chore: message parser limit on the client

[gabriellsh]

Proposed changes (including videos or screenshots)

This PR is a complementary of #40306. On this PR we are making consistent the behavior between the BE and FE regarding message parsing, with the use of the new MESSAGE_MAX_PARSE_LENGTH environment variable.

Issue(s)

CORE-2211

Steps to test or reproduce

1. Setup: Run Rocket.Chat with the MESSAGE_MAX_PARSE_LENGTH environment variable set to 100.

2. Under Limit: Send a message with < 100 characters containing markdown (e.g., Hello **bold**). Verify the markdown renders correctly. In the database, the message must contain the md property.

3. Over Limit: Send a message with > 100 characters containing markdown. Verify it renders as plain text (raw asterisks).

4. Contexts: Verify the same behavior (under vs. over limit) inside a Thread and when Quoting/Replying.

5. Editing: Edit a short message (currently rendered) and add text to exceed 100 characters. Verify it loses markdown formatting upon saving.

6. Translations: Enable Auto Translate in a room (Administration > Settings > Message > Auto Translate — requires a translation service configured as per the Auto Translate documentation). Set the target language and send a message in a different language with > 100 characters containing markdown. Verify that the message renders as plain text using the translated text, not the original source language. Also verify the "Translated" indicator is still shown. Repeat inside a Thread parent preview and when Quoting/Replying.

7. Disabled State: Re-run Rocket.Chat with the MESSAGE_MAX_PARSE_LENGTH env var set to 0. Verify that every message now render markdown correctly again (0 means disabled).

Further comments

Summary by CodeRabbit

Release Notes

• New Features

  • Added a configurable markdown parsing limit (from a page setting).

• Improvements

  • Messages and inline markdown that exceed the limit now render as plain text (thread/message parsing and inline rendering).
  • Markdown rendering refreshed to use a shared, limit-aware renderer.

• Bug Fixes

  • Fixed contact history message rendering when block data is missing, with correct handling for markdown vs plain text.

• Tests

  • Expanded parser-limit coverage and added unit tests for cached page meta and limit computation.

[dionisio-bot]

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: f7601ca

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 078dd79f-d821-41c5-863d-a9659eafaeea

📥 Commits

Reviewing files that changed from the base of the PR and between 1805c66 and f7601ca.

📒 Files selected for processing (1)

• apps/meteor/client/lib/normalizeThreadMessage.spec.tsx

🚧 Files skipped from review as they are similar to previous changes (1)

• apps/meteor/client/lib/normalizeThreadMessage.spec.tsx

---

Walkthrough

Introduces a configurable markdown parsing length limit sourced from a rc-message-parser-max-length page meta tag via new getPageMeta and getMarkdownParserLimit helpers. Guards all markdown parsing paths (MarkdownText, parseMessageTextToAstMarkdown, normalizeThreadMessage) to skip full parsing and return plain text for over-limit content. Extracts MarkdownTextInner from MarkdownText with all rendering logic and adds a fallback in ContactHistoryMessage for messages without md.

