fix(files): harden the markdown editor (CRLF chunking, href allowlist, image escaping)

Final-audit follow-ups:
- splitMarkdownBlocks normalizes CRLF/CR first — a closing fence ending in \r
  no longer fails to match, which had collapsed Windows-authored files with
  fenced code into one block and defeated the linear chunker (perf regression).
- normalizeLinkHref rejects file://, blob:, and other non-network schemes
  (script/data schemes already rejected); network scheme:// (http/ftp/…) and
  bare host:port still pass.
- Image markdown serialization escapes alt/title delimiters and angle-brackets
  a src with spaces/parens, so they round-trip losslessly; linked-image anchors
  open in a new tab (target=_blank).
- Markdown paste routes through the chunker so a large pasted blob can't freeze
  the main thread.

Author: waleedlatif1

apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/rich-markdown-editor/image.tsx

@@ -68,8 +68,11 @@ function imageMarkdown(node: JSONContent): string {
     if (height) parts.push(`height="${escapeAttr(String(height))}"`)
     image = `<img ${parts.join(' ')}>`
   } else {
-    const titlePart = title ? ` "${title}"` : ''
-    image = `![${alt}](${src}${titlePart})`
+    // Escape so an alt with `]`/`[` or a title with `"` can't break out of the `![…](… "…")` syntax
+    // and corrupt the round-trip; a src with spaces/parens goes in angle brackets (CommonMark).
+    const titlePart = title ? ` "${title.replace(/["\\]/g, '\\$&')}"` : ''
+    const safeSrc = /[\s()]/.test(src) ? `<${src}>` : src
+    image = `![${alt.replace(/[\\[\]]/g, '\\$&')}](${safeSrc}${titlePart})`
   }
   if (!href) return image
   const hrefTitlePart = hrefTitle ? ` "${hrefTitle}"` : ''
@@ -245,7 +248,7 @@ function ResizableImageView({ node, updateAttributes, selected, editor }: ReactN
   return (
     <NodeViewWrapper className='relative my-4 inline-block leading-none'>
       {safeHref ? (
-        <a href={safeHref} rel='noopener noreferrer' className='block'>
+        <a href={safeHref} target='_blank' rel='noopener noreferrer' className='block'>
           {image}
         </a>
       ) : (

apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/rich-markdown-editor/markdown-fidelity.ts

@@ -32,20 +32,32 @@ export function applyFrontmatter(frontmatter: string, body: string): string {
   return frontmatter + body
 }
 
+/** A leading `scheme://` URL (network protocol). */
+const SCHEME_URL = /^([a-z][a-z0-9+.-]*):\/\//i
+/** A leading `scheme:` token (per the URL grammar). */
+const HAS_SCHEME = /^[a-z][a-z0-9+.-]*:/i
+/** A bare `host:port` (digits after the colon) — looks scheme-like but is really a domain. */
+const HOST_PORT = /^[a-z0-9.-]+:\d+(?:[/?#]|$)/i
+
 /**
  * Normalize a user-entered link target: prefix a bare domain with `https://` so it doesn't resolve
  * as an in-app relative URL, while leaving already-qualified, relative, and protocol-relative URLs
- * intact. Dangerous schemes (`javascript:`, `data:`, `vbscript:`, `file:`) are rejected outright
- * rather than mangled into a broken `https://javascript:…`.
+ * intact. Dangerous schemes are rejected outright rather than trusted or mangled: any `scheme:`
+ * without `//` other than `mailto:`/`tel:` (so `javascript:`, `data:`, `vbscript:`, `blob:`, …), and
+ * `file://` (local file access). Other network `scheme://` URLs (`http(s)`, `ftp`, …) pass through.
  */
 export function normalizeLinkHref(href: string): string {
   const trimmed = href.trim()
   if (!trimmed) return ''
-  if (/^(?:javascript|data|vbscript|file):/i.test(trimmed)) return ''
-  if (/^(?:https?:\/\/|mailto:|tel:|[#?])/i.test(trimmed)) return trimmed
+  if (/^[#?]/.test(trimmed)) return trimmed
   if (trimmed.startsWith('//')) return `https:${trimmed}`
   if (trimmed.startsWith('/')) return trimmed
-  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(trimmed)) return trimmed
+  if (/^(?:mailto|tel):/i.test(trimmed)) return trimmed
+  const schemed = trimmed.match(SCHEME_URL)
+  if (schemed) return /^file$/i.test(schemed[1]) ? '' : trimmed
+  // A `scheme:` without `//` (and not mailto/tel) is a script/data scheme — reject it. A bare
+  // host:port (digits after the colon) is a domain, not a scheme, so it falls through to https.
+  if (HAS_SCHEME.test(trimmed) && !HOST_PORT.test(trimmed)) return ''
   return `https://${trimmed}`
 }
 

apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/rich-markdown-editor/markdown-parse.test.ts

