Open
Conversation
`sanitize.ts` mixes a pure DOMPurify wrapper with React/jotai state that transitively imports the full editor/codemirror/SQL panel tree, including `.svg`/`.png` database icon assets added in #8528. This breaks the marimo-lsp VS Code extension build — esbuild bundles `transitionCell` from `core/cells/cell.ts`, which reaches `sanitize.ts` via `outline.ts`, pulling in assets it has no loader for. This has blocked upgrading the frontend dependency in marimo-lsp since 0.20.2. No logic changes. `sanitizeHtml` and its DOMPurify hooks move to `sanitize-html.ts`, `outline.ts` imports from there directly, and `sanitize.ts` re-exports for backward compat.
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Contributor
There was a problem hiding this comment.
Pull request overview
This PR decouples HTML sanitization from React/jotai state so non-UI consumers (notably the marimo-lsp VS Code extension bundle) don’t transitively pull in the editor tree and its static assets.
Changes:
- Moved the pure
DOMPurifywrapper (sanitizeHtml+ hooks) into a new standalone modulesanitize-html.ts. - Updated
core/dom/outline.tsto importsanitizeHtmlfrom the standalone module to avoid dragging in editor-related dependencies. - Kept backward compatibility by re-exporting
sanitizeHtmlfrom the existingsanitize.ts.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| frontend/src/plugins/core/sanitize.ts | Removes DOMPurify implementation and re-exports sanitizeHtml from the new standalone module. |
| frontend/src/plugins/core/sanitize-html.ts | New standalone module containing DOMPurify hooks + sanitizeHtml implementation. |
| frontend/src/core/dom/outline.ts | Swaps import to use the standalone sanitize-html module directly. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| tagNameCheck: /^(marimo-[A-Za-z][\w-]*|iconify-icon)$/, | ||
| attributeNameCheck: /^[A-Za-z][\w-]*$/, | ||
| }, | ||
| // This flag means we should sanitize such that is it safe for XML, |
mscolnick
approved these changes
Mar 17, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
sanitize.tsmixes a pure DOMPurify wrapper with React/jotai state that transitively imports the full editor/codemirror/SQL panel tree, including.svg/.pngdatabase icon assets added in #8528.This breaks the marimo-lsp VS Code extension build — esbuild bundles
transitionCellfromcore/cells/cell.ts, which reachessanitize.tsviaoutline.ts, pulling in assets it has no loader for. This has blocked upgrading the frontend dependency in marimo-lsp since 0.20.2.No logic changes.
sanitizeHtmland its DOMPurify hooks move tosanitize-html.ts,outline.tsimports from there directly, andsanitize.tsre-exports for backward compat.