🧐[问题] Chat component renders HTML leading to potential XSS attacks

[SSK-14]

🧐 问题描述

When the chat output/input contains markdown content starting with code fences ``` without specifying a language (e.g., (code fences)html or (code fences)bash), it defaults to txt. If there is HTML code inside it, the HTML gets rendered, making the component prone to XSS attacks. Is there any way to overcome this issue?

💻 示例代码

code fences

<form action="action_page.php" method="post">

  <div class="imgcontainer">
    <img src="img_avatar2.png" alt="Avatar" class="avatar">
  </div>
  
  <div class="container">
    <label for="uname"><b>Username</b></label>
    <input type="text" placeholder="Enter Username" name="uname" required>
    
    <label for="psw"><b>Password</b></label>
    <input type="password" placeholder="Enter Password" name="psw" required>
    
    <label>
      <input type="checkbox" checked="checked" name="remember"> Remember me
    </label>

    <button type="submit">Login</button>
  </div>
  
  <div class="container" style="background-color:#f1f1f1">
    <button type="button" class="cancelbtn">Cancel</button>
    <span class="psw">Forgot <a href="#">password?</a></span>
  </div>
  
</form>

code fences

🚑 其他信息
No additional information at the moment, but the issue is relevant for security and user content sanitization.

[ONLY-yours]

by design, we not suggest u should render some html dom in Markdown, it can do it, but not suggested

the good way is use ChatItemRenderConfig to render a custom dom

looking about this: https://pro-chat.antdigital.dev/guide/chat-item-render-config

we made a case about this

[ONLY-yours]

@SSK-14