@@ -126,6 +126,12 @@ describe('parseMarkdownToDoc (chunked)', () => {
     it('a multi-paragraph list item (indented continuation) stays one block', () => {
       expect(splitMarkdownBlocks('1. first\n\n   second para\n\n2. next')).toHaveLength(1)
     })
+    it('CRLF line endings still split (a closing fence ending in \\r must close)', () => {
+      // A Windows-authored file with fenced code must not collapse to one block (which would defeat
+      // the chunker); the closer ending in `\r` has to match. Assert block COUNT, not just fidelity.
+      const crlf = '```ts\r\nx\r\n```\r\n\r\npara1\r\n\r\npara2\r\n\r\npara3'
+      expect(splitMarkdownBlocks(crlf)).toEqual(['```ts\nx\n```', 'para1', 'para2', 'para3'])
+    })
   })
 
   it('matches one-shot on a large mixed document (the case the chunker exists for)', () => {

apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/rich-markdown-editor/markdown-parse.ts

@@ -57,7 +57,10 @@ const BLOCKQUOTE = /^[ ]{0,3}>/
  * would silently shatter nested fences.
  */
 export function splitMarkdownBlocks(body: string): string[] {
-  const lines = body.split('\n')
+  // Normalize CRLF/CR first: the fence/list/blockquote line tests anchor on `$`, so a trailing `\r`
+  // would stop a closing fence matching and swallow the rest of a Windows-authored file into one
+  // block (defeating the chunker). The editor normalizes `\r` on parse anyway, so meaning is unchanged.
+  const lines = body.replace(/\r\n?/g, '\n').split('\n')
   const groups: string[] = []
   let current: string[] = []
   let fence: string | null = null

apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/rich-markdown-editor/markdown-paste.ts

@@ -1,5 +1,6 @@
 import { Extension } from '@tiptap/core'
 import { Plugin } from '@tiptap/pm/state'
+import { parseMarkdownToDoc } from './markdown-parse'
 
 /**
  * Markdown syntax hints. If pasted plain text matches any of these, it's parsed as markdown rather
@@ -41,9 +42,11 @@ export const MarkdownPaste = Extension.create({
             if (html) return false
             const text = event.clipboardData?.getData('text/plain')
             if (!text || !looksLikeMarkdown(text)) return false
-            const json = editor.markdown?.parse(text)
-            if (!json) return false
-            return editor.commands.insertContent(json)
+            // Parse through the chunker (linear) so pasting a large markdown blob can't freeze the
+            // main thread the way the underlying superlinear parse would.
+            const doc = parseMarkdownToDoc(text)
+            if (!doc.content?.length) return false
+            return editor.commands.insertContent(doc)
           },
         },
       }),

apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/rich-markdown-editor/round-trip.test.ts

@@ -112,6 +112,11 @@ describe('markdown-fidelity utils', () => {
     expect(normalizeLinkHref('data:text/html,<script>')).toBe('')
     expect(normalizeLinkHref('//cdn.example.com/a.js')).toBe('https://cdn.example.com/a.js')
     expect(normalizeLinkHref('ftp://host/file')).toBe('ftp://host/file')
+    // Dangerous schemes rejected; a bare host:port is still treated as a domain.
+    expect(normalizeLinkHref('file:///etc/passwd')).toBe('')
+    expect(normalizeLinkHref('blob:https://x.com/uuid')).toBe('')
+    expect(normalizeLinkHref('vbscript:msgbox(1)')).toBe('')
+    expect(normalizeLinkHref('localhost:3000/path')).toBe('https://localhost:3000/path')
   })
 
   it('collapses trailing blank lines and preserves leading whitespace', () => {
@@ -171,6 +176,13 @@ describe('editor markdown round-trip', () => {
     expect(out).toContain('![alt](https://example.com/i.png)')
   })
 
+  it('round-trips an image whose alt/title contain delimiter characters (idempotent)', () => {
+    const input = '![a [b] c](https://example.com/i.png "ti\\"tle")'
+    const out = roundTrip(input)
+    expect(roundTrip(out)).toBe(out)
+    expect(out).toContain('https://example.com/i.png')
+  })
+
   it('round-trips a linked image / badge (keeps the wrapping link)', () => {
     const out = roundTrip(
       '[![build](https://img.shields.io/badge/x-green)](https://ci.example.com)'