feat(annotations): adds support for inline markdown! (#126)

Author: HugoFara

CHANGELOG.md

@@ -13,6 +13,13 @@ ones are marked like "v1.0.0-fork".
   Added a dedicated "Notes" field to terms/words, allowing users to add personal
   notes separate from translations. Includes database migration, updated entity
   classes, service layer, UI forms, and API endpoints.
+* **Inline Markdown for Translations and Notes** ([#126](https://github.com/HugoFara/lwt/issues/126)):
+  Translations and notes now support inline Markdown formatting: `**bold**`,
+  `*italic*`, `~~strikethrough~~`, and `[links](url)`. Markdown is rendered in
+  the word modal, annotations (translations shown above/below words), word list,
+  test screens, and word detail views. Implemented with custom lightweight parsers
+  in both TypeScript and PHP with XSS protection (HTML escaped before parsing,
+  URLs sanitized to block javascript: schemes).
 * Official support for PHP 8.3 and 8.4.
 * **Multi-user support** ([#221](https://github.com/HugoFara/lwt/issues/221)):
   Users are now stored in a dedicated `users` table with proper foreign key

src/backend/Core/StringUtils.php

@@ -309,4 +309,58 @@ public static function replaceFirst(string $needle, string $replace, string $hay
         }
         return $haystack;
     }
+
+    /**
+     * Parse inline Markdown to HTML.
+     *
+     * Supports: **bold**, *italic*, [links](url), ~~strikethrough~~
+     *
+     * Security:
+     * - HTML is escaped before parsing (XSS prevention)
+     * - Only http/https/relative URLs allowed in links
+     * - Generated tags: <strong>, <em>, <del>, <a>
+     *
+     * @param string $text Input text with Markdown
+     *
+     * @return string HTML string
+     */
+    public static function parseInlineMarkdown(string $text): string
+    {
+        if (empty($text)) {
+            return '';
+        }
+
+        // Step 1: Escape HTML first (security)
+        $result = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
+
+        // Step 2: Links [text](url) - sanitize URLs
+        $result = preg_replace_callback(
+            '/\[([^\]]+)\]\(([^)]+)\)/',
+            function (array $matches): string {
+                $linkText = $matches[1];
+                $url = trim($matches[2]);
+
+                // Only allow http, https, and relative URLs
+                if (preg_match('#^(https?://|/|\./|\.\./.)#i', $url)) {
+                    $safeUrl = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
+                    return '<a href="' . $safeUrl . '" target="_blank" rel="noopener noreferrer">' . $linkText . '</a>';
+                }
+
+                // Block dangerous protocols (javascript:, data:, etc.)
+                return $linkText;
+            },
+            $result
+        );
+
+        // Step 3: Bold **text**
+        $result = preg_replace('/\*\*([^*]+)\*\*/', '<strong>$1</strong>', $result);
+
+        // Step 4: Italic *text* (not preceded/followed by asterisk)
+        $result = preg_replace('/(?<!\*)\*([^*]+)\*(?!\*)/', '<em>$1</em>', $result);
+
+        // Step 5: Strikethrough ~~text~~
+        $result = preg_replace('/~~([^~]+)~~/', '<del>$1</del>', $result);
+
+        return $result;
+    }
 }

src/backend/Views/Test/table_test_row.php

@@ -20,6 +20,7 @@
 
 namespace Lwt\Views\Test;
 
+use Lwt\Core\StringUtils;
 use Lwt\Services\ExportService;
 use Lwt\View\Helper\StatusHelper;
 use Lwt\View\Helper\IconHelper;
@@ -64,7 +65,7 @@
     </td>
     <td class="td1 center">
         <span id="TRAN<?php echo $word['WoID']; ?>">
-            <?php echo \htmlspecialchars($word['WoTranslation'] ?? '', ENT_QUOTES, 'UTF-8'); ?>
+            <?php echo StringUtils::parseInlineMarkdown($word['WoTranslation'] ?? ''); ?>
         </span>
     </td>
     <td class="td1 center">

src/backend/Views/Text/read_desktop.php

@@ -170,10 +170,7 @@ class="content"
 .status99 { border-bottom: solid 2px #CCFFCC; } /* Well-known */
 
