quikchat 1.2.6 → 1.2.7

package/README.md

@@ -4,7 +4,11 @@
 
 # QuikChat
 
-A lightweight, zero-dependency vanilla JavaScript chat widget. Drop it into any page — no React, no Vue, no build step required — and connect it to any LLM, WebSocket, or message source with plain `fetch()`.
+A lightweight, zero-dependency JavaScript chat widget, with history save/restore, multiple instance support, and several other goodies. Works with any framework — React, Vue, Svelte, Angular, Solid — or none at all. Connect it to any LLM, WebSocket, or message source with plain `fetch()`.  
+
+[Live Demo & Documentation](https://deftio.github.io/quikchat/site/)
+
+[![QuikChat screenshot](site/quikchat-screenshot.png)](https://deftio.github.io/quikchat/site/)
 
 ```html
 <script src="https://unpkg.com/quikchat"></script>
@@ -191,12 +195,13 @@ Style messages by role with CSS hooks: `.quikchat-role-user`, `.quikchat-role-as
 | [LLM Integration](docs/llm-integration.md) | Ollama, OpenAI, LM Studio, tool calls, conversational memory |
 | [Theming](docs/theming.md) | Custom themes, CSS architecture, built-in themes |
 | [CSS Architecture](docs/css-architecture.md) | Base vs theme separation, ARIA accessibility |
+| [Recipes](docs/recipes.md) | Common patterns: log viewer, tool-call visibility, session persistence, RTL |
 
 ## Demo & Examples
 
 [Live Demo](https://deftio.github.io/quikchat/site/) | [Examples](https://deftio.github.io/quikchat/examples/)
 
-Examples include: basic UMD/ESM usage, theme switching, dual chatrooms, markdown rendering ([basic](./examples/example_markdown.html) and [full with syntax highlighting + math + diagrams](./examples/example_md_full.html)), streaming with Ollama/OpenAI/LM Studio, and React integration.
+Examples include: basic UMD/ESM usage, dual chatrooms, markdown rendering ([basic](./examples/example_markdown.html) and [full with syntax highlighting + math + diagrams](./examples/example_md_full.html)), LLM integrations (Ollama, OpenAI, LM Studio), [LLM tool-calling editor](./examples/example_tool_editor.html), tool-call visibility, session save/restore, RTL/i18n, log viewer, event timeline, framework integration (React, Vue, Solid, Svelte, Angular), and backend examples ([FastAPI](./examples/fastapi_llm/), [Express](./examples/npm_express/)).
 
 ## Build Variants
 

package/dist/build-manifest.json

@@ -1,6 +1,6 @@
 {
-  "version": "1.2.6",
-  "generated": "2026-04-20T04:05:17.743Z",
+  "version": "1.2.7",
+  "generated": "2026-05-04T04:21:07.564Z",
   "builds": [
     {
       "id": "base",
@@ -12,37 +12,37 @@
           "format": "UMD",
           "raw": "quikchat.umd.js",
           "min": "quikchat.umd.min.js",
-          "rawBytes": 33115,
-          "minBytes": 17417,
-          "gzipBytes": 4846,
+          "rawBytes": 33119,
+          "minBytes": 17421,
+          "gzipBytes": 4849,
           "rawSize": "32.34 KB",
           "minSize": "17.01 KB",
-          "gzipSize": "4.73 KB",
-          "sri": "sha384-NamQg4QPdOymZnlXQwkHrSrNMn014Ko+xOK1V/Q2/fKkqUgGd03BV5hIwP/sbv8f"
+          "gzipSize": "4.74 KB",
+          "sri": "sha384-HLvGJigsP5xa9TFN6KOihPuozxJlq36dC16VsNMBpVGiwLs75d+2/LEmqzJX58y8"
         },
         {
           "format": "CJS",
           "raw": "quikchat.cjs.js",
           "min": "quikchat.cjs.min.js",
-          "rawBytes": 31003,
-          "minBytes": 17202,
-          "gzipBytes": 4778,
+          "rawBytes": 31007,
+          "minBytes": 17206,
+          "gzipBytes": 4781,
           "rawSize": "30.28 KB",
