V1.2.0 #64
Merged
Implements issue #61. Standard Markdown links whose target begins with a UE package root (/Game/, /Engine/, /Plugins/, /Script/) are rewritten to the ueasset:// scheme and open in their asset editor. The class:// scheme resolves to a native UClass (opened in the IDE via FSourceCodeNavigation) or a Blueprint asset (opened in the Blueprint editor). Broken-link styling now covers ueasset:// and class:// targets. https://claude.ai/code/session_01TNergLaAd33WFGjABwPLpE
FSourceCodeNavigation::NavigateToClass opens the header by default, but clicking class://Actor is expected to land in the implementation. Try FindClassSourcePath + OpenSourceFile first and fall back to the header only when no .cpp exists (header-only classes / interfaces). https://claude.ai/code/session_01TNergLaAd33WFGjABwPLpE
UHT strips the leading A/U/I prefix from native class reflection names (AActor -> "Actor", UObject -> "Object"), so class://AActor previously failed to resolve and was flagged as a broken link. Extract candidate generation into BuildClassNameCandidates which both strips and adds prefixes, letting the detector and opener accept either form. https://claude.ai/code/session_01TNergLaAd33WFGjABwPLpE
Previously the full package path was percent-encoded including every '/', producing URLs like "ueasset://%2FGame%2FFoo%2FBar" with no real path component. CEF could not parse that as navigable, so clicking a Blueprint link blanked the preview and the asset never opened. Switch to a path-aware encoder that leaves '/' literal, yielding well-formed "ueasset:///Game/Foo/Bar" URLs that reach HandleBeforeNavigation. https://claude.ai/code/session_01TNergLaAd33WFGjABwPLpE
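The encoding difference this commit describes, as a standalone C++ example added here; it is not the plugin's code. The function names are hypothetical and `std::string` stands in for `FString`.

```cpp
#include <string>

// Percent-encode a package path for a URL. RFC 3986 unreserved characters stay
// literal; '/' stays literal only when bKeepSlash is true. Every other byte
// (space, '"', '<', '%', non-ASCII UTF-8) becomes %XX.
std::string EncodePath(const std::string& Path, bool bKeepSlash)
{
    static const char Hex[] = "0123456789ABCDEF";
    std::string Out;
    for (unsigned char C : Path)
    {
        const bool bUnreserved = (C >= 'A' && C <= 'Z') || (C >= 'a' && C <= 'z') ||
                                 (C >= '0' && C <= '9') ||
                                 C == '-' || C == '.' || C == '_' || C == '~';
        if (bUnreserved || (bKeepSlash && C == '/'))
        {
            Out += static_cast<char>(C);
        }
        else
        {
            Out += '%';
            Out += Hex[C >> 4];
            Out += Hex[C & 0x0F];
        }
    }
    return Out;
}

// Build the link target the preview would emit for a /Game/... package path.
// bKeepSlash=false reproduces the old all-encoded form; true is the path-aware form.
std::string BuildAssetUrl(const std::string& PackagePath, bool bKeepSlash)
{
    return "ueasset://" + EncodePath(PackagePath, bKeepSlash);
}
```

Characters that could break out of an `href` attribute, such as `"` and `<`, are still encoded in the path-aware form; only the path separator is exempt.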
Every <a href> emitted by the preview, the URL received by HandleBeforeNavigation, and each resolution step inside OpenLinkedUnrealAsset / OpenLinkedClass now emit Display-level logs in the LogMarkdownAssetEditor category. Temporary diagnostics for tracking down why Blueprint link clicks blank the preview. https://claude.ai/code/session_01TNergLaAd33WFGjABwPLpE
The previous FSoftObjectPath-based query returned invalid FAssetData for Blueprint targets even when the asset existed on disk, so clicking a /Game/... link silently failed. Replace the lookup with a three-tier chain:
1. AssetRegistry::GetAssetsByPackageName — the canonical package-based query that reliably hits indexed Content Browser assets.
2. Legacy GetAssetByObjectPath for both raw and dotted forms, preserved as a compatibility fallback.
3. StaticLoadObject as a last resort so on-disk packages that have not been indexed yet still open.
DoesAssetExistAtPath mirrors the same strategy plus FPackageName::DoesPackageExist so broken-link highlighting matches runtime resolution. https://claude.ai/code/session_01TNergLaAd33WFGjABwPLpE
The earlier log showed FAssetData::IsValid() returning true for the Blueprint target while GetAsset() still returned nullptr, so the lookup silently fell through. Switch to FAssetData::GetSoftObjectPath().TryLoad() so we use the canonical object path stored in the registry and force a synchronous load, and add logging for AssetName/PackageName/ClassPath so we can see which asset the registry actually matched. Also add a LoadPackage + ForEachObjectWithPackage tier after StaticLoadObject: when the leaf name inside a package does not match the file name we can still recover the first real asset contained in the package. https://claude.ai/code/session_01TNergLaAd33WFGjABwPLpE
- Promote the Unreleased changelog entry to [1.2.0] - 2026-04-18
- Bump MarkdownAsset.uplugin to VersionName 1.2.0 (Version 3)
- Document the new linking syntax with a dedicated table in both README.md and README.ja.md (mdasset://, ueasset://, class://, https://)
- Drop the temporary [LinkDebug] diagnostic logs now that the feature is verified; keep Warning-level logs for genuine lookup failures
https://claude.ai/code/session_01TNergLaAd33WFGjABwPLpE
…-61-xgEni Add asset and class link support to Markdown editor
UE 5.6 removed UMetaData (UObject) in favor of FMetaData (struct), so the IsA<UMetaData>() filter no longer compiles. Wrap the include and check with UE_VERSION_OLDER_THAN(5, 6, 0) to keep 5.5 support. https://claude.ai/code/session_01844YrCL6CQoEydz2kt476F
…rror-emnQG Guard UMetaData filter for UE 5.6+ build
Default-deny any scheme that is not explicitly recognized (data:, about:, mdasset://, ueasset://, class://, http(s)://). md4c-html does not sanitize URL schemes, so a crafted link such as [click](javascript:...) would previously execute script in the preview WebBrowser when clicked, allowing exfiltration of rendered content via fetch() or SSRF against localhost services.
Document that the preview browser's navigation handler now uses a strict allowlist and blocks unknown schemes such as javascript: and file: to prevent script execution from untrusted Markdown content.
Injects a CSP meta tag that allows only inline styles and data: URIs for images, blocking all other network requests (scripts, external images, fetch/XHR, frames). This prevents SSRF against localhost services and IP/UA tracking via image pixels embedded in untrusted Markdown assets.
Document that a Content-Security-Policy header is now injected into every preview page, blocking external network requests to prevent IP tracking and SSRF against local services.
The preview hides the address bar, so users have no way to inspect a link's destination before clicking. Always present the full URL in a Yes/No dialog and only call LaunchURL when the user confirms, to mitigate phishing via crafted Markdown assets.
Note that http(s):// links now always prompt for confirmation before launching in the system browser, as a phishing mitigation for the preview which has no address bar.
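The default-deny scheme allowlist and the confirm-before-launch rule from the commits above, as a standalone C++ example added here; it is not the plugin's navigation handler. The `LinkAction` enum, the function names and the action assigned to each allowed scheme are assumptions; only the list of recognized schemes comes from the commit message.

```cpp
#include <cctype>
#include <string>

// What a navigation handler should do with a URL (hypothetical names).
enum class LinkAction { Block, AllowInPreview, OpenInEditor, ConfirmThenLaunch };

// Return the lower-cased scheme, or "" when the URL has no valid scheme.
// Tab, CR and LF are dropped first because browsers ignore them inside URLs,
// so a scheme split by a tab must be judged as the joined scheme.
std::string ExtractScheme(const std::string& Url)
{
    std::string Clean;
    for (unsigned char C : Url)
        if (C != '\t' && C != '\r' && C != '\n')
            Clean += static_cast<char>(std::tolower(C));
    // Trim leading spaces and C0 control characters, as URL parsers do.
    size_t Start = 0;
    while (Start < Clean.size() && static_cast<unsigned char>(Clean[Start]) <= 0x20)
        ++Start;
    const size_t Colon = Clean.find(':', Start);
    if (Colon == std::string::npos || Colon == Start) return "";
    // RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
    if (!std::isalpha(static_cast<unsigned char>(Clean[Start]))) return "";
    for (size_t I = Start; I < Colon; ++I)
    {
        const unsigned char C = static_cast<unsigned char>(Clean[I]);
        if (!std::isalnum(C) && C != '+' && C != '-' && C != '.') return "";
    }
    return Clean.substr(Start, Colon - Start);
}

// Default-deny: anything not named below is blocked, including "no scheme".
LinkAction ClassifyNavigation(const std::string& Url)
{
    const std::string Scheme = ExtractScheme(Url);
    if (Scheme == "data" || Scheme == "about") return LinkAction::AllowInPreview;
    if (Scheme == "mdasset" || Scheme == "ueasset" || Scheme == "class")
        return LinkAction::OpenInEditor;
    if (Scheme == "http" || Scheme == "https")
        return LinkAction::ConfirmThenLaunch; // caller shows the full URL in a Yes/No dialog
    return LinkAction::Block;
}
```

The classifier never enumerates bad schemes: `javascript:` and `file:` are blocked only because they are absent from the allowlist, so a scheme nobody anticipated gets the same treatment.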
The config pointed to Plugins/MarkdownEditor/Source, which no longer exists after the plugin was renamed to MarkdownAsset. Gather therefore collected zero source-literal entries. Point it at the real source tree so LOCTEXT/NSLOCTEXT strings (including the new external-URL confirmation dialog) are picked up again.
LOCTEXT source strings with \n\n{0} required translators to type
escape sequences in the Localization Dashboard, which stores text
verbatim (no C-escape interpretation), causing \n\n to render as
literal characters in the UI.
Move the newline+URL concatenation to C++ code so the localizable
string is a plain question sentence with no format tokens.
Record the URL-scheme allowlist, preview CSP, external-URL confirmation dialog, and the MarkdownEditor_Gather.ini path fix under the 1.2.0 release.
…/github.com/EmbarrassingMoment/MarkdownAssetProject into claude/browser-plugin-security-review-K6C86
…security-review-K6C86 Enhance security: add CSP header and strengthen navigation filtering
No description provided.