 /* Hide translations class */
-.hide-translations .wsty[data_trans]::after,
-.hide-translations .wsty[data_trans]::before,
-.hide-translations .mwsty[data_trans]::after,
-.hide-translations .mwsty[data_trans]::before {
+.hide-translations .word-ann {
   display: none !important;
 }
 

src/backend/Views/Text/word_modal.php

@@ -48,13 +48,21 @@
             <!-- Translation/Romanization for known words -->
             <template x-if="!isUnknown && word.translation">
               <div class="mb-3">
-                <p class="has-text-grey-dark" x-text="word.translation"></p>
+                <p class="has-text-grey-dark" x-html="$markdown(word.translation)"></p>
                 <template x-if="word.romanization">
                   <p class="is-size-7 has-text-grey" x-text="word.romanization"></p>
                 </template>
               </div>
             </template>
 
+            <!-- Notes for known words -->
+            <template x-if="!isUnknown && word.notes">
+              <div class="mb-3">
+                <p class="is-size-7 has-text-grey mb-1">Notes:</p>
+                <p class="has-text-grey-dark is-size-7" x-html="$markdown(word.notes)"></p>
+              </div>
+            </template>
+
             <!-- Tags if present -->
             <template x-if="!isUnknown && word.tags">
               <div class="mb-3">

src/backend/Views/Word/list_alpine.php

@@ -401,7 +401,7 @@ class="markcheck"
                             <template x-if="!isEditing(word.id, 'translation')">
                                 <span class="clickedit"
                                       @click="startEdit(word.id, 'translation')"
-                                      x-text="getDisplayValue(word, 'translation')"></span>
+                                      x-html="$markdown(getDisplayValue(word, 'translation'))"></span>
                             </template>
                             <span x-show="word.tags" class="has-text-grey is-size-7 ml-1" x-text="word.tags"></span>
                         </td>
@@ -493,7 +493,7 @@ class="markcheck"
                             </span>
                         </template>
                         <template x-if="!isEditing(word.id, 'translation')">
-                            <span class="clickedit" @click="startEdit(word.id, 'translation')" x-text="getDisplayValue(word, 'translation')"></span>
+                            <span class="clickedit" @click="startEdit(word.id, 'translation')" x-html="$markdown(getDisplayValue(word, 'translation'))"></span>
                         </template>
                     </p>
 

src/backend/Views/Word/show.php

@@ -31,17 +31,25 @@
 <tr>
     <td class="td1 right">Translation:</td>
     <td class="td1 word-show-value"><b><?php
+    $translationHtml = StringUtils::parseInlineMarkdown($word['translation'] ?? '');
     if (!empty($ann)) {
+        // Highlight annotation in the rendered HTML
         echo StringUtils::replaceFirst(
-            htmlspecialchars($ann ?? '', ENT_QUOTES, 'UTF-8'),
-            '<span class="word-show-highlight">' . htmlspecialchars($ann ?? '', ENT_QUOTES, 'UTF-8') . '</span>',
-            htmlspecialchars($word['translation'] ?? '', ENT_QUOTES, 'UTF-8')
+            htmlspecialchars($ann, ENT_QUOTES, 'UTF-8'),
+            '<span class="word-show-highlight">' . htmlspecialchars($ann, ENT_QUOTES, 'UTF-8') . '</span>',
+            $translationHtml
         );
     } else {
-        echo htmlspecialchars($word['translation'] ?? '', ENT_QUOTES, 'UTF-8');
+        echo $translationHtml;
     }
     ?></b></td>
 </tr>
+<?php if (!empty($word['notes'])) : ?>
+<tr>
+    <td class="td1 right">Notes:</td>
+    <td class="td1 word-show-value"><?php echo StringUtils::parseInlineMarkdown($word['notes']); ?></td>
+</tr>
+<?php endif; ?>
 <?php if ($tags !== '') : ?>
 <tr>
     <td class="td1 right">Tags:</td>

