✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@sea-turt1e I think it would be good to add an e2e test as well.

@sfc-gh-lwilby
I added e2e test, and update by some github copilot revlew.

Looks good from product side! @sfc-gh-lwilby do you want to finish the review for this?

Summary

This PR fixes issue #7359 where buttons with labels containing markdown syntax tokens like +, -, 1., *** were being stripped or rendered incorrectly by the markdown processor. The fix introduces a new escapeMarkdownForLabel() function in StreamlitMarkdown.tsx that escapes markdown syntax that would otherwise be interpreted as list markers, horizontal rules, or quote markers when isLabel is true.

Changes:

• Added escapeMarkdownForLabel() and escapeMarkdownLineForLabel() functions to escape problematic markdown tokens in labels
• Added SINGLE_CHARACTER_LABEL_TOKENS constant (+, -, *, >)
• Modified processedSource to apply escaping when rendering labels
• Added frontend unit tests for literal markdown tokens
• Added E2E tests with buttons using literal markdown token labels

Code Quality

The implementation is well-structured and follows the codebase patterns:

Positives:

1. The escaping logic in escapeMarkdownLineForLabel() is clear and well-commented
2. Proper handling of edge cases:
   • Preserves leading/trailing whitespace
   • Handles empty strings and whitespace-only content
   • Handles both Unix (\n) and Windows (\r\n) line endings
   • Escapes backslashes first to avoid double-escaping
3. Covers the key markdown tokens that cause issues:
   • Single character tokens: +, -, *, >
   • Ordered list tokens: 1., 2), etc.
   • Horizontal rules: ---, ***, ___, - - -, * * *, _ _ _
4. The useMemo hook correctly includes isLabel in its dependency array

Minor observation:

• Line 17 in StreamlitMarkdown.tsx removes React from the import, which is fine since React 17+ supports JSX without explicit React import. This is a minor cleanup, not a concern.

Test Coverage

Frontend Unit Tests (StreamlitMarkdown.test.tsx):

• Added comprehensive test cases using test.each for parameterized testing
• Tests cover +, -, >, 1., *** tokens
• Tests verify the text is visible using toBeVisible() assertion (following best practices)
• Properly cleans up between test cases with cleanup()

E2E Tests (st_button_test.py):

• Added test test_literal_markdown_token_labels with clear docstring
• Uses get_element_by_key for stable locators (following best practices)
• Tests +, -, 1., *** tokens
• Updated TOTAL_BUTTONS count from 27 to 31

Note: The > token is tested in unit tests but not in E2E tests. This is acceptable since blockquotes (>) are already in the LABEL_DISALLOWED_ELEMENTS list, so the escaping provides defense-in-depth but the element would be unwrapped anyway.

Backwards Compatibility

No breaking changes. This fix:

• Only affects labels (isLabel=true)
• Previously, tokens like +, - were being stripped/invisible
• Now they render as expected
• This is purely a bug fix that improves behavior for existing use cases

Security & Risk

No security concerns identified:

• The change is purely presentation logic for markdown escaping
• Input is already processed through React Markdown's sanitization
• No new user input pathways or DOM manipulation introduced
• The escaping logic is defensive and doesn't introduce injection vectors

Risk Assessment: Low

• The change is isolated to the isLabel code path
• Existing tests for non-label markdown rendering continue to pass
• The escaping approach (backslash escaping) is standard markdown practice

Recommendations

The PR is well-implemented. A few optional improvements for consideration:

1. Consider adding edge case unit tests (optional):

   • Multi-line labels with tokens (e.g., "Line 1\n+\nLine 3")
   • Labels with multiple consecutive tokens (e.g., "+ - *")
   • Labels mixing tokens with regular text (e.g., "Click + to add")

2. Minor code organization (optional):
   The SINGLE_CHARACTER_LABEL_TOKENS constant could be defined closer to where escapeMarkdownLineForLabel() uses it (currently at line 741, used at line 683) for better code locality.

These are minor suggestions and not blockers for merging.

Verdict

APPROVED: This is a clean, well-tested fix for a legitimate bug affecting button labels with markdown tokens. The implementation is sound, test coverage is adequate, and there are no backwards compatibility or security concerns.

This is an automated AI review. Please verify the feedback and use your judgment.

Hi @sea-turt1e! I ran a readiness check on this PR to see what needs attention before we can move forward with review. Here's what I found:

Status: Not Ready for Review Yet

Good news: Your PR is well-written with comprehensive tests and already has product approval! However, there are a couple of CI failures that need to be fixed first.

What Needs to Be Fixed

1. Frontend Linter Failure ⚠️

The js-unit-tests check is failing at the linter step. Please run:

make frontend-lint

If there are any linting errors, you can auto-fix them with:

make frontend-format

2. E2E Test Failure ⚠️

The playwright-e2e-tests check is failing. This is likely a snapshot mismatch from your new tests. You can update the snapshots by running:

make update-snapshots

This command will fetch the snapshot differences from the CI run and update them locally.

Note: The E2E test you added looks good structurally! The failure is likely just missing snapshots or a minor formatting issue.

Infrastructure Issues (Not Your Fault)

Two checks show as "failed" but they're actually infrastructure issues posting comments to the PR:

• ❌ check-size - The size comparison passed, but the workflow failed when trying to post a comment
• ❌ py-coverage-report - The coverage report generated successfully, but the workflow failed when trying to post a comment

You don't need to fix these - they're workflow permission/API issues that a maintainer will need to investigate.

Your PR Quality Score: 72/100 (Grade: B-)

The code quality is strong! Just a couple minor CI issues to fix. Here's the breakdown:

• Documentation: 25/30 ✅ - Great title, clear description, helpful screenshot
• Technical: 30/40 ✅ - Comprehensive tests, good implementation, just needs formatting/snapshots
• Responsiveness: 17/30 ✅ - You've been responsive to feedback

Once you fix the linter and snapshots, your score will jump to ~85+ (A-)!

Next Steps

1. Fix the linter and E2E test failures (commands above)
2. Push your fixes to this branch
3. Request CI re-run: Tag me in a comment (@sfc-gh-lwilby) to re-run the CI checks
4. Once CI is green: I'll move forward with the review!

Context for Your Understanding

This PR fixes a real bug (issue #7359) where buttons with markdown tokens like +, -, *** were being stripped or rendered incorrectly. Your implementation:

✅ Has comprehensive frontend unit tests
✅ Has E2E tests (as requested by @sfc-gh-lwilby)
✅ Already has product approval from @jrieke
✅ Received a positive automated code review
✅ Addresses the issue correctly with proper markdown escaping

The automated reviewer noted your fix is "clean, well-tested" with only optional suggestions for edge cases. Once CI is green, this should be a straightforward review!

Questions? Feel free to ask if you need help with any of the commands or run into issues. Thanks for your contribution! 🙏

Closing this since it was fixed in this PR: #13887