fix: address review comments on PR #447

[narutamaaurum]

This PR addresses the review comments from CodeRabbit and Qodo on the original PR #447:

Fixes

1. Fixed missing React import in playground-editor.tsx (Critical bug from Qodo)

   • Added to named imports from React
   • Changed to

2. Removed redundant variable assignment in code-line.tsx (CodeRabbit nitpick)

   • Removed and used directly

3. Added HTML escaping to prevent XSS (CodeRabbit security concern)

   • Added function to sanitize input before
   • Applied escaping in function

Testing

• Build passes successfully ()
• No new TypeScript errors introduced in modified files

Closes #442

Summary by CodeRabbit

• Refactor
  • Improved syntax highlighting for code lines for more accurate and stable highlighting of keywords, strings, and identifiers.
  • Enhanced editor responsiveness by memoizing language-update logic so the editor switches languages more reliably when files change.
  • Adjusted terminal startup so the prompt appears immediately after welcome messages, making the terminal ready for input sooner.

[qodo-code-review]

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan Learn more →

On a Teams plan?
Reviews resume once this user has a paid seat and their Git account is linked in Qodo.
Link Git account →

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center?
These require an Enterprise plan - Contact us
Contact us →

[github-actions]

👋 Thanks for opening a PR, @narutamaaurum!

Your PR has entered the 🚦 PR Review Pipeline.

⚪ Standard PR detected — your PR will follow the standard review pipeline.

---

What happens next

Stage	Reviewer	Checks
Stage 1 — Automated Validation	🤖 Bot	DCO · Format · AI/Slop · Duplicate
Stage 2 — Human Review	👥 Maintainer	Code + Quality Review
Stage 3 — PA / Maintainer Review	🔑 Project Admin	Final Merge Decision

A pipeline status comment will appear below and update automatically as your PR progresses.

---

While you wait

• Sign all commits (git commit -s)
• Link your issue (Closes #123)
• Use a feature branch (not main)
• Avoid unrelated changes

This comment is posted only once.

[coderabbitai]

Walkthrough

Removes eslint exhaustive-deps suppressions across three modules: extracts syntax-highlighting helpers in CodeLine, memoizes updateEditorLanguage in playground-editor, and writes the terminal initial prompt during initialization while cleaning up hook-lint suppressions.

Changes

React Hook Dependencies and Exhaustive-Deps Suppressions

Layer / File(s)	Summary
Code-line syntax highlighting helpers extraction modules/home/code-line.tsx	Top-level escapeHtml, highlightCode, and highlight helpers are introduced; CodeLine computes highlighted via React.useMemo(() => highlight(line), [line]), replacing prior state/effect update logic and removing eslint suppression.
Playground editor language update memoization modules/playground/components/playground-editor.tsx	useCallback is imported; updateEditorLanguage is wrapped with useCallback(activeFile) and the useEffect now depends on activeFile and the memoized updateEditorLanguage, replacing prior lint suppression.
Terminal initialization prompt and dependency fixes modules/webcontainers/components/terminal.tsx	initializeTerminal writes the initial prompt immediately after welcome messages; eslint hook-lint suppression comments were removed from initialization and cleanup effects without changing runtime cleanup behavior.

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly Related PRs

• piyushdotcomm/Editron#445: Refactors the same three modules with overlapping changes—extracting highlighting helpers, memoizing updateEditorLanguage, and removing exhaustive-deps suppressions.
• piyushdotcomm/Editron#184: Modifies playground-editor.tsx around updateEditorLanguage implementation and hook dependencies.

Suggested Labels

bug, gssoc:approved

Suggested Reviewers

• piyushdotcomm
• Maxd646

Poem

🐰 I hopped through hooks and linted lines,
Helpers neat and callback vines,
The terminal prompts a cheerful cheer,
Commented rules no longer near,
Code shines bright — a rabbit's rhyme. 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'fix: address review comments on PR #447' is vague and does not clearly summarize the actual changes made (refactoring hooks with useMemo/useCallback and adding XSS protection).	Consider a more descriptive title like 'fix: remove exhaustive-deps by refactoring hooks and adding XSS protection' to better convey the primary changes.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description covers key fixes with specific file changes and testing validation, aligning well with the template structure despite some formatting inconsistencies in code references.
Linked Issues check	✅ Passed	The PR successfully addresses all objectives from #442: removed exhaustive-deps suppressions, added useCallback memoization in playground-editor.tsx, replaced useState+useEffect with useMemo in code-line.tsx, and added XSS protection via HTML escaping.
Out of Scope Changes check	✅ Passed	All changes are in-scope: hook dependency fixes and removal of eslint suppressions per #442, plus XSS mitigation and a missing React import that are closely related review comments from PR #447.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

modules/home/code-line.tsx (1)