           "minSize": "16.80 KB",
           "gzipSize": "4.67 KB",
-          "sri": "sha384-OrMbUwcaTwt6JOnMJt1nt5wKy4kzsGvKMh3Vj5eucEYuIXNTGTfy5E0fLvVGn+Ps"
+          "sri": "sha384-nHUMygH/rx+lxSW7F1l0fLp3FPfN/YdNiJj/qMkcqvIDHFuuegIubKpuiHCQqN3g"
         },
         {
           "format": "ESM",
           "raw": "quikchat.esm.js",
           "min": "quikchat.esm.min.js",
-          "rawBytes": 30993,
-          "minBytes": 17193,
-          "gzipBytes": 4773,
+          "rawBytes": 30997,
+          "minBytes": 17197,
+          "gzipBytes": 4776,
           "rawSize": "30.27 KB",
           "minSize": "16.79 KB",
           "gzipSize": "4.66 KB",
-          "sri": "sha384-K7KBg+8DlqPyiWBAjYIX29oIHyAAB2T4F8LZzuQrVNJM1pcwN/pbsbpixqtn1wdk"
+          "sri": "sha384-itfed90vasC8MaRc5SqS992oym6NQnXmvbX3q4F0fvGH96ZBwRLSD2PV+AgG7gEW"
         },
         {
           "format": "CSS",
@@ -68,37 +68,37 @@
           "format": "UMD",
           "raw": "quikchat-md.umd.js",
           "min": "quikchat-md.umd.min.js",
-          "rawBytes": 80811,
-          "minBytes": 28568,
-          "gzipBytes": 8893,
-          "rawSize": "78.92 KB",
-          "minSize": "27.90 KB",
-          "gzipSize": "8.68 KB",
-          "sri": "sha384-VXGanV4Cb7faAB8zU43gnMHchw5Rq3cILG0ZclhR9Lm2TK5wgiyyElpiiWH6HSB5"
+          "rawBytes": 85353,
+          "minBytes": 29563,
+          "gzipBytes": 9303,
+          "rawSize": "83.35 KB",
+          "minSize": "28.87 KB",
+          "gzipSize": "9.08 KB",
+          "sri": "sha384-NyEFBtozHVJl7dPUvuCpBlwEGC34Qc0yosXjeVckvXdWf11s3szHrmUqVB1p5ELQ"
         },
         {
           "format": "CJS",
           "raw": "quikchat-md.cjs.js",
           "min": "quikchat-md.cjs.min.js",
-          "rawBytes": 76919,
-          "minBytes": 28341,
-          "gzipBytes": 8823,
-          "rawSize": "75.12 KB",
-          "minSize": "27.68 KB",
-          "gzipSize": "8.62 KB",
-          "sri": "sha384-dxRHv50bbpwwAPKSDotvgeP7Qu6sImUGordj7IpEfxBhrtMW2/RxwSybatN5RNe0"
+          "rawBytes": 81293,
+          "minBytes": 29336,
+          "gzipBytes": 9233,
+          "rawSize": "79.39 KB",
+          "minSize": "28.65 KB",
+          "gzipSize": "9.02 KB",
+          "sri": "sha384-4inUk0zLpAEt509RM9wrO6pcfu6/3GLBJRWPW/3TBcyq62FRGRi6oh9KT1FEM4O/"
         },
         {
           "format": "ESM",
           "raw": "quikchat-md.esm.js",
           "min": "quikchat-md.esm.min.js",
-          "rawBytes": 76909,
-          "minBytes": 28332,
-          "gzipBytes": 8825,
-          "rawSize": "75.11 KB",
-          "minSize": "27.67 KB",
-          "gzipSize": "8.62 KB",
-          "sri": "sha384-s8ZB9Irx2RS2UNJRYg9l2t0P8cM2BujXLQwb7DDyRW6LjtdhdAxsKu4Fs4utKf4x"
+          "rawBytes": 81283,
+          "minBytes": 29327,
+          "gzipBytes": 9234,
+          "rawSize": "79.38 KB",
+          "minSize": "28.64 KB",
+          "gzipSize": "9.02 KB",
+          "sri": "sha384-NU2rka4yCQspxc8DELK8bjof9XXD6DAglIDaPFVpi2NEENNbhPcGoPK5BNvVdivN"
         }
       ]
     },
@@ -112,37 +112,37 @@
           "format": "UMD",
           "raw": "quikchat-md-full.umd.js",
           "min": "quikchat-md-full.umd.min.js",
-          "rawBytes": 125241,
-          "minBytes": 45132,
-          "gzipBytes": 14280,
-          "rawSize": "122.31 KB",
-          "minSize": "44.07 KB",
-          "gzipSize": "13.95 KB",
-          "sri": "sha384-2dRmdOJzLKWhFxyzFbctBDovq1kZgaPBnMj1g8O6An/mLqi3UrITvGRD89Cpaonb"
+          "rawBytes": 129783,
+          "minBytes": 46127,