Changes

Markdown Parser Length Limit

Layer / File(s)	Summary
getPageMeta cached DOM helper apps/meteor/client/lib/getPageMeta.ts, apps/meteor/client/lib/getPageMeta.spec.ts	Adds a cached DOM meta tag reader with SSR guard, try/catch, and null caching. Tests verify read, missing, and cache persistence.
getMarkdownParserLimit utility apps/meteor/client/lib/getMarkdownParserLimit.ts, apps/meteor/client/lib/getMarkdownParserLimit.spec.ts	Reads rc-message-parser-max-length from page meta, validates the parsed integer, and falls back to MESSAGE_MAX_PARSE_LENGTH_DEFAULT or Infinity. Tests cover null, zero, negative, invalid, and valid inputs.
MarkdownTextInner marked and sanitization logic apps/meteor/client/components/MarkdownTextInner.tsx	Consolidates marked rendering configuration with variant-specific renderers, URI regex helpers, DOMPurify hook registration, and useMemo computation. Parses markdown, optionally transforms emoji, conditionally sanitizes, replaces internal-link tokens with translations, and renders via dangerouslySetInnerHTML.
MarkdownText limit-checked wrapper apps/meteor/client/components/MarkdownText.tsx, apps/meteor/client/components/MarkdownText.spec.tsx	Thin wrapper that checks content length against the parser limit; short-circuits to plain Box text when over-limit, delegates to MarkdownTextInner otherwise. Re-exports supportedURISchemes. Tests validate limit boundary behavior.
parseMessageTextToAstMarkdown guard apps/meteor/client/lib/parseMessageTextToAstMarkdown.ts, apps/meteor/client/lib/parseMessageTextToAstMarkdown.spec.ts	Adds an early return in textToMessageToken producing a PARAGRAPH/PLAIN_TEXT token when input exceeds the parser limit. Tests cover over-limit message, over-limit attachment, within-limit, and pre-existing md bypass.
normalizeThreadMessage guard apps/meteor/client/lib/normalizeThreadMessage.tsx, apps/meteor/client/lib/normalizeThreadMessage.spec.tsx	Introduces tryParseWithLimit that applies filterMarkdown, enforces the parser limit with a plain-text fallback, and swallows parse errors as undefined. Tests cover all branches including parse failure and attachment title/description rendering.
ContactHistoryMessage raw msg fallback apps/meteor/client/views/omnichannel/contactHistory/MessageList/ContactHistoryMessage.tsx	Changes the MessageBody condition to fire on !message.blocks alone, rendering MessageContentBody when message.md exists or falling back to raw message.msg.

Sequence Diagram

sequenceDiagram
    participant Client as MarkdownText Component
    participant Limit as getMarkdownParserLimit()
    participant Inner as MarkdownTextInner
    participant Marked as marked.parse()
    participant DOMPurify as DOMPurify.sanitize()
    
    Client->>Limit: check content.length
    Limit-->>Client: return parsed limit
    alt content length exceeds limit
        Client->>Client: render plain Box
    else within limit
        Client->>Inner: delegate with props
        Inner->>Marked: parse content
        Marked-->>Inner: HTML string
        Inner->>DOMPurify: sanitize HTML
        DOMPurify-->>Inner: cleaned HTML
        Inner->>Inner: replace internal-link tokens
        Inner-->>Client: rendered output
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Suggested reviewers

• KevLehman
• dougfabris

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore: message parser limit on the client' accurately describes the main change: implementing client-side message parser limiting functionality for markdown parsing.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (2)

• CORE-2211: Request failed with status code 401
• SUP-1019: Request failed with status code 401

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[codecov]

Codecov Report

❌ Patch coverage is 95.12195% with 14 lines in your changes missing coverage. Please review.
✅ Project coverage is 70.17%. Comparing base (fbf3672) to head (f7601ca).
⚠️ Report is 36 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #40600      +/-   ##
===========================================
+ Coverage    70.08%   70.17%   +0.09%     
===========================================
  Files         3357     3366       +9     
  Lines       129543   129867     +324     
  Branches     22474    23066     +592     
===========================================
+ Hits         90787    91132     +345     
+ Misses       35456    35415      -41     
- Partials      3300     3320      +20     

Flag	Coverage Δ
e2e	59.35% <71.20%> (+0.12%)	⬆️
e2e-api	47.11% <ø> (+0.90%)	⬆️
unit	70.06% <94.73%> (+0.02%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

This PR aligns the client-side rendering/parsing behavior with the server’s new MESSAGE_MAX_PARSE_LENGTH setting by skipping markdown parsing when message text exceeds the configured limit, falling back to plain-text rendering.

