From c8d9b97ab79aa0586eb04394798bbac83267294f Mon Sep 17 00:00:00 2001 From: raizasafeel <89463672+raizasafeel@users.noreply.github.com> Date: Tue, 3 Feb 2026 14:01:48 +0530 Subject: [PATCH 1/5] refactor: reuse function 'escapehtml' from utils --- frontend/src/utils/markdownParser.js | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/frontend/src/utils/markdownParser.js b/frontend/src/utils/markdownParser.js index 493bcb47..e11f2a13 100644 --- a/frontend/src/utils/markdownParser.js +++ b/frontend/src/utils/markdownParser.js @@ -1,5 +1,6 @@ import { CodeXml } from 'lucide-vue-next' import { createApp, h } from 'vue' +import { escapeHTML } from '@/utils' export class Markdown { constructor({ data, api, readOnly, config }) { @@ -301,7 +302,7 @@ export class Markdown { _parseInlineMarkdown(text) { if (!text) return '' - let html = this._escapeHtml(text) + let html = escapeHTML(text) html = html.replace(/`([^`]+)`/g, '$1') @@ -316,15 +317,6 @@ export class Markdown { return html } - _escapeHtml(text) { - return text - .replace(/&/g, '&') - .replace(//g, '>') - .replace(/"/g, '"') - .replace(/'/g, ''') - } - _togglePlaceholder() { const blocks = document.querySelectorAll( '.cdx-block.ce-paragraph[data-placeholder]' From dc25b408e64592cc93160f3e324efeb35f5f9d67 Mon Sep 17 00:00:00 2001 From: raizasafeel <89463672+raizasafeel@users.noreply.github.com> Date: Tue, 3 Feb 2026 14:51:17 +0530 Subject: [PATCH 2/5] fix(vimeo): video player is rendered for private videos and unsanitized vimeo links --- frontend/src/utils/index.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/frontend/src/utils/index.js b/frontend/src/utils/index.js index e0a69d55..acf6c068 100644 --- a/frontend/src/utils/index.js +++ b/frontend/src/utils/index.js 
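Review bot: The call in `_parseInlineMarkdown` now relies on `escapeHTML` from `@/utils`, whose body is not part of this patch, so nothing here shows that it escapes the same characters as the removed `_escapeHtml`; as far as the removed lines can be read, that helper covered `&`, the angle brackets, `"` and `'`. The escaped string is then rewritten by the `.replace` calls that follow and returned as `html` (the lines between the two hunks are not shown), so a helper that leaves quotes or ampersands alone would change what reaches the markup. I would pin this with a comment at the call site, for example `// escapeHTML must cover & < > " ' before tags are added below`, and a unit test that feeds those five characters through `_parseInlineMarkdown`. The new import also makes `markdownParser.js` depend on `@/utils`; if `utils/index.js` imports `Markdown` (not visible here), that is an import cycle worth checking.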
@@ -169,10 +169,10 @@ export function getEditorTools() { id: ([id]) => id, }, vimeo: { - regex: /(?:http[s]?:\/\/)?(?:www\.)?vimeo\.com\/(\d+)/, + regex: /(?:http[s]?:\/\/)?(?:www\.)?vimeo\.com\/(\d+)(?:\/([a-zA-Z0-9]+))?(?:\?[^\s]*)?/, embedUrl: '<%= remote_id %>', html: `
`, - id: ([id]) => id, + id: ([id, hash]) => (hash ? `${id}?h=${hash}` : id), }, cloudflareStream: { regex: /https:\/\/customer-[a-z0-9]+\.cloudflarestream\.com\/([a-f0-9]{32})\/watch/, From 3b49aac1b393382c4d1cebd333104d49240be165 Mon Sep 17 00:00:00 2001 From: raizasafeel <89463672+raizasafeel@users.noreply.github.com> Date: Tue, 3 Feb 2026 16:14:58 +0530 Subject: [PATCH 3/5] refactor: removed unused functions --- frontend/src/utils/markdownParser.js | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/frontend/src/utils/markdownParser.js b/frontend/src/utils/markdownParser.js index e11f2a13..1e3cf6dd 100644 --- a/frontend/src/utils/markdownParser.js +++ b/frontend/src/utils/markdownParser.js @@ -421,16 +421,6 @@ export class Markdown { return { alt: '', url: '' } } - _isLink(text) { - return /\[.+?\]\(.+?\)/.test(text) - } - - _extractLink(text) { - const match = text.match(/\[(.+?)\]\((.+?)\)/) - if (match) return { text: match[1], url: match[2] } - return { text: '', url: '' } - } - _isEmbed(text) { return /^https?:\/\/.+/.test(text.trim()) } From 2f3fa7c2957d3a34c50408de4f4d9927354ca27b Mon Sep 17 00:00:00 2001 From: raizasafeel <89463672+raizasafeel@users.noreply.github.com> Date: Tue, 3 Feb 2026 16:22:50 +0530 Subject: [PATCH 4/5] fix: added regex anchors to embed urls --- frontend/src/utils/index.js | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/frontend/src/utils/index.js b/frontend/src/utils/index.js index acf6c068..5da880ae 100644 --- a/frontend/src/utils/index.js +++ b/frontend/src/utils/index.js 
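Review bot: The new `id` callback returns `<id>?h=<hash>` when the second group matches, so `remote_id` is no longer a bare numeric identifier, and the hunk carries no comment saying so. Any template that appends its own query string after `<%= remote_id %>` would then produce a second `?`; the `html` template is not readable here, so this should be checked against it. I would add a comment above the entry such as `// group 2 is the unlisted-video hash; remote_id becomes "<id>?h=<hash>"`. As a style point, `(?:\?[^\s]*)?` can be written `(?:\?\S*)?` and `http[s]?` as `https?`, which is how the youtube entry in this file spells it.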
@@ -162,20 +162,20 @@ export function getEditorTools() { config: { services: { youtube: { - regex: /(?:https?:\/\/)?(?:www\.)?(?:(?:youtu\.be\/)|(?:youtube\.com)\/(?:v\/|u\/\w\/|embed\/|watch))(?:(?:\?v=)?([^#&?=]*))?((?:[?&]\w*=\w*)*)/, + regex: /^(?:https?:\/\/)?(?:www\.)?(?:(?:youtu\.be\/)|(?:youtube\.com)\/(?:v\/|u\/\w\/|embed\/|watch))(?:(?:\?v=)?([^#&?=]*))?((?:[?&]\w*=\w*)*)$/, embedUrl: '<%= remote_id %>', /* 'https://www.youtube.com/embed/<%= remote_id %>?origin=https://plyr.io&iv_load_policy=3&modestbranding=1&playsinline=1&showinfo=0&rel=0&enablejsapi=1' */ html: `
`, id: ([id]) => id, }, vimeo: { - regex: /(?:http[s]?:\/\/)?(?:www\.)?vimeo\.com\/(\d+)(?:\/([a-zA-Z0-9]+))?(?:\?[^\s]*)?/, + regex: /^(?:http[s]?:\/\/)?(?:www\.)?vimeo\.com\/(\d+)(?:\/([a-zA-Z0-9]+))?(?:\?[^\s]*)?$/, embedUrl: '<%= remote_id %>', html: `
`, id: ([id, hash]) => (hash ? `${id}?h=${hash}` : id), }, cloudflareStream: { - regex: /https:\/\/customer-[a-z0-9]+\.cloudflarestream\.com\/([a-f0-9]{32})\/watch/, + regex: /^https:\/\/customer-[a-z0-9]+\.cloudflarestream\.com\/([a-f0-9]{32})\/watch$/, embedUrl: 'https://iframe.videodelivery.net/<%= remote_id %>', html: ``, }, bunnyStream: { - regex: /https:\/\/(?:iframe\.mediadelivery\.net|video\.bunnycdn\.com)\/play\/([a-zA-Z0-9]+\/[a-zA-Z0-9-]+)/, + regex: /^https:\/\/(?:iframe\.mediadelivery\.net|video\.bunnycdn\.com)\/play\/([a-zA-Z0-9]+\/[a-zA-Z0-9-]+)$/, embedUrl: 'https://iframe.mediadelivery.net/embed/<%= remote_id %>', html: ``, }, drive: { - regex: /https:\/\/drive\.google\.com\/file\/d\/([A-Za-z0-9_-]+)\/view(\?.+)?/, + regex: /^https:\/\/drive\.google\.com\/file\/d\/([A-Za-z0-9_-]+)\/view(\?.+)?$/, embedUrl: 'https://drive.google.com/file/d/<%= remote_id %>/preview', html: ``, }, docsPublic: { - regex: /https:\/\/docs\.google\.com\/document\/d\/([A-Za-z0-9_-]+)\/edit(\?.+)?/, + regex: /^https:\/\/docs\.google\.com\/document\/d\/([A-Za-z0-9_-]+)\/edit(\?.+)?$/, embedUrl: 'https://docs.google.com/document/d/<%= remote_id %>/preview', html: "", }, sheetsPublic: { - regex: /https:\/\/docs\.google\.com\/spreadsheets\/d\/([A-Za-z0-9_-]+)\/edit(\?.+)?/, + regex: /^https:\/\/docs\.google\.com\/spreadsheets\/d\/([A-Za-z0-9_-]+)\/edit(\?.+)?$/, embedUrl: 'https://docs.google.com/spreadsheets/d/<%= remote_id %>/preview', html: "", }, slidesPublic: { - regex: /https:\/\/docs\.google\.com\/presentation\/d\/([A-Za-z0-9_-]+)\/edit(\?.+)?/, + regex: /^https:\/\/docs\.google\.com\/presentation\/d\/([A-Za-z0-9_-]+)\/edit(\?.+)?$/, embedUrl: 'https://docs.google.com/presentation/d/<%= remote_id %>/embed', html: "", From 8453226f29098a12c4066ac05c9881d92409220e Mon Sep 17 00:00:00 2001 
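Review bot: Anchoring the youtube pattern does not narrow its first capture group: `([^#&?=]*)` still accepts quotes, angle brackets, slashes and whitespace, and `id: ([id]) => id` passes that text on unchanged as `remote_id`. The other services touched here capture from explicit allow-lists (`\d+`, `[a-f0-9]{32}`, `[A-Za-z0-9_-]+`), so youtube is the one entry where the anchors alone do not bound what is interpolated into `embedUrl` and the `html` template (not readable here). I would restrict the group to the identifier alphabet, `([\w-]*)` in place of `([^#&?=]*)`. Separately, `$` now rejects links with a trailing slash, fragment or extra parameters for cloudflareStream and bunnyStream, which may be intended but deserves a line in the commit message.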
From: raizasafeel <89463672+raizasafeel@users.noreply.github.com> Date: Tue, 17 Feb 2026 11:36:31 +0530 Subject: [PATCH 5/5] fix: add vimeo emded URL to extract hash properly --- frontend/src/utils/index.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/frontend/src/utils/index.js b/frontend/src/utils/index.js index 225eafb7..f560d061 100644 --- a/frontend/src/utils/index.js +++ b/frontend/src/utils/index.js @@ -170,7 +170,8 @@ export function getEditorTools() { }, vimeo: { regex: /^(?:http[s]?:\/\/)?(?:www\.)?vimeo\.com\/(\d+)(?:\/([a-zA-Z0-9]+))?(?:\?[^\s]*)?$/, - embedUrl: '<%= remote_id %>', + embedUrl: + 'https://player.vimeo.com/video/<%= remote_id %>', html: `
`, id: ([id, hash]) => (hash ? `${id}?h=${hash}` : id), },
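Review bot: With `embedUrl` now set to `https://player.vimeo.com/video/<%= remote_id %>`, the `regex` in the same entry still only accepts `vimeo.com/<id>` with an optional `/<hash>`, so a pasted player URL (the form this entry generates) does not match because of the `^` anchor and the host part. The optional `(?:\?[^\s]*)?` group also matches a query and discards it, so a hash supplied as an `h` parameter is dropped rather than carried into `remote_id`. If only the path form is meant to be supported, a comment saying so would help: `// accepts vimeo.com/<id> and vimeo.com/<id>/<hash>; query strings are ignored`. The `html` template of this entry is not readable in the hunk, so whether it uses `embedUrl` at all could not be checked.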