feat(chat): favicon external links with secure link-preview tooltips#5734
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub. |
PR SummaryMedium Risk Overview A contract-backed Table URL cells now use the same Reviewed by Cursor Bugbot for commit 93eb14e. Configure here. |
Greptile SummaryThis PR adds secure link previews and favicon styling for external links in chat. The main changes are:
Confidence Score: 5/5The updated code appears safe to merge.
Important Files Changed
Reviews (6): Last reviewed commit: "improvement(chat): render mailto links a..." | Re-trigger Greptile |
- allow http fetches to match advertised http(s) link support - fix meta content regex to handle apostrophes and either quote delimiter - hash Redis cache keys so sensitive URLs are not stored verbatim - add per-user rate limit to the outbound-fetching route - render siteName-only previews instead of falling back to the URL
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit bde6f31. Configure here.
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 242ad88. Configure here.
…, cleanup pass - fetch previews when links render (emcn tooltip shows instantly — hover prefetch had no delay to race); tooltip reads the warmed cache, eliminating the URL-then-preview flash - parse OG metadata with cheerio (already used server-side) instead of hand-rolled regexes + entity decoding, fixing double-decode and quote-handling classes - drop the no-longer-needed prefetch hook; remove dead side prop on Tooltip.Content - extract ExternalLink to a sibling module per component-size guidelines; fix TSDoc placement
|
@cursor review |
- drop allowHttp: plain-http fetches would reach the URL validator's self-host loopback exception; previews are now explicitly https-only on both server (early null) and client (query never fires for http) - parse the full capped document instead of truncating at the first <body> substring, which could match inside head scripts/comments and drop metadata
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 3eadb90. Configure here.
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 93eb14e. Configure here.
Summary
--text-mutedthat darkens to--text-primaryon hover — replaces the harsh dashed underline; mailto/anchor/relative links keep the old treatmentGET /api/link-previewroute: session-gated, fetches through the existing SSRF toolkit (secureFetchWithValidation— DNS-pinned, private-IP blocked) with 5s timeout, 3-redirect cap, 256KB response cap, head-only OG parsing, and Redis caching (24h positive / 1h negative); any failure returns a null preview and the tooltip falls back to the URLuseLinkPreviewReact Query hookfaviconUrl()helper, now used by both chat and the tables URL cell (previously inline there)Type of Change
Testing
Tested manually against the running app (favicon alignment across 10 sites, preview tooltips, 401 unauthenticated, bot-blocked-site fallback)
Checklist