Changes:

• Add client-side limit resolution (rc-message-parser-max-length meta) and caching utilities (getPageMeta, getMarkdownParserLimit).
• Enforce the limit in key parsing/rendering paths (parseMessageTextToAstMarkdown, normalizeThreadMessage, MarkdownText, omnichannel contact history).
• Add unit tests covering limit behavior across parsing and UI components.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
apps/meteor/client/views/omnichannel/contactHistory/MessageList/ContactHistoryMessage.tsx	Render plain message.msg when md is absent (e.g., parsing skipped).
apps/meteor/client/lib/parseMessageTextToAstMarkdown.ts	Skip parsing and return a plain-text AST when text exceeds the configured limit.
apps/meteor/client/lib/parseMessageTextToAstMarkdown.spec.ts	Add tests for “over limit” plain-text AST behavior (message + attachments).
apps/meteor/client/lib/normalizeThreadMessage.tsx	Apply the parser limit to thread preview normalization, falling back to plain-text tokens.
apps/meteor/client/lib/normalizeThreadMessage.spec.tsx	Add tests validating “within limit” vs “over limit” behavior and error handling.
apps/meteor/client/lib/getPageMeta.ts	Add meta tag reader with in-memory caching.
apps/meteor/client/lib/getPageMeta.spec.ts	Add tests for meta reading and caching behavior.
apps/meteor/client/lib/getMarkdownParserLimit.ts	Resolve the markdown parser limit from meta/default constant with “0 disables” semantics.
apps/meteor/client/lib/getMarkdownParserLimit.spec.ts	Add tests for limit resolution from meta/default constant.
apps/meteor/client/components/message/content/attachments/QuoteAttachment.tsx	Adjust quote rendering fallback when md is missing (but introduces a regression risk).
apps/meteor/client/components/MarkdownTextInner.tsx	Extract previous MarkdownText parsing/sanitization implementation into an inner component.
apps/meteor/client/components/MarkdownText.tsx	Add limit-based early return to render plain text without parsing.
apps/meteor/client/components/MarkdownText.spec.tsx	Add tests for limit-based plain-text vs parsed rendering.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[FragaKrummenauer]

QA Report — PR #40600

Tested locally with MESSAGE_MAX_PARSE_LENGTH=100 (and 0 for regression check). All 14 cases passed:

• ✅ Short message (< 100 chars) → renders markdown
• ✅ Long message (> 100 chars) → plain text
• ✅ Thread: short → markdown, long → plain text
• ✅ Edit short→long (crosses limit) → plain text
• ✅ Edit long→short (drops below limit) → markdown renders again
• ✅ Quote + short reply → markdown, Quote + long reply → plain text
• ✅ Boundary: exactly 100 chars → renders markdown, 101 chars → plain text
• ✅ DM: short → markdown, long → plain text
• ✅ Page reload: long message stays as plain text
• ✅ MESSAGE_MAX_PARSE_LENGTH=0 (disabled): long messages render markdown normally — no regression

Note: The limit uses strict > — a message of exactly 100 chars still renders markdown, only from 101 onward, parsing is skipped. Just flagging in case the intent was >=.

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (2)

apps/meteor/client/lib/getMarkdownParserLimit.spec.ts (1)

40-67: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Add malformed-number format tests to lock parser behavior.

Please add cases for values like "100abc" and "1e3" so the suite enforces strict numeric acceptance and prevents future regressions around permissive parsing.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/client/lib/getMarkdownParserLimit.spec.ts` around lines 40 - 67,
The test suite for getMarkdownParserLimit is missing coverage for edge cases
with malformed numeric formats that could expose permissive parsing behavior.
Add two new test cases after the existing tests: one that mocks
getPageMetaMock.mockReturnValue with '100abc' to verify handling of numbers with
appended non-numeric characters, and another with '1e3' to verify handling of
scientific notation. Both should verify the expected behavior of
getMarkdownParserLimit() against the intended strict numeric acceptance rules to
prevent future regressions around parsing edge cases.

apps/meteor/client/components/MarkdownTextInner.tsx (1)

108-114: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Remove inline implementation comments to match repo style.

These comments are explanatory but violate the implementation-style rule for TS/TSX files.

As per coding guidelines, "Avoid code comments in the implementation".

