Copilot commented on code in PR #160:
URL: https://github.com/apache/echarts-handbook/pull/160#discussion_r2875670829
##########
contents/en/best-practices/security.md:
##########
@@ -24,7 +24,8 @@ Before deploying charts, please review this **checklist** to
ensure your usage i
| **option [tooltip.formatter](${optionPath}tooltip.formatter)**<br>·
`formatter` allows HTML string or DOM elements input, which are later rendered
directly inside the tooltip, where XSS risks need to be
considered.<br>(exceptions): A string directly set to the `formatter` is
treated as a simple template for later combining with data internally.
[tooltip.renderMode: 'richText'](${optionPath}tooltip.renderMode) is another
level of templating syntax for styling. Both of them are internally implemented
and safe from injection.<br><br>**option
[toolbox.feature.dataView.optionToContent](${optionPath}toolbox.feature.dataView.optionToContent)**<br>**option
[toolbox.feature.dataView.title](${optionPath}toolbox.feature.dataView.title)**<br>**option
[toolbox.feature.dataView.lang](${optionPath}toolbox.feature.dataView.lang)**<br>·
The `tooltip.dataView` panel is fully rendered in HTML. Certain parts of the
HTML string are allowed to be customized via these APIs. | XSS risks should be
consi
dered. In most cases, HTML escaping alone is sufficient. But if any unescaped
parts originate from untrusted sources, more measures are required (e.g.,
sanitization, sandboxing).<br><br>See section ["Passing Raw HTML
Safely"](${lang}/best-practices/security#passing_raw_html_safely) for safe
usage recommendations. |
| **option [tooltip.extraCssText](${optionPath}tooltip.extraCssText)**<br>·
`extraCssText` accepts a raw CSS style string for later directly appending to
`tooltipEl.style.cssText`(via the DOM API).<br>(exceptions): this option is not
applicable when [tooltip.renderMode:
'richText'](${optionPath}tooltip.renderMode).<br> | Safe if the input comes
from trusted sources; otherwise, a careful assessment is required.<br><br>See
section ["Passing inline CSS
Safely"](${lang}/best-practices/security#passing_inline_css_safely) for
details. |
| **option [title.link](${optionPath}title.link)**<br>**option
[title.sublink](${optionPath}title.sublink)**<br>**option
[series-treemap.data.link](${optionPath}series-treemap.data.link)**<br>**option
[series-sunburst.data.link](${optionPath}series-sunburst.data.link)**<br>· They
accept raw URLs directly for these links. | Safe if the input comes from
trusted sources; otherwise, XSS risks should be considered.<br><br>See section
["Passing Raw URLs
Safely"](${lang}/best-practices/security#passing_raw_urls_safely) for safe
usage recommendations.
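Review bot: The description for the three `toolbox.feature.dataView.*` options calls the component "The `tooltip.dataView` panel", but every option path listed directly above it sits under `toolbox.feature.dataView`, so the description should name `toolbox.feature.dataView` (or simply "the dataView panel") rather than pointing readers at a non-matching `tooltip` option. Two smaller consistency points in the same hunk: the `tooltip.extraCssText` cell ends with a stray `<br>` immediately before the ` |` separator, which no other row has, and "`tooltipEl.style.cssText`(via the DOM API)" is missing a space before the parenthesis.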
Review Comment:
This table row is missing the closing `|` at the end, which is inconsistent with the format of the other rows in the same table and may affect Markdown table rendering or later maintenance; suggest adding the trailing delimiter.
```suggestion
| **option [title.link](${optionPath}title.link)**<br>**option
[title.sublink](${optionPath}title.sublink)**<br>**option
[series-treemap.data.link](${optionPath}series-treemap.data.link)**<br>**option
[series-sunburst.data.link](${optionPath}series-sunburst.data.link)**<br>· They
accept raw URLs directly for these links. | Safe if the input comes from
trusted sources; otherwise, XSS risks should be considered.<br><br>See section
["Passing Raw URLs
Safely"](${lang}/best-practices/security#passing_raw_urls_safely) for safe
usage recommendations. |
```
##########
contents/zh/best-practices/security.md:
##########
@@ -26,6 +26,7 @@ ECharts 通过 Canvas 或 SVG 渲染,只有几个特殊组件例外,允许 H
| **option [tooltip.extraCssText](${optionPath}tooltip.extraCssText)**<br>·
`extraCssText` 接受一个原始 CSS style 字符串,并接下来直接拼接进
`tooltipEl.style.cssText`。<br>(例外):[tooltip.renderMode:
'richText'](${optionPath}tooltip.renderMode) 时此 `extraCssText` 无效。 |
若输入来自可信来源,则一般无安全问题,否则需要仔细评估风险。<br><br>详细描述见 [“传入内联 CSS
时的安全考虑”](${lang}/best-practices/security#passing_inline_css_safely)。 |
| **option [title.link](${optionPath}title.link)**<br>**option
[title.sublink](${optionPath}title.sublink)**<br>**option
[series-treemap.data.link](${optionPath}series-treemap.data.link)**<br>**option
[series-sunburst.data.link](${optionPath}series-sunburst.data.link)**<br>· 这些
option 直接接受原始 URL 字符串。 | 若若输入来自可信来源,则一般无安全问题,否则须要考虑 XSS 风险。<br><br>详细描述见 ["传入
URL 时的安全考虑"](${lang}/best-practices/security#passing_raw_urls_safely)。 |
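Review bot: The risk column of these two zh rows is inconsistent in wording and quote style: the `tooltip.extraCssText` row says "需要仔细评估风险" and wraps the section title in curly quotes (“传入内联 CSS 时的安全考虑”), while the `title.link` row says "须要考虑 XSS 风险" and uses straight ASCII quotes ("传入 URL 时的安全考虑"). Suggest settling on 需要 and a single quote style so the rows read alike. Separately, the en version of the `extraCssText` row states that the string is appended "via the DOM API", which this zh row omits; adding the equivalent phrase keeps the two languages in step.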
Review Comment:
This table row contains a duplicated word, “若若输入来自可信来源”, which should read “若输入来自可信来源”.
```suggestion
| **option [title.link](${optionPath}title.link)**<br>**option
[title.sublink](${optionPath}title.sublink)**<br>**option
[series-treemap.data.link](${optionPath}series-treemap.data.link)**<br>**option
[series-sunburst.data.link](${optionPath}series-sunburst.data.link)**<br>· 这些
option 直接接受原始 URL 字符串。 | 若输入来自可信来源,则一般无安全问题,否则须要考虑 XSS 风险。<br><br>详细描述见 ["传入
URL 时的安全考虑"](${lang}/best-practices/security#passing_raw_urls_safely)。 |
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]