31-36: ⚡ Quick win

Avoid derived state for synchronous highlighting.

highlighted is fully derived from line; useState + useEffect adds an extra render per CodeLine instance.

Recommended refactor

 export const CodeLine = ({ line }: { line: string }) => {
-    const [highlighted, setHighlighted] = React.useState<React.ReactNode>(line);
-
-    React.useEffect(() => {
-        setHighlighted(highlight(line));
-    }, [line]);
-
-    return highlighted;
+    const highlighted = React.useMemo(() => highlight(line), [line]);
+    return highlighted;
 };

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@modules/home/code-line.tsx` around lines 31 - 36, The component CodeLine
currently stores derived state highlighted (via React.useState and
React.useEffect) even though highlighted is a pure synchronous transformation of
the prop line (using highlight), causing an extra render; remove the state and
effect and compute highlighted directly (or use React.useMemo(() =>
highlight(line), [line])) inside CodeLine so the UI renders once and still
updates when line changes, referencing the highlighted variable, the highlight
function, and the line prop for where to apply the change.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@modules/home/code-line.tsx`:
- Around line 24-26: The comment parsing in the code-line.tsx branch uses
text.split('//') but only renders parts[0] and parts[1], dropping any additional
segments; update the rendering in the if (text.includes('//')) branch so that
after splitting you reconstruct the full comment by joining
parts.slice(1).join('//') (prefixing with '//' as before) and render
highlightCode(parts[0]) for the code portion and the reconstructed comment
string for the comment span; reference the variables text, parts and the
function highlightCode to locate the change.
- Around line 5-11: The string token highlighting fails because escapeHtml
transforms quotes into HTML entities before highlightCode runs its string
regexes (/'[^']*'/g and /"[^"]*"/g), so those patterns never match; fix by
running the tokenizer/highlighter against the raw input (call highlightCode on
the original text before calling escapeHtml) or by applying the string regexes
to the unescaped text and only escaping content when wrapping tokens for output;
update the flow in functions escapeHtml and highlightCode so string matching
happens on unescaped text and ensure any inserted HTML is escaped when you build
the final markup.

---

Nitpick comments:
In `@modules/home/code-line.tsx`:
- Around line 31-36: The component CodeLine currently stores derived state
highlighted (via React.useState and React.useEffect) even though highlighted is
a pure synchronous transformation of the prop line (using highlight), causing an
extra render; remove the state and effect and compute highlighted directly (or
use React.useMemo(() => highlight(line), [line])) inside CodeLine so the UI
renders once and still updates when line changes, referencing the highlighted
variable, the highlight function, and the line prop for where to apply the
change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: c37d1e67-fae7-4a1f-90b5-74aa1f366520

📥 Commits

Reviewing files that changed from the base of the PR and between f12b223 and 5473a53.

📒 Files selected for processing (3)

• modules/home/code-line.tsx
• modules/playground/components/playground-editor.tsx
• modules/webcontainers/components/terminal.tsx

💤 Files with no reviewable changes (1)

• modules/webcontainers/components/terminal.tsx

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate and inspect the file in question
FILE="modules/home/code-line.tsx"
echo "=== File exists? ==="
ls -la "$FILE" || true

echo "=== Lines 1-120 (for context) ==="
nl -ba "$FILE" | sed -n '1,160p'

echo "=== Find escapeHtml / highlightCode / highlight / dangerouslySetInnerHTML usages ==="
rg -n "escapeHtml|highlightCode|highlight\(|dangerouslySetInnerHTML|split\\(.*//|useState|useEffect" "$FILE" || true

echo "=== Extract suspected string/token regexes (around where comment references lines 18-19) ==="
# Print a small window around line numbers referenced by the review comment.
nl -ba "$FILE" | sed -n '10,60p'

echo "=== If present, inspect any string regex patterns ==="
rg -n --hidden --no-ignore -S "['\"]|string|literal|regex|match|replace\\(\\/.*\\/" "$FILE" || true

