github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-19 06:07:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(ui): escape raw HTML in chat messages instead of rendering it (#13952)

Browse Source 
Co-authored-by: 0xRaini <0xRaini@users.noreply.github.com>
This commit is contained in:
0xRain
2026-02-12 07:40:40 +08:00
committed by GitHub
parent 729181bd06
commit bebba124e8
1 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
ui/src/ui/markdown.ts
View File

@@ -112,7 +112,9 @@ export function toSanitizedMarkdownHtml(markdown: string): string {
} }
return sanitized; return sanitized;
} }
const rendered = marked.parse(`${truncated.text}${suffix}`) as string; const rendered = marked.parse(`${truncated.text}${suffix}`, {
renderer: htmlEscapeRenderer,
}) as string;
const sanitized = DOMPurify.sanitize(rendered, { const sanitized = DOMPurify.sanitize(rendered, {
ALLOWED_TAGS: allowedTags, ALLOWED_TAGS: allowedTags,
ALLOWED_ATTR: allowedAttrs, ALLOWED_ATTR: allowedAttrs,
@@ -123,6 +125,13 @@ export function toSanitizedMarkdownHtml(markdown: string): string {
return sanitized; return sanitized;
} }
// Prevent raw HTML in chat messages from being rendered as formatted HTML.
// Display it as escaped text so users see the literal markup.
// Security is handled by DOMPurify, but rendering pasted HTML (e.g. error
// pages) as formatted output is confusing UX (#13937).
const htmlEscapeRenderer = new marked.Renderer();
htmlEscapeRenderer.html = ({ text }: { text: string }) => escapeHtml(text);
function escapeHtml(value: string): string { function escapeHtml(value: string): string {
return value return value
.replace(/&/g, "&amp;") .replace(/&/g, "&amp;")