Replace marked.js with markdown-it to eliminate ReDoS vulnerability (#36213).

Behavior remains consistent with original marked.js except for task lists
(- [ ] / - [x]) which now render as checkboxes via markdown-it-task-lists.

To preserve marked.js behavior:
- Enable GFM strikethrough (~~text~~)
- Disable fuzzyLink to avoid auto-linking bare filenames like README.md
- Add www. autolink validator per GFM spec (trailing punctuation, balanced parens)
- Override html_block/html_inline to escape raw HTML
- Override image renderer: alt text for remote URLs, allow base64 data URIs
- Override fence/code_block: copy button and JSON collapse
- Dangerous schemes (javascript:, vbscript:, file:) sanitized by DOMPurify

New: task-list checkbox styling for .chat-text, .sidebar-markdown, .chat-thinking

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
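
The www. autolink validation named in the commit message (trailing punctuation, balanced parens), sketched from the GFM extended-autolink rules as an added example; this is not code from the commit or the project, and `trimAutolinkTail`, `isValidWwwDomain` and `wwwAutolink` are hypothetical names. It uses only single-pass scans and one anchored regex, in keeping with the ReDoS motivation.

```javascript
// Added example (not the project's code): GFM extended "www." autolink checks.
// Characters the GFM spec never counts as the end of an autolink.
const TRAILING = new Set(['?', '!', '.', ',', ':', '*', '_', '~']);

// Cut a candidate such as "www.example.com/a)." down to the part GFM links.
function trimAutolinkTail(candidate) {
  const lt = candidate.indexOf('<');            // "<" always ends the autolink
  let end = lt === -1 ? candidate.length : lt;
  while (end > 0) {
    const ch = candidate[end - 1];
    if (TRAILING.has(ch)) {
      end--;                                    // trailing punctuation is excluded
    } else if (ch === ')') {
      let open = 0, close = 0;                  // count parens over the whole link
      for (let i = 0; i < end; i++) {
        if (candidate[i] === '(') open++;
        else if (candidate[i] === ')') close++;
      }
      if (close <= open) break;                 // balanced: the ")" belongs to the URL
      end--;                                    // unmatched ")" is surrounding prose
    } else if (ch === ';') {
      // A tail that looks like an entity reference ("&hl;") is excluded.
      const m = /&[A-Za-z0-9]+;$/.exec(candidate.slice(0, end));
      if (!m) break;
      end = m.index;
    } else {
      break;
    }
  }
  return candidate.slice(0, end);
}

// Domain rule: labels of [A-Za-z0-9_-] separated by ".", at least one ".",
// and no "_" in the last two labels.
function isValidWwwDomain(link) {
  if (!link.startsWith('www.')) return false;
  const host = /^[A-Za-z0-9_.-]+/.exec(link)[0];
  const labels = host.split('.');
  if (labels.length < 2 || labels.some((l) => !/^[A-Za-z0-9_-]+$/.test(l))) return false;
  return !labels.slice(-2).some((l) => l.includes('_'));
}

// Returns the text to link, or null when the candidate must stay plain text.
function wwwAutolink(candidate) {
  const link = trimAutolinkTail(candidate);
  return isValidWwwDomain(link) ? link : null;
}
```

With fuzzyLink disabled, a bare filename such as README.md never reaches this path; here it simply fails the `www.` prefix check and stays plain text.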