Also applies to: 123-143, 180-183

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/client/components/MarkdownTextInner.tsx` around lines 108 - 114,
Remove all inline implementation comments from the MarkdownTextInner.tsx file to
align with the repository's coding style guidelines. Specifically, delete the
comments explaining the INTERNAL_LINK_TOKEN constant generation, the purpose of
marking internal links, and the dompurify.addHook registration at the module
level (including comments about preventing memory leaks and hook sharing across
instances). The comments appear before the INTERNAL_LINK_TOKEN declaration and
before the dompurify.addHook call, as well as in other locations noted in the
review (lines 123-143 and 180-183). Keep the actual code implementation
unchanged, removing only the explanatory comment lines.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/meteor/client/lib/getMarkdownParserLimit.ts`:
- Around line 10-16: The getMarkdownParserLimit function uses parseInt which
accepts partial numeric strings like "100abc", causing incorrect validation of
malformed meta values. Replace the parseInt call with Number() for strict
numeric conversion, and change the Number.isFinite() validation to
Number.isInteger() to properly reject non-integer and partially-numeric strings
while still handling all expected cases (positive integers, zero, negatives, and
invalid input). The return logic comparing against zero and returning Infinity
should remain unchanged.

In `@apps/meteor/client/lib/getPageMeta.ts`:
- Around line 10-11: In the catch block of the getPageMeta function, the null
return value is not being cached in MetaCache, causing repeated calls for the
same key to repeatedly hit the failing path instead of returning a cached
result. Cache the null value in MetaCache (using the same key mechanism as the
success path) before returning null from the exception handler to ensure
consistent behavior with other null outcomes.

In `@apps/meteor/client/lib/normalizeThreadMessage.spec.tsx`:
- Around line 63-66: The test case for normalizeThreadMessage has a
contradictory expectation: it creates an attachment with only a description
field (description: 'desc') but expects the function to return null. However,
normalizeThreadMessage actually returns the description content when an
attachment has a description. Update the test expectation in the it block
starting at line 63 to expect the actual return value of the description
('desc') instead of null, making the test consistent with the actual behavior of
the normalizeThreadMessage function.

In
`@apps/meteor/client/views/omnichannel/contactHistory/MessageList/ContactHistoryMessage.tsx`:
- Around line 120-123: The MessageBody component at the conditional block
wrapping MessageContentBody creates duplicate wrappers because
MessageContentBody already renders MessageBody internally. Refactor the
conditional logic so that when message.md exists, render MessageContentBody
directly without the outer MessageBody wrapper, and when message.md does not
exist, render message.msg inside MessageBody. This eliminates the nested
MessageBody wrappers for the markdown content path.

---

Nitpick comments:
In `@apps/meteor/client/components/MarkdownTextInner.tsx`:
- Around line 108-114: Remove all inline implementation comments from the
MarkdownTextInner.tsx file to align with the repository's coding style
guidelines. Specifically, delete the comments explaining the INTERNAL_LINK_TOKEN
constant generation, the purpose of marking internal links, and the
dompurify.addHook registration at the module level (including comments about
preventing memory leaks and hook sharing across instances). The comments appear
before the INTERNAL_LINK_TOKEN declaration and before the dompurify.addHook
call, as well as in other locations noted in the review (lines 123-143 and
180-183). Keep the actual code implementation unchanged, removing only the
explanatory comment lines.

In `@apps/meteor/client/lib/getMarkdownParserLimit.spec.ts`:
- Around line 40-67: The test suite for getMarkdownParserLimit is missing
coverage for edge cases with malformed numeric formats that could expose
permissive parsing behavior. Add two new test cases after the existing tests:
one that mocks getPageMetaMock.mockReturnValue with '100abc' to verify handling
of numbers with appended non-numeric characters, and another with '1e3' to
verify handling of scientific notation. Both should verify the expected behavior
of getMarkdownParserLimit() against the intended strict numeric acceptance rules
to prevent future regressions around parsing edge cases.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5da2d138-32c8-4a8a-ba98-52a3c22ccc39

📥 Commits

Reviewing files that changed from the base of the PR and between fbf3672 and bd5b857.