Repository: piyushdotcomm/Editron

Length of output: 258

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="modules/home/code-line.tsx"
echo "=== File exists? ==="
ls -la "$FILE" || true

echo "=== Lines 1-180 (context) ==="
cat -n "$FILE" | sed -n '1,180p'

echo "=== Find key symbols/usages ==="
rg -n "escapeHtml|highlightCode|highlight\\(|dangerouslySetInnerHTML|split\\(|useState|useEffect" "$FILE" || true

echo "=== Extract escapeHtml function body (best-effort) ==="
# Print around the first occurrence of escapeHtml
LINE=$(rg -n "escapeHtml" "$FILE" | head -n 1 | cut -d: -f1 || true)
if [[ -n "${LINE:-}" ]]; then
  START=$((LINE-10))
  END=$((LINE+40))
  (( START<1 )) && START=1
  cat -n "$FILE" | sed -n "${START},${END}p"
fi

echo "=== Extract highlightCode/highlight usage sections ==="
rg -n "highlightCode|highlight\\(" "$FILE" || true

for pat in "highlightCode" "highlight(" "dangerouslySetInnerHTML" "split\\(" "useEffect" "useState"; do
  echo "=== Around first match of: $pat ==="
  LINE=$(rg -n "$pat" "$FILE" | head -n 1 | cut -d: -f1 || true)
  if [[ -z "${LINE:-}" ]]; then
    echo "No match for $pat"
    continue
  fi
  START=$((LINE-15))
  END=$((LINE+60))
  (( START<1 )) && START=1
  (( END>9999 )) && END=9999
  cat -n "$FILE" | sed -n "${START},${END}p"
done

Repository: piyushdotcomm/Editron

Length of output: 11559

---

Quote escaping breaks string token highlighting.

highlightCode escapes the input via escapeHtml (turning " into " and ' into &#39;) before applying the string regexes (/'[^']*'/g and /"[^"]*"/g`), so quoted literals never match and don’t get highlighted.

Proposed fix

 const escapeHtml = (text: string) => {
     return text
         .replace(/&/g, "&")
         .replace(/</g, "&lt;")
-        .replace(/>/g, "&gt;")
-        .replace(/"/g, "&quot;")
-        .replace(/'/g, "&`#039`;");
+        .replace(/>/g, "&gt;");
 };

Also applies to: 18-19

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@modules/home/code-line.tsx` around lines 5 - 11, The string token
highlighting fails because escapeHtml transforms quotes into HTML entities
before highlightCode runs its string regexes (/'[^']*'/g and /"[^"]*"/g), so
those patterns never match; fix by running the tokenizer/highlighter against the
raw input (call highlightCode on the original text before calling escapeHtml) or
by applying the string regexes to the unescaped text and only escaping content
when wrapping tokens for output; update the flow in functions escapeHtml and
highlightCode so string matching happens on unescaped text and ensure any
inserted HTML is escaped when you build the final markup.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate and display the relevant portion of the file
FILE="modules/home/code-line.tsx"
if [ ! -f "$FILE" ]; then
  echo "Missing file: $FILE"
  exit 1
fi

echo "---- $FILE (lines 1-120) ----"
nl -ba "$FILE" | sed -n '1,120p'

echo "---- $FILE (lines 18-40) ----"
nl -ba "$FILE" | sed -n '18,40p'

echo "---- $FILE: find split('//') usage ----"
rg -n "split\(['\"]//['\"]\)" "$FILE" || true

Repository: piyushdotcomm/Editron

Length of output: 178

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="modules/home/code-line.tsx"
if [ ! -f "$FILE" ]; then
  echo "Missing file: $FILE"
  exit 1
fi

echo "---- $FILE (lines 1-140) ----"
awk 'NR>=1 && NR<=140 { printf "%6d\t%s\n", NR, $0 }' "$FILE"

echo "---- $FILE: find split('//') usage ----"
rg -n "split\(['\"]//['\"]\)" "$FILE" || true

echo "---- $FILE: find text.split usages ----"
rg -n "text\.split\(" "$FILE" || true

Repository: piyushdotcomm/Editron

Length of output: 1994

---

Fix highlight() dropping content after additional //

text.split('//') is used, but only parts[0] and parts[1] are rendered ('//' + parts[1]), so any subsequent // segments (e.g., parts[2+]) are lost.

