From 2b969ee66875ae4d323fc2a33ecd2437ab83e3aa Mon Sep 17 00:00:00 2001 From: shinchan-zhai Date: Mon, 23 Mar 2026 09:44:32 +0800 Subject: [PATCH] security: sanitize markdown link URLs to prevent javascript: XSS Only allow http/https URLs in rendered markdown links. Replace any non-http(s) URL with '#' to prevent potential javascript: URI attacks. --- web/src/pages/AgentChatPage.tsx | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/web/src/pages/AgentChatPage.tsx b/web/src/pages/AgentChatPage.tsx index db98bc82..887e43bd 100644 --- a/web/src/pages/AgentChatPage.tsx +++ b/web/src/pages/AgentChatPage.tsx @@ -189,10 +189,13 @@ function renderInline(text: string): (string | JSX.Element)[] { } else if (part.match(/^\[([^\]]+)\]\(([^)]+)\)$/)) { const match = part.match(/^\[([^\]]+)\]\(([^)]+)\)$/) if (match) { + const href = match[2] + // Only allow http/https links to prevent javascript: XSS + const safeHref = /^https?:\/\//i.test(href) ? href : '#' result.push(