📒 Files selected for processing (12)

• apps/meteor/client/components/MarkdownText.spec.tsx
• apps/meteor/client/components/MarkdownText.tsx
• apps/meteor/client/components/MarkdownTextInner.tsx
• apps/meteor/client/lib/getMarkdownParserLimit.spec.ts
• apps/meteor/client/lib/getMarkdownParserLimit.ts
• apps/meteor/client/lib/getPageMeta.spec.ts
• apps/meteor/client/lib/getPageMeta.ts
• apps/meteor/client/lib/normalizeThreadMessage.spec.tsx
• apps/meteor/client/lib/normalizeThreadMessage.tsx
• apps/meteor/client/lib/parseMessageTextToAstMarkdown.spec.ts
• apps/meteor/client/lib/parseMessageTextToAstMarkdown.ts
• apps/meteor/client/views/omnichannel/contactHistory/MessageList/ContactHistoryMessage.tsx

📜 Review details

⏰ Context from checks skipped due to timeout. (3)

• GitHub Check: cubic · AI code reviewer
• GitHub Check: Hacktron Security Check
• GitHub Check: 🔨 Test Unit / Unit Tests

🧰 Additional context used

📓 Path-based instructions (2)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/client/lib/getMarkdownParserLimit.ts
• apps/meteor/client/lib/getPageMeta.spec.ts
• apps/meteor/client/lib/getMarkdownParserLimit.spec.ts
• apps/meteor/client/lib/getPageMeta.ts
• apps/meteor/client/views/omnichannel/contactHistory/MessageList/ContactHistoryMessage.tsx
• apps/meteor/client/lib/normalizeThreadMessage.tsx
• apps/meteor/client/lib/normalizeThreadMessage.spec.tsx
• apps/meteor/client/components/MarkdownText.spec.tsx
• apps/meteor/client/lib/parseMessageTextToAstMarkdown.ts
• apps/meteor/client/lib/parseMessageTextToAstMarkdown.spec.ts
• apps/meteor/client/components/MarkdownTextInner.tsx
• apps/meteor/client/components/MarkdownText.tsx

**/*.spec.ts

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.spec.ts: Use descriptive test names that clearly communicate expected behavior in Playwright tests
Use .spec.ts extension for test files (e.g., login.spec.ts)

Files:

• apps/meteor/client/lib/getPageMeta.spec.ts
• apps/meteor/client/lib/getMarkdownParserLimit.spec.ts
• apps/meteor/client/lib/parseMessageTextToAstMarkdown.spec.ts

🧠 Learnings (8)

📚 Learning: 2026-02-10T16:32:42.586Z

Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 38528
File: apps/meteor/client/startup/roles.ts:14-14
Timestamp: 2026-02-10T16:32:42.586Z
Learning: In Rocket.Chat's Meteor client code, DDP streams use EJSON and Date fields arrive as Date objects; do not manually construct new Date() in stream handlers (for example, in sdk.stream()). Only REST API responses return plain JSON where dates are strings, so implement explicit conversion there if needed. Apply this guidance to all TypeScript files under apps/meteor/client to ensure consistent date handling in DDP streams and REST responses.

Applied to files:

• apps/meteor/client/lib/getMarkdownParserLimit.ts
• apps/meteor/client/lib/getPageMeta.spec.ts
• apps/meteor/client/lib/getMarkdownParserLimit.spec.ts
• apps/meteor/client/lib/getPageMeta.ts
• apps/meteor/client/lib/parseMessageTextToAstMarkdown.ts
• apps/meteor/client/lib/parseMessageTextToAstMarkdown.spec.ts

📚 Learning: 2026-05-11T20:30:35.265Z

Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 40480
File: apps/meteor/client/meteor/startup/accounts.ts:59-61
Timestamp: 2026-05-11T20:30:35.265Z
Learning: In Rocket.Chat’s Meteor client code, when calling `dispatchToastMessage` with `{ type: 'error' }`, pass the raw caught error object as `message` without manual normalization. `dispatchToastMessage` is designed to accept `message: unknown` for error toasts, so avoid converting errors to strings (e.g., `String(error)`) or extracting `error.message` before passing them.