Proposed fix

 const highlight = (text: string) => {
     if (text.includes('//')) {
-        const parts = text.split('//');
-        return <><span dangerouslySetInnerHTML={{ __html: highlightCode(parts[0]) }} /><span className="text-slate-500 italic">{'//' + parts[1]}</span></>;
+        const commentStart = text.indexOf('//');
+        const codePart = text.slice(0, commentStart);
+        const commentPart = text.slice(commentStart);
+        return (
+            <>
+                <span dangerouslySetInnerHTML={{ __html: highlightCode(codePart) }} />
+                <span className="text-slate-500 italic">{commentPart}</span>
+            </>
+        );
     }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if (text.includes('//')) {
	const parts = text.split('//');
	return <><span dangerouslySetInnerHTML={{ __html: highlightCode(parts[0]) }} /><span className="text-slate-500 italic">{'//' + parts[1]}</span></>;
	if (text.includes('//')) {
	const commentStart = text.indexOf('//');
	const codePart = text.slice(0, commentStart);
	const commentPart = text.slice(commentStart);
	return (
	<>
	<span dangerouslySetInnerHTML={{ __html: highlightCode(codePart) }} />
	<span className="text-slate-500 italic">{commentPart}</span>
	</>
	);
	}

🧰 Tools

🪛 ast-grep (0.43.0)

[warning] 25-25: Usage of dangerouslySetInnerHTML detected. This bypasses React's built-in XSS protection. Always sanitize HTML content using libraries like DOMPurify before injecting it into the DOM to prevent XSS attacks.
Context: dangerouslySetInnerHTML
Note: [CWE-79] Improper Neutralization of Input During Web Page Generation

(react-unsafe-html-injection)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@modules/home/code-line.tsx` around lines 24 - 26, The comment parsing in the
code-line.tsx branch uses text.split('//') but only renders parts[0] and
parts[1], dropping any additional segments; update the rendering in the if
(text.includes('//')) branch so that after splitting you reconstruct the full
comment by joining parts.slice(1).join('//') (prefixing with '//' as before) and
render highlightCode(parts[0]) for the code portion and the reconstructed
comment string for the comment span; reference the variables text, parts and the
function highlightCode to locate the change.

[narutamaaurum]

Addressed the CodeRabbit nitpick: replaced + with for the derived state in component. This avoids an extra render per instance since is a pure synchronous transformation of the prop.

[coderabbitai]

♻️ Duplicate comments (2)

modules/home/code-line.tsx (2)

24-26: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Comment parsing drops content after additional //.

text.split('//') on line 25 produces an array, but line 26 only renders parts[0] and parts[1], discarding parts[2+]. For example, const url = "http://example.com"; // comment splits into three parts, but the final segment ( comment) is lost.

🔧 Proposed fix: use indexOf to split at the first `//`

 const highlight = (text: string) => {
     if (text.includes('//')) {
-        const parts = text.split('//');
-        return <><span dangerouslySetInnerHTML={{ __html: highlightCode(parts[0]) }} /><span className="text-slate-500 italic">{'//' + parts[1]}</span></>;
+        const commentStart = text.indexOf('//');
+        const codePart = text.slice(0, commentStart);
+        const commentPart = text.slice(commentStart);
+        return (
+            <>
+                <span dangerouslySetInnerHTML={{ __html: highlightCode(codePart) }} />
+                <span className="text-slate-500 italic">{commentPart}</span>
+            </>
+        );
     }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@modules/home/code-line.tsx` around lines 24 - 26, The current logic in the
component handling `text` uses `text.split('//')` and renders only `parts[0]`
and `parts[1]`, which discards any later segments; instead locate the first
comment marker with `indexOf('//')`, split once into `code` and `comment`, then
render `highlightCode(code)` and the full comment string (prefixed with `//`) so
multi-`//` strings like URLs are preserved; update the code that defines `parts`
and the returned JSX (references: variable `text`, the `parts` usage, and
`highlightCode`) to use that single-index split approach.

