fix: render HTML directly in bot messages without escaping

- Detect HTML tags in bot responses and use content directly
- Fix for both addMessage and streaming (updateStreaming/finalizeStreaming)
- Prevents HTML source being shown to users
Rodrigo Rodriguez (Pragmatismo) 2026-04-09 01:39:01 -03:00
parent 0c32befbb9
commit f903dd4918
2 changed files with 40 additions and 18 deletions


@ -294,10 +294,15 @@
processedContent +
"</div>";
} else {
var parsed =
typeof marked !== "undefined" && marked.parse
// Check if content has HTML (any tag, including comments)
var hasHtmlTags = /<\/?[a-z][^>]*>|<!--|-->/i.test(content);
console.log("Bot message - hasHtmlTags:", hasHtmlTags, "content length:", content.length);
var parsed = hasHtmlTags
? content // Use HTML directly (no escaping!)
: (typeof marked !== "undefined" && marked.parse
? marked.parse(content)
: escapeHtml(content);
: escapeHtml(content));
parsed = renderMentionInMessage(parsed);
div.innerHTML =
'<div class="message-content bot-message">' +
@ -727,10 +732,13 @@
function updateStreaming(content) {
var el = document.getElementById(streamingMessageId);
if (el) {
var parsed =
typeof marked !== "undefined" && marked.parse
// Check if content has HTML tags
var hasHtmlTags = /<\/?[a-z][^>]*>|<!--|-->/i.test(content);
var parsed = hasHtmlTags
? content // Use HTML directly
: (typeof marked !== "undefined" && marked.parse
? marked.parse(content)
: escapeHtml(content);
: escapeHtml(content));
parsed = renderMentionInMessage(parsed);
el.querySelector(".message-content").innerHTML = parsed;
}
@ -739,10 +747,13 @@
function finalizeStreaming() {
var el = document.getElementById(streamingMessageId);
if (el) {
var parsed =
typeof marked !== "undefined" && marked.parse
// Check if content has HTML tags
var hasHtmlTags = /<\/?[a-z][^>]*>|<!--|-->/i.test(currentStreamingContent);
var parsed = hasHtmlTags
? currentStreamingContent // Use HTML directly
: (typeof marked !== "undefined" && marked.parse
? marked.parse(currentStreamingContent)
: escapeHtml(currentStreamingContent);
: escapeHtml(currentStreamingContent));
parsed = renderMentionInMessage(parsed);
el.querySelector(".message-content").innerHTML = parsed;
el.removeAttribute("id");
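Review bot: The new `hasHtmlTags ? content` branch in the first hunk (and its twins in updateStreaming/finalizeStreaming) hands bot-supplied HTML to `innerHTML` with no sanitization at all, so a response containing `<img src=x onerror=...>`, an `<iframe>`, or a `javascript:` link executes in the user's origin; if bot responses can carry model output, tool results or retrieved documents that an attacker can influence (prompt injection is enough), this is a stored/reflected XSS sink, and the old `escapeHtml` fallback was the only thing preventing it. The `marked.parse` path presumably already passed inline HTML through unescaped (marked's default), so this commit widens rather than creates the gap, but "detect a tag and skip escaping" is the wrong fix either way. Prefer an established sanitizer on all three paths, e.g. `parsed = renderMentionInMessage(DOMPurify.sanitize(parsed));`; if no new dependency is acceptable, the minimum is a DOM-based scrubber like the one below applied to `parsed` before any `innerHTML` assignment, and it must be reviewed as security-critical code. The enclosing addMessage function starts and ends outside the first hunk, and the console.log of every bot message should not ship.
```javascript
// Strip active content from bot-supplied HTML before it reaches innerHTML.
// Removes script-bearing elements, on* handlers and javascript:/data: URLs;
// a vetted library (DOMPurify) is preferable to maintaining this by hand.
function sanitizeBotHtml(html) {
  var doc = new DOMParser().parseFromString(html, "text/html");
  var blocked = doc.body.querySelectorAll(
    "script, style, iframe, object, embed, link, meta, base, form"
  );
  for (var i = 0; i < blocked.length; i++) blocked[i].remove();
  var nodes = doc.body.querySelectorAll("*");
  for (var j = 0; j < nodes.length; j++) {
    var attrs = nodes[j].attributes;
    for (var k = attrs.length - 1; k >= 0; k--) {
      var name = attrs[k].name.toLowerCase();
      var value = attrs[k].value.replace(/\s/g, "").toLowerCase();
      var isUrlAttr = name === "href" || name === "src" || name === "action" || name === "formaction";
      if (name.indexOf("on") === 0 ||
          name === "srcdoc" ||
          (isUrlAttr && (value.indexOf("javascript:") === 0 || value.indexOf("data:") === 0))) {
        nodes[j].removeAttribute(attrs[k].name);
      }
    }
  }
  return doc.body.innerHTML;
}

// … unchanged: hasHtmlTags check and marked/escapeHtml fallback …
parsed = renderMentionInMessage(sanitizeBotHtml(parsed));
```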


@ -504,10 +504,15 @@
processedContent +
"</div>";
} else {
var parsed =
typeof marked !== "undefined" && marked.parse
// Check if content has HTML (any tag, including comments)
var hasHtmlTags = /<\/?[a-z][^>]*>|<!--|-->/i.test(content);
console.log("Bot message - hasHtmlTags:", hasHtmlTags, "content length:", content.length);
var parsed = hasHtmlTags
? content // Use HTML directly (no escaping!)
: (typeof marked !== "undefined" && marked.parse
? marked.parse(content)
: escapeHtml(content);
: escapeHtml(content));
parsed = renderMentionInMessage(parsed);
div.innerHTML =
'<div class="message-content bot-message">' +
@ -937,10 +942,13 @@
function updateStreaming(content) {
var el = document.getElementById(streamingMessageId);
if (el) {
var parsed =
typeof marked !== "undefined" && marked.parse
// Check if content has HTML tags
var hasHtmlTags = /<\/?[a-z][^>]*>|<!--|-->/i.test(content);
var parsed = hasHtmlTags
? content // Use HTML directly
: (typeof marked !== "undefined" && marked.parse
? marked.parse(content)
: escapeHtml(content);
: escapeHtml(content));
parsed = renderMentionInMessage(parsed);
el.querySelector(".message-content").innerHTML = parsed;
}
@ -949,10 +957,13 @@
function finalizeStreaming() {
var el = document.getElementById(streamingMessageId);
if (el) {
var parsed =
typeof marked !== "undefined" && marked.parse
// Check if content has HTML tags
var hasHtmlTags = /<\/?[a-z][^>]*>|<!--|-->/i.test(currentStreamingContent);
var parsed = hasHtmlTags
? currentStreamingContent // Use HTML directly
: (typeof marked !== "undefined" && marked.parse
? marked.parse(currentStreamingContent)
: escapeHtml(currentStreamingContent);
: escapeHtml(currentStreamingContent));
parsed = renderMentionInMessage(parsed);
el.querySelector(".message-content").innerHTML = parsed;
el.removeAttribute("id");
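Review bot: This file section is a line-for-line copy of the first one, so the same unsanitized `innerHTML` path (`hasHtmlTags ? content` in addMessage and both streaming handlers) needs the same sanitization step here; fixing one copy and not the other would leave the second UI exploitable. In updateStreaming the detection is also chunk-sensitive: the regex needs a closing `>`, so a partially received tag renders escaped on one update and raw on the next, which makes the rendered DOM flip mid-stream and is presumably not intended. The `console.log("Bot message - hasHtmlTags:", ...)` line is debug output that logs a status for every bot message and should be dropped before merge. The regex is now duplicated three times per file; hoisting it once, `var HTML_TAG_RE = /<\/?[a-z][^>]*>|<!--|-->/i;` with `function containsHtml(s) { return HTML_TAG_RE.test(s); }`, keeps the three call sites from drifting (no `/g` flag, so a shared literal is safe). The enclosing addMessage function starts and ends outside the first hunk.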