Applied to files:

• apps/meteor/client/lib/getMarkdownParserLimit.ts
• apps/meteor/client/lib/getPageMeta.spec.ts
• apps/meteor/client/lib/getMarkdownParserLimit.spec.ts
• apps/meteor/client/lib/getPageMeta.ts
• apps/meteor/client/lib/parseMessageTextToAstMarkdown.ts
• apps/meteor/client/lib/parseMessageTextToAstMarkdown.spec.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/client/lib/getMarkdownParserLimit.ts
• apps/meteor/client/lib/getPageMeta.spec.ts
• apps/meteor/client/lib/getMarkdownParserLimit.spec.ts
• apps/meteor/client/lib/getPageMeta.ts
• apps/meteor/client/lib/parseMessageTextToAstMarkdown.ts
• apps/meteor/client/lib/parseMessageTextToAstMarkdown.spec.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/client/lib/getMarkdownParserLimit.ts
• apps/meteor/client/lib/getPageMeta.spec.ts
• apps/meteor/client/lib/getMarkdownParserLimit.spec.ts
• apps/meteor/client/lib/getPageMeta.ts
• apps/meteor/client/lib/parseMessageTextToAstMarkdown.ts
• apps/meteor/client/lib/parseMessageTextToAstMarkdown.spec.ts

📚 Learning: 2026-05-06T12:21:44.083Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

• apps/meteor/client/lib/getMarkdownParserLimit.ts
• apps/meteor/client/lib/getPageMeta.spec.ts
• apps/meteor/client/lib/getMarkdownParserLimit.spec.ts
• apps/meteor/client/lib/getPageMeta.ts
• apps/meteor/client/views/omnichannel/contactHistory/MessageList/ContactHistoryMessage.tsx
• apps/meteor/client/lib/normalizeThreadMessage.tsx
• apps/meteor/client/lib/normalizeThreadMessage.spec.tsx
• apps/meteor/client/components/MarkdownText.spec.tsx
• apps/meteor/client/lib/parseMessageTextToAstMarkdown.ts
• apps/meteor/client/lib/parseMessageTextToAstMarkdown.spec.ts
• apps/meteor/client/components/MarkdownTextInner.tsx
• apps/meteor/client/components/MarkdownText.tsx

📚 Learning: 2026-02-24T19:22:48.358Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 38493
File: apps/meteor/tests/e2e/omnichannel/omnichannel-send-pdf-transcript.spec.ts:66-67
Timestamp: 2026-02-24T19:22:48.358Z
Learning: In Playwright end-to-end tests (e.g., under apps/meteor/tests/e2e/...), prefer locating elements by translated text (getByText) and ARIA roles (getByRole) over data-qa attributes. If translation values change, update the corresponding test locators accordingly. Never use data-qa locators. This guideline applies to all Playwright e2e test specs in the repository and helps keep tests robust to UI text changes and accessible semantics.

Applied to files:

• apps/meteor/client/lib/getPageMeta.spec.ts
• apps/meteor/client/lib/getMarkdownParserLimit.spec.ts
• apps/meteor/client/lib/parseMessageTextToAstMarkdown.spec.ts

📚 Learning: 2026-03-06T18:10:15.268Z

Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 39397
File: packages/gazzodown/src/code/CodeBlock.spec.tsx:47-68
Timestamp: 2026-03-06T18:10:15.268Z
Learning: In tests (especially those using testing-library/dom/jsdom) for Rocket.Chat components, the HTML <code> element has an implicit ARIA role of 'code'. Therefore, screen.getByRole('code') or screen.findByRole('code') will locate <code> elements even without a role attribute. Do not flag findByRole('code') as invalid in reviews; prefer using the implicit role instead of adding role="code" unless necessary for accessibility.