---

14-21: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Quote escaping breaks string token highlighting.

highlightCode calls escapeHtml on line 15, transforming " into " and ' into &#39; before applying the string-literal regexes on lines 18-19. The patterns /'[^']*'/g and /"[^"]*"/g expect literal quote characters and will never match the escaped entities, so string literals remain unhighlighted.

🔧 Proposed fix: apply string regexes before escaping

Refactor highlightCode to tokenize/wrap strings on the raw input, then escape the final assembled HTML:

 const highlightCode = (code: string) => {
-    const escaped = escapeHtml(code);
-    return escaped
+    return code
         .replace(/import|from|export|default|return|const|new/g, '<span class="text-red-500 dark:text-red-400 font-semibold">$&</span>')
         .replace(/'[^']*'/g, '<span class="text-amber-600 dark:text-amber-400">$&</span>')
         .replace(/"[^"]*"/g, '<span class="text-amber-600 dark:text-amber-400">$&</span>')
-        .replace(/Editron|console|editor/g, '<span class="text-rose-600 dark:text-rose-400">$&</span>');
+        .replace(/Editron|console|editor/g, '<span class="text-rose-600 dark:text-rose-400">$&</span>')
+        .replace(/[&<>]/g, (char) => {
+            const entities: Record<string, string> = { '&': '&amp;', '<': '&lt;', '>': '&gt;' };
+            return entities[char] || char;
+        });
 };

This escapes &<> at the end (after wrapping tokens) while leaving quotes intact for the regexes to match. Note: quotes inside the matched token text do not need escaping because they will be rendered as text content within the <span> tags inserted by dangerouslySetInnerHTML.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@modules/home/code-line.tsx` around lines 14 - 21, highlightCode currently
escapes quotes before matching string regexes so string literals never match;
fix by performing the string literal and token wrapping on the raw code first,
then escaping the rest. Concretely: in highlightCode, run the /'[^']*'/ and
/"[^"]*"/ and identifier/keyword replacements (and any other token replacements
like /Editron|console|editor/ and the keyword regex) on the original code but
emit unique placeholders (e.g. __SPAN_0__, __SPAN_1__) for each wrapped span,
then call escapeHtml on the placeholder-filled text to safely escape &,<,> and
finally replace the placeholders with their corresponding <span> HTML fragments.
This preserves quote characters for matching and prevents escaping the injected
span tags; refer to highlightCode and escapeHtml when making the change.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@modules/home/code-line.tsx`:
- Around line 24-26: The current logic in the component handling `text` uses
`text.split('//')` and renders only `parts[0]` and `parts[1]`, which discards
any later segments; instead locate the first comment marker with
`indexOf('//')`, split once into `code` and `comment`, then render
`highlightCode(code)` and the full comment string (prefixed with `//`) so
multi-`//` strings like URLs are preserved; update the code that defines `parts`
and the returned JSX (references: variable `text`, the `parts` usage, and
`highlightCode`) to use that single-index split approach.
- Around line 14-21: highlightCode currently escapes quotes before matching
string regexes so string literals never match; fix by performing the string
literal and token wrapping on the raw code first, then escaping the rest.
Concretely: in highlightCode, run the /'[^']*'/ and /"[^"]*"/ and
identifier/keyword replacements (and any other token replacements like
/Editron|console|editor/ and the keyword regex) on the original code but emit
unique placeholders (e.g. __SPAN_0__, __SPAN_1__) for each wrapped span, then
call escapeHtml on the placeholder-filled text to safely escape &,<,> and
finally replace the placeholders with their corresponding <span> HTML fragments.
This preserves quote characters for matching and prevents escaping the injected
span tags; refer to highlightCode and escapeHtml when making the change.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: db357689-9840-4513-a31a-76cb1d082688

📥 Commits

Reviewing files that changed from the base of the PR and between 5473a53 and af940f8.

📒 Files selected for processing (1)

• modules/home/code-line.tsx

[narutamaaurum]

Superseded by #481 which addresses the remaining CodeRabbit review comments. Closing this PR.