+          "gzipBytes": 14672,
+          "rawSize": "126.74 KB",
+          "minSize": "45.05 KB",
+          "gzipSize": "14.33 KB",
+          "sri": "sha384-Lk+2rwvAXBi6oQHtO2UFzs8uD6lIsAVwZV310qBWpiGIaf2F1Obe/RKnMVn3LGbm"
         },
         {
           "format": "CJS",
           "raw": "quikchat-md-full.cjs.js",
           "min": "quikchat-md-full.cjs.min.js",
-          "rawBytes": 119165,
-          "minBytes": 44905,
-          "gzipBytes": 14214,
-          "rawSize": "116.37 KB",
-          "minSize": "43.85 KB",
-          "gzipSize": "13.88 KB",
-          "sri": "sha384-D+XD9IV6jDdcO/WlNVabQ5rlpPgmkNcQSnZV4o86/8SieJ2LfDF/sBrsFVRJJh5j"
+          "rawBytes": 123539,
+          "minBytes": 45900,
+          "gzipBytes": 14604,
+          "rawSize": "120.64 KB",
+          "minSize": "44.82 KB",
+          "gzipSize": "14.26 KB",
+          "sri": "sha384-Z+2mOTSAZf3Dg92C2ltm1MgXLbyqkcy8WuXOBWbrOp4eRLXhvXAHM4683byCzCCY"
         },
         {
           "format": "ESM",
           "raw": "quikchat-md-full.esm.js",
           "min": "quikchat-md-full.esm.min.js",
-          "rawBytes": 119155,
-          "minBytes": 44896,
-          "gzipBytes": 14212,
-          "rawSize": "116.36 KB",
-          "minSize": "43.84 KB",
-          "gzipSize": "13.88 KB",
-          "sri": "sha384-xlOEkcgiZiWTurpVc5nV4cz2y0W4pQmY9gAOR9to1+vWtezxQ7UGnP1eyO1X7U9w"
+          "rawBytes": 123529,
+          "minBytes": 45891,
+          "gzipBytes": 14602,
+          "rawSize": "120.63 KB",
+          "minSize": "44.82 KB",
+          "gzipSize": "14.26 KB",
+          "sri": "sha384-eqUE3H5exC1kVl2LwErt1dlpdvzzh6vKLlgANUrmecfjEKwFvFrnis6AMUlB/RVa"
         }
       ]
     }

package/dist/quikchat-md-full.cjs.js

@@ -1064,9 +1064,9 @@ var quikchat = /*#__PURE__*/function () {
     key: "version",
     value: function version() {
       return {
-        "version": "1.2.6",
+        "version": "1.2.7",
         "license": "BSD-2",
-        "url": "https://github/deftio/quikchat"
+        "url": "https://github.com/deftio/quikchat"
       };
     }
 
@@ -1124,7 +1124,7 @@ var quikchat = /*#__PURE__*/function () {
 
 /**
  * quikdown_bd - Bidirectional Markdown Parser
- * @version 1.2.10
+ * @version 1.2.12
  * @license BSD-2-Clause
  * @copyright DeftIO 2025
  */
@@ -1236,7 +1236,7 @@ function isDashHRLine(trimmed) {
 // ────────────────────────────────────────────────────────────────────
 
 /** Build-time version stamp (injected by tools/updateVersion) */
-const quikdownVersion = '1.2.10';
+const quikdownVersion = '1.2.12';
 
 /** CSS class prefix used for all generated elements */
 const CLASS_PREFIX = 'quikdown-';
@@ -1244,6 +1244,10 @@ const CLASS_PREFIX = 'quikdown-';
 /** Placeholder sigils — chosen to be extremely unlikely in real text */
 const PLACEHOLDER_CB = '§CB';   // fenced code blocks
 const PLACEHOLDER_IC = '§IC';   // inline code spans
+const PLACEHOLDER_HT = '§HT';  // safe HTML tags (limited mode)
+
+/** Attributes whose values need URL sanitization */
+const URL_ATTRIBUTES = { href:1, src:1, action:1, formaction:1 };
 
 /** HTML entity escape map */
 const ESC_MAP = {'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;',"'":'&#39;'};
@@ -1378,6 +1382,46 @@ function quikdown(markdown, options = {}) {
         return trimmedUrl;
     }
 
+    /**
+     * Sanitize attributes on an HTML tag string for limited mode.
+     * Strips on* event handlers (case-insensitive) and runs sanitizeUrl()
+     * on href/src/action/formaction values.