Applied to files:

• apps/meteor/client/lib/getPageMeta.spec.ts
• apps/meteor/client/lib/getMarkdownParserLimit.spec.ts
• apps/meteor/client/lib/normalizeThreadMessage.spec.tsx
• apps/meteor/client/components/MarkdownText.spec.tsx
• apps/meteor/client/lib/parseMessageTextToAstMarkdown.spec.ts

📚 Learning: 2026-03-27T14:52:56.865Z

Learnt from: dougfabris
Repo: RocketChat/Rocket.Chat PR: 39892
File: apps/meteor/client/views/room/contextualBar/Threads/Thread.tsx:150-155
Timestamp: 2026-03-27T14:52:56.865Z
Learning: In Rocket.Chat, there are two different `ModalBackdrop` components with different prop APIs. During review, confirm the import source: (1) `rocket.chat/fuselage` `ModalBackdrop` uses `ModalBackdropProps` based on `BoxProps` (so it supports `onClick` and other Box/DOM props) and does not have an `onDismiss` prop; (2) `rocket.chat/ui-client` `ModalBackdrop` uses a narrower props interface like `{ children?: ReactNode; onDismiss?: () => void }` and handles Escape keypress and outside mouse-up, and it does not forward arbitrary DOM props such as `onClick`. Flag mismatched props (e.g., `onDismiss` passed to the fuselage component or `onClick` passed to the ui-client component) and ensure the usage matches the correct component being imported.

Applied to files:

• apps/meteor/client/views/omnichannel/contactHistory/MessageList/ContactHistoryMessage.tsx
• apps/meteor/client/lib/normalizeThreadMessage.tsx
• apps/meteor/client/lib/normalizeThreadMessage.spec.tsx
• apps/meteor/client/components/MarkdownText.spec.tsx
• apps/meteor/client/components/MarkdownTextInner.tsx
• apps/meteor/client/components/MarkdownText.tsx

🪛 ast-grep (0.44.0)

apps/meteor/client/lib/getPageMeta.spec.ts

[warning] 4-4: Direct modification of innerHTML or outerHTML properties detected. Modifying these properties with unsanitized user input can lead to XSS vulnerabilities. Use safe alternatives or sanitize content first.
Context: document.head.innerHTML = ''
Note: [CWE-79] Improper Neutralization of Input During Web Page Generation

(dom-content-modification)

apps/meteor/client/components/MarkdownTextInner.tsx

[warning] 203-203: Usage of dangerouslySetInnerHTML detected. This bypasses React's built-in XSS protection. Always sanitize HTML content using libraries like DOMPurify before injecting it into the DOM to prevent XSS attacks.
Context: dangerouslySetInnerHTML
Note: [CWE-79] Improper Neutralization of Input During Web Page Generation

(react-unsafe-html-injection)

🔇 Additional comments (7)

apps/meteor/client/lib/getPageMeta.spec.ts (1)

3-38: LGTM!

apps/meteor/client/components/MarkdownText.tsx (1)

4-7: LGTM!

Also applies to: 19-36

apps/meteor/client/components/MarkdownText.spec.tsx (1)

7-11: LGTM!

Also applies to: 507-551

apps/meteor/client/lib/parseMessageTextToAstMarkdown.ts (1)

13-13: LGTM!

Also applies to: 133-135

apps/meteor/client/lib/parseMessageTextToAstMarkdown.spec.ts (1)

4-10: LGTM!

Also applies to: 557-640

apps/meteor/client/lib/normalizeThreadMessage.tsx (1)

4-23: LGTM!

Also applies to: 24-28

apps/meteor/client/lib/normalizeThreadMessage.spec.tsx (1)

1-62: LGTM!

Also applies to: 68-76

[cubic-dev-ai]

3 issues found across 12 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/meteor/client/lib/normalizeThreadMessage.spec.tsx">

<violation number="1" location="apps/meteor/client/lib/normalizeThreadMessage.spec.tsx:64">
P1: Test assertion is wrong: `normalizeThreadMessage` returns `<>desc</>` (a React element) for an attachment with `description: 'desc'`, but the test expects `null`. The implementation prioritizes `description` over `title` in attachment rendering, so this input never produces null.</violation>
</file>

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

[cubic-dev-ai]

1 issue found across 2 files (changes from recent commits).

<sub>Tip: Review your code locally with the cubic CLI to iterate faster.

Re-trigger cubic</sub>