src/frontend/js/core/inline_markdown.ts

@@ -0,0 +1,113 @@
+/**
+ * Inline Markdown Parser
+ *
+ * Parses inline Markdown syntax to HTML.
+ * Supports: **bold**, *italic*, [links](url), ~~strikethrough~~
+ *
+ * Security:
+ * - HTML is escaped before parsing (XSS prevention)
+ * - Only http/https/relative URLs allowed in links
+ * - Generated tags: <strong>, <em>, <del>, <a>
+ *
+ * @license Unlicense <http://unlicense.org/>
+ * @since   3.0.0
+ */
+
+/**
+ * Escape HTML special characters.
+ *
+ * @param str - Input string
+ * @returns String with HTML entities escaped
+ */
+function escapeHtml(str: string): string {
+  return str
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#039;');
+}
+
+/**
+ * Sanitize URL for safe use in href attribute.
+ *
+ * Only allows http, https, and relative URLs.
+ * Blocks javascript:, data:, and other potentially dangerous protocols.
+ *
+ * @param url - URL to sanitize
+ * @returns Safe URL or '#' if blocked
+ */
+function sanitizeUrl(url: string): string {
+  const trimmed = url.trim();
+
+  // Allow relative URLs
+  if (
+    trimmed.startsWith('/') ||
+    trimmed.startsWith('./') ||
+    trimmed.startsWith('../')
+  ) {
+    return trimmed;
+  }
+
+  // Allow http/https
+  if (/^https?:\/\//i.test(trimmed)) {
+    return trimmed;
+  }
+
+  // Block everything else (javascript:, data:, etc.)
+  return '#';
+}
+
+/**
+ * Parse inline Markdown to HTML.
+ *
+ * Processing order matters:
+ * 1. Escape HTML first (security)
+ * 2. Links [text](url) - most specific pattern
+ * 3. Bold **text**
+ * 4. Italic *text* (after bold to avoid conflicts)
+ * 5. Strikethrough ~~text~~
+ *
+ * @param text - Input text with Markdown
+ * @returns HTML string
+ */
+export function parseInlineMarkdown(text: string): string {
+  if (!text) return '';
+
+  // Step 1: Escape HTML characters first
+  let result = escapeHtml(text);
+
+  // Step 2: Links [text](url)
+  result = result.replace(
+    /\[([^\]]+)\]\(([^)]+)\)/g,
+    (_, linkText: string, url: string) => {
+      const safeUrl = sanitizeUrl(url);
+      return `<a href="${safeUrl}" target="_blank" rel="noopener noreferrer">${linkText}</a>`;
+    }
+  );
+
+  // Step 3: Bold **text**
+  result = result.replace(/\*\*([^*]+)\*\*/g, '<strong>$1</strong>');
+
+  // Step 4: Italic *text* (not preceded/followed by asterisk)
+  result = result.replace(/(?<!\*)\*([^*]+)\*(?!\*)/g, '<em>$1</em>');
+
+  // Step 5: Strikethrough ~~text~~
+  result = result.replace(/~~([^~]+)~~/g, '<del>$1</del>');
+
+  return result;
+}
+
+/**
+ * Check if text contains any inline Markdown syntax.
+ *
+ * Useful for optimization - skip parsing if no Markdown present.
+ *
+ * @param text - Input text
+ * @returns True if Markdown syntax detected
+ */
+export function containsMarkdown(text: string): boolean {
+  if (!text) return false;
+  // Check for: **bold**, *italic*, [link](url), ~~strike~~
+  return /\*\*|(?<!\*)\*(?!\*)|\[.+\]\(.+\)|~~/.test(text);
+}

src/frontend/js/main.ts

@@ -30,6 +30,7 @@ import './core/ui_utilities';
 import './core/user_interactions';
 import './core/language_settings';
 import './core/simple_interactions';
+import { parseInlineMarkdown } from './core/inline_markdown';
 
 // API modules (Phase 1 - centralized API client)
 import './api/terms';
@@ -172,6 +173,10 @@ declare global {
 // Initialize Alpine.js globally
 window.Alpine = Alpine;
 
+// Register Alpine.js magic method for inline Markdown parsing
+// Usage in templates: x-html="$markdown(text)"
+Alpine.magic('markdown', () => (text: string) => parseInlineMarkdown(text));
+
 // Start Alpine.js
 Alpine.start();
 

src/frontend/js/reading/components/text_reader.ts

@@ -142,7 +142,12 @@ export function textReaderData(): TextReaderData {
         showAll: this.showAll,
         showTranslations: this.showTranslations,
         rightToLeft: this.store.rightToLeft,
-        textSize: this.store.textSize
+        textSize: this.store.textSize,
+        // Annotation settings required for Markdown-rendered translations
+        showLearning: this.store.showLearning,
+        displayStatTrans: this.store.displayStatTrans,
+        modeTrans: this.store.modeTrans,
+        annTextSize: this.store.annTextSize
       };
     },