 border-b border-border sticky bg-bg z-[2];
   top: var(--combined-header-height);
 }
 

server/utils/code-highlight.ts

@@ -268,6 +268,9 @@ export async function highlightCode(
         theme: 'github-dark',
       })
 
+      // Shiki doesn't encode > in text content (e.g., arrow functions)
+      html = escapeRawGt(html)
+
       // Make import statements clickable for JS/TS languages
       if (IMPORT_LANGUAGES.has(language)) {
         html = linkifyImports(html, {

server/utils/docs.ts

@@ -71,8 +71,11 @@ interface MergedSymbol {
   jsDoc?: DenoDocNode['jsDoc']
 }
 
-/** Map of symbol names to anchor IDs for cross-referencing */
-type SymbolLookup = Map<string, string>
+/**
+ * Map of symbol names to anchor IDs for cross-referencing.
+ * @internal Exported for testing
+ */
+export type SymbolLookup = Map<string, string>
 
 // =============================================================================
 // Main API
@@ -614,7 +617,7 @@ function renderToc(symbols: MergedSymbol[]): string {
   const grouped = groupMergedByKind(symbols)
   const lines: string[] = []
 
-  lines.push(`<nav class="toc text-sm">`)
+  lines.push(`<nav class="toc text-sm" aria-label="Table of contents">`)
   lines.push(`<ul class="space-y-3">`)
 
   for (const kind of KIND_DISPLAY_ORDER) {
@@ -769,8 +772,10 @@ function createSymbolId(kind: string, name: string): string {
  * - {@link https://example.com} - external URL
  * - {@link https://example.com Link Text} - external URL with label
  * - {@link SomeSymbol} - internal cross-reference
+ *
+ * @internal Exported for testing
  */
-function parseJsDocLinks(text: string, symbolLookup: SymbolLookup): string {
+export function parseJsDocLinks(text: string, symbolLookup: SymbolLookup): string {
   let result = escapeHtml(text)
 
   result = result.replace(/\{@link\s+([^\s}]+)(?:\s+([^}]+))?\}/g, (_, target, label) => {
@@ -796,23 +801,28 @@ function parseJsDocLinks(text: string, symbolLookup: SymbolLookup): string {
 
 /**
  * Render simple markdown-like formatting.
+ * Uses <br> for line breaks to avoid nesting issues with inline elements.
+ *
+ * @internal Exported for testing
  */
-function renderMarkdown(text: string, symbolLookup: SymbolLookup): string {
+export function renderMarkdown(text: string, symbolLookup: SymbolLookup): string {
   let result = parseJsDocLinks(text, symbolLookup)
 
   result = result
     .replace(/`([^`]+)`/g, '<code class="docs-inline-code">$1</code>')
     .replace(/\*\*([^*]+)\*\*/g, '<strong>$1</strong>')
-    .replace(/\n\n/g, '</p><p class="mt-2">')
+    .replace(/\n\n+/g, '<br><br>')
     .replace(/\n/g, '<br>')
 
   return result
 }
 
 /**
  * Escape HTML special characters.
+ *
+ * @internal Exported for testing
  */
-function escapeHtml(text: string): string {
+export function escapeHtml(text: string): string {
   return text
     .replace(/&/g, '&amp;')
     .replace(/</g, '&lt;')

server/utils/readme.ts

@@ -272,10 +272,12 @@ export async function renderReadmeHtml(
     // Use Shiki if language is loaded, otherwise fall back to plain
     if (loadedLangs.includes(language as never)) {
       try {
-        return shiki.codeToHtml(text, {
+        const html = shiki.codeToHtml(text, {
           lang: language,
           theme: 'github-dark',
         })
+        // Shiki doesn't encode > in text content (e.g., arrow functions)
+        return escapeRawGt(html)
       } catch {
         // Fall back to plain code block
       }

server/utils/shiki.ts

@@ -55,10 +55,13 @@ export async function highlightCodeBlock(code: string, language: string): Promis
 
   if (loadedLangs.includes(language as never)) {
     try {
-      return shiki.codeToHtml(code, {
+      const html = shiki.codeToHtml(code, {
         lang: language,
         theme: 'github-dark',
       })
+      // Shiki doesn't encode > in text content (e.g., arrow functions =>)
+      // We need to encode them for HTML validation
+      return escapeRawGt(html)
     } catch {
       // Fall back to plain
     }
@@ -68,3 +71,20 @@ export async function highlightCodeBlock(code: string, language: string): Promis
   const escaped = code.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
   return `<pre><code class="language-${language}">${escaped}</code></pre>\n`
 }
+
+/**
+ * Escape raw > characters in HTML text content.
+ * Shiki outputs > without encoding in constructs like arrow functions (=>).
+ * This replaces > that appear in text content (after >) but not inside tags.
+ *
+ * @internal Exported for testing
+ */
+export function escapeRawGt(html: string): string {
+  // Match > that appears after a closing tag or other > (i.e., in text content)
+  // Pattern: after </...> or after >, match any > that isn't starting a tag
+  return html.replace(/>([^<]*)/g, (match, textContent) => {
+    // Encode any > in the text content portion
+    const escapedText = textContent.replace(/>/g, '&gt;')
+    return `>${escapedText}`
+  })
+}

