ADFA-2611: Fix tooltip HTML tags rendering as literal text

[Daniel-ADFA]

Remove Html.escapeHtml() from tooltip summary and detail content
so HTML formatting tags (e.g., for bold) render properly in
the WebView instead of displaying as literal text.

[coderabbitai]

📝 Walkthrough

• Change: Stop escaping HTML in tooltip summary and detail so WebView renders tags (e.g., ) instead of showing them as text.
• Impact: Tooltips can include basic HTML formatting; blank detail now preserved as empty string.
• Compatibility: No public API signature changes.
• Risks:
  • Security: Potential HTML/JS injection if tooltip content is not fully trusted. Rendering raw HTML in a WebView can expose XSS vectors.
  • Stability: Malformed HTML could break layout or styling; unexpected rendering differences across Android versions.
• Best-practice considerations:
  • Sanitize/whitelist allowed tags and attributes before rendering.
  • Ensure WebView JavaScript is disabled unless strictly required.
  • Avoid inline event handlers and external resource loading.
  • Add tests for HTML content, blank/whitespace-only detail, and long/complex markup.

Walkthrough

Simplified tooltip HTML generation by removing HTML escaping for summary content and refactoring detail handling to use ifBlank pattern instead of explicit null/blank checks, while preserving button HTML generation logic.

Changes

Cohort / File(s)	Summary
Tooltip HTML Escaping Refactoring idetooltips/src/main/java/com/itsaky/androidide/idetooltips/ToolTipManager.kt	Removed HTML escaping for summary at detail level 0 (now uses raw tooltipItem.summary); simplified detail content handling at level 1 by replacing explicit isNotBlank() checks with ifBlank { "" } pattern; button HTML generation preserved

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• fix(ADFA-1902): Escape HTML characters in tooltips #779 — Directly conflicts with this PR by adding Html.escapeHtml for summary and detail in the same ToolTipManager.kt file, while this PR removes escaping entirely.

Suggested reviewers

• dara-abijo-adfa
• itsaky-adfa
• jomen-adfa
• jatezzz

Poem

🐰 No more escaping, plain text flows so free,
HTML tags dancing in simplicity,
ifBlank whispers where conditions once were,
Less is more in this code—a tooltip blur! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: fixing HTML tags in tooltips to render properly instead of as literal text.
Description check	✅ Passed	The description is directly related to the changeset, explaining the removal of Html.escapeHtml() and its purpose for proper HTML rendering in WebView.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

idetooltips/src/main/java/com/itsaky/androidide/idetooltips/ToolTipManager.kt (1)

280-297: Potential XSS risk with unescaped database content rendered in JavaScript-enabled WebView.

Removing Html.escapeHtml() allows HTML formatting to render, but also opens a potential XSS vector since:

1. JavaScript is enabled on the WebView (line 321)
2. The debug database can be loaded from external storage (/Download/documentation.db), which is user-accessible

If a malicious database contains <script> tags or event handlers (e.g., <img onerror="...">), they would execute in the WebView context.

Consider one of these mitigations:

• Sanitize HTML to allow only safe formatting tags (<b>, <i>, <br>, etc.) while stripping scripts and event handlers
• Disable JavaScript on the WebView if not strictly required for tooltip rendering
• Only allow unescaped HTML from the bundled production database, not the debug database

Android WebView HTML sanitization libraries for safe HTML rendering

🧹 Nitpick comments (1)

idetooltips/src/main/java/com/itsaky/androidide/idetooltips/ToolTipManager.kt (1)

321-323: Consider disabling JavaScript if not required for tooltip display.

With HTML escaping removed, keeping JavaScript enabled increases the attack surface. If the tooltips only need to render basic HTML formatting (<b>, <br>, etc.), JavaScript can be disabled:

♻️ Suggested change

-        webView.settings.javaScriptEnabled = true
+        webView.settings.javaScriptEnabled = false