+     */
+    function sanitizeHtmlTagAttrs(tagStr) {
+        // Self-closing or void tag without attributes — pass through
+        if (!/\s/.test(tagStr.replace(/<\/?[a-zA-Z][a-zA-Z0-9]*/, '').replace(/\/?>$/, ''))) {
+            return tagStr;
+        }
+        // Parse: <tagname ...attrs... > or <tagname ...attrs... />
+        const m = tagStr.match(/^(<\/?[a-zA-Z][a-zA-Z0-9]*)([\s\S]*?)(\/?>)$/);
+        /* istanbul ignore next - defensive: Phase 1.5 regex guarantees valid tag shape */
+        if (!m) return tagStr;
+
+        const [, open, attrStr, close] = m;
+        // Match individual attributes: name="value", name='value', name=value, or bare name
+        // eslint-disable-next-line security/detect-unsafe-regex -- linear: no nested quantifiers
+        const attrRe = /([a-zA-Z_][\w\-.:]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+)))?/g;
+        const attrs = [];
+        let am;
+        while ((am = attrRe.exec(attrStr)) !== null) {
+            const name = am[1];
+            const value = am[2] !== undefined ? am[2] : am[3] !== undefined ? am[3] : am[4];
+            // Strip event handlers (on*)
+            if (/^on/i.test(name)) continue;
+            if (value === undefined) {
+                // Boolean attribute (e.g. disabled, checked)
+                attrs.push(name);
+            } else {
+                let sanitized = value;
+                if (name.toLowerCase() in URL_ATTRIBUTES) {
+                    sanitized = sanitizeUrl(value);
+                }
+                attrs.push(`${name}="${sanitized}"`);
+            }
+        }
+        return open + (attrs.length ? ' ' + attrs.join(' ') : '') + close;
+    }
+
     // ────────────────────────────────────────────────────────────────
     //  Phase 1 — Code Extraction
     // ────────────────────────────────────────────────────────────────
@@ -1429,17 +1473,57 @@ function quikdown(markdown, options = {}) {
         return placeholder;
     });
 
+    // ────────────────────────────────────────────────────────────────
+    //  Phase 1.5 — Safe HTML Extraction (whitelist mode)
+    // ────────────────────────────────────────────────────────────────
+    // When allow_unsafe_html is an object or array, extract whitelisted
+    // HTML tags, sanitize their attributes, and replace with placeholders.
+    // Non-whitelisted tags stay in text so Phase 2 will escape them.
+
+    const safeTags = [];
+    // Normalize: array → object for O(1) lookup; object used as-is
+    const htmlAllow = Array.isArray(allow_unsafe_html)
+        ? Object.fromEntries(allow_unsafe_html.map(t => [t, 1]))
+        : (allow_unsafe_html && typeof allow_unsafe_html === 'object') ? allow_unsafe_html : null;
+
+    if (htmlAllow) {
+        // Pass through HTML comments — browsers render them as nothing
+        html = html.replace(/<!--[\s\S]*?-->/g, (match) => {
+            const idx = safeTags.length;
+            safeTags.push(match);
+            return `${PLACEHOLDER_HT}${idx}§`;
+        });
+        html = html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*\/?>/g, (match, tagName) => {
+            if (tagName.toLowerCase() in htmlAllow) {
+                const sanitized = sanitizeHtmlTagAttrs(match);
+                const idx = safeTags.length;
+                safeTags.push(sanitized);
+                return `${PLACEHOLDER_HT}${idx}§`;
+            }
+            // Not whitelisted — leave in text for Phase 2 to escape
+            return match;
+        });
+    }
+
     // ────────────────────────────────────────────────────────────────
     //  Phase 2 — HTML Escaping
     // ────────────────────────────────────────────────────────────────
     // All remaining text (everything except code placeholders) is escaped
     // to prevent XSS.  The `allow_unsafe_html` option skips this for
     // trusted pipelines that intentionally embed raw HTML.
+    // For whitelist mode, escaping still runs (only `true` bypasses it).
 
-    if (!allow_unsafe_html) {
+    if (allow_unsafe_html !== true) {
         html = escapeHtml(html);
     }
 
+    // Restore safe HTML tag placeholders after escaping
+    if (htmlAllow) {
+        safeTags.forEach((tag, i) => {
+            html = html.replace(`${PLACEHOLDER_HT}${i}§`, tag);
+        });
+    }
+
     // ────────────────────────────────────────────────────────────────
     //  Phase 3 — Block Scanning + Inline Formatting + Paragraphs
     // ────────────────────────────────────────────────────────────────
@@ -1681,6 +1765,14 @@ function scanLineBlocks(text, getAttr, dataQd) {
     while (i < lines.length) {
         const line = lines[i];
 
+        // ── Markdown comment (reference-link hack) ──
+        // [//]: # (comment)  or  [//]: # "comment"  or  [//]: #
+        // These produce no output — standard markdown comment convention.
+        if (/^\[\/\/\]: #/.test(line)) {
+            i++;
+            continue;
+        }
+
         // ── Heading ──
         // Count leading '#' characters.  Valid heading: 1-6 hashes then a space.
         // Example: "## Hello World ##" → <h2>Hello World</h2>
@@ -2045,6 +2137,7 @@ quikdown.configure = function(options) {
 /** Semantic version (injected at build time) */
 quikdown.version = quikdownVersion;
 
+
 // ════════════════════════════════════════════════════════════════════
 //  Exports
 // ════════════════════════════════════════════════════════════════════