test/unit/docs-text.spec.ts

@@ -0,0 +1,146 @@
+import { describe, expect, it } from 'vitest'
+import {
+  escapeHtml,
+  parseJsDocLinks,
+  renderMarkdown,
+  type SymbolLookup,
+} from '../../server/utils/docs'
+
+describe('escapeHtml', () => {
+  it('should escape < and >', () => {
+    expect(escapeHtml('<script>')).toBe('&lt;script&gt;')
+  })
+
+  it('should escape &', () => {
+    expect(escapeHtml('foo & bar')).toBe('foo &amp; bar')
+  })
+
+  it('should escape quotes', () => {
+    expect(escapeHtml('"hello"')).toBe('&quot;hello&quot;')
+    expect(escapeHtml("'hello'")).toBe('&#39;hello&#39;')
+  })
+
+  it('should handle multiple special characters', () => {
+    expect(escapeHtml('<a href="test?a=1&b=2">'))
+      .toBe('&lt;a href=&quot;test?a=1&amp;b=2&quot;&gt;')
+  })
+
+  it('should return empty string for empty input', () => {
+    expect(escapeHtml('')).toBe('')
+  })
+
+  it('should not modify text without special characters', () => {
+    expect(escapeHtml('hello world')).toBe('hello world')
+  })
+})
+
+describe('parseJsDocLinks', () => {
+  const emptyLookup: SymbolLookup = new Map()
+
+  it('should convert external URLs to links', () => {
+    const result = parseJsDocLinks('{@link https://example.com}', emptyLookup)
+    expect(result).toContain('href="https://example.com"')
+    expect(result).toContain('target="_blank"')
+    expect(result).toContain('rel="noopener"')
+  })
+
+  it('should handle external URLs with labels', () => {
+    const result = parseJsDocLinks('{@link https://example.com Example Site}', emptyLookup)
+    expect(result).toContain('href="https://example.com"')
+    expect(result).toContain('>Example Site</a>')
+  })
+
+  it('should convert internal symbol references to anchor links', () => {
+    const lookup: SymbolLookup = new Map([['MyFunction', 'function-MyFunction']])
+    const result = parseJsDocLinks('{@link MyFunction}', lookup)
+    expect(result).toContain('href="#function-MyFunction"')
+    expect(result).toContain('docs-symbol-link')
+  })
+
+  it('should render unknown symbols as code', () => {
+    const result = parseJsDocLinks('{@link UnknownSymbol}', emptyLookup)
+    expect(result).toContain('<code class="docs-symbol-ref">UnknownSymbol</code>')
+  })
+
+  it('should escape HTML in surrounding text', () => {
+    const result = parseJsDocLinks('Use <T> with {@link https://example.com}', emptyLookup)
+    expect(result).toContain('&lt;T&gt;')
+  })
+
+  it('should handle multiple links', () => {
+    const result = parseJsDocLinks(
+      'See {@link https://a.com} and {@link https://b.com}',
+      emptyLookup,
+    )
+    expect(result).toContain('href="https://a.com"')
+    expect(result).toContain('href="https://b.com"')
+  })
+
+  it('should not convert non-http URLs to links', () => {
+    const result = parseJsDocLinks('{@link javascript:alert(1)}', emptyLookup)
+    // Should be treated as unknown symbol, not a link
+    expect(result).not.toContain('href="javascript:')
+    expect(result).toContain('<code')
+  })
+
+  it('should handle http URLs (not just https)', () => {
+    const result = parseJsDocLinks('{@link http://example.com}', emptyLookup)
+    expect(result).toContain('href="http://example.com"')
+  })
+})
+
+describe('renderMarkdown', () => {
+  const emptyLookup: SymbolLookup = new Map()
+
+  it('should convert inline code', () => {
+    const result = renderMarkdown('Use `foo()` here', emptyLookup)
+    expect(result).toContain('<code class="docs-inline-code">foo()</code>')
+  })
+
+  it('should escape HTML inside inline code', () => {
+    const result = renderMarkdown('Use `Array<T>` here', emptyLookup)
+    expect(result).toContain('&lt;T&gt;')
+    expect(result).not.toContain('<T>')
+  })
+
+  it('should convert bold text', () => {
+    const result = renderMarkdown('This is **important**', emptyLookup)
+    expect(result).toContain('<strong>important</strong>')
+  })
+
+  it('should convert single newlines to <br>', () => {
+    const result = renderMarkdown('line 1\nline 2', emptyLookup)
+    expect(result).toBe('line 1<br>line 2')
+  })
+
+  it('should convert double newlines to <br><br>', () => {
+    const result = renderMarkdown('paragraph 1\n\nparagraph 2', emptyLookup)
+    expect(result).toBe('paragraph 1<br><br>paragraph 2')
+  })
+
+  it('should handle multiple formatting in same text', () => {
+    const result = renderMarkdown('Use `foo()` for **important** tasks', emptyLookup)
+    expect(result).toContain('<code class="docs-inline-code">foo()</code>')
+    expect(result).toContain('<strong>important</strong>')
+  })
+
+  it('should process {@link} tags', () => {
+    const lookup: SymbolLookup = new Map([['MyFunc', 'function-MyFunc']])
+    const result = renderMarkdown('See {@link MyFunc} for details', lookup)
+    expect(result).toContain('href="#function-MyFunc"')
+  })
+
+  it('should escape HTML in regular text', () => {
+    const result = renderMarkdown('Returns <T> or null', emptyLookup)
+    expect(result).toContain('&lt;T&gt;')
+  })
+
+  it('should handle empty string', () => {
+    expect(renderMarkdown('', emptyLookup)).toBe('')
+  })
+
+  it('should handle text with only whitespace', () => {
+    const result = renderMarkdown('  \n  ', emptyLookup)
+    expect(result).toBe('  <br>  ')
+  })
+})