From d9e66e957c4057ad271ebf7de91f9a9980c8df3f Mon Sep 17 00:00:00 2001
From: Rodrigo Rodriguez <rodriguez@pragmatismo.com.br>
Date: Fri, 1 May 2026 08:38:41 -0300
Subject: [PATCH] Fix: Escapar HTML para exibir como texto
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Remove lógica hasHtmlTags que injetava HTML cru
- Sempre usa escapeHtml para exibir conteúdo como texto
- Corrige problema de tags HTML aparecendo na página
---
 botui/ui/suite/chat/chat-messages.js | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/botui/ui/suite/chat/chat-messages.js b/botui/ui/suite/chat/chat-messages.js
index fabee638..be0349f6 100644
--- a/botui/ui/suite/chat/chat-messages.js
+++ b/botui/ui/suite/chat/chat-messages.js
@@ -57,20 +57,18 @@ if (msgId) div.id = msgId;
 if (sender === "user") {
 var processedContent = renderMentionInMessage(escapeHtml(content));
 div.innerHTML = '<div class="message-content user-message">' + processedContent + "</div>";
-} else {
-var cleanContent = stripMarkdownBlocks(content);
+  } else {
+    var cleanContent = stripMarkdownBlocks(content);
+    var hasHtmlTags = /<\/?[a-zA-Z][^>]*>|<!--|-->/i.test(cleanContent);
+    var parsed;
     if (msgId) {
-        parsed = '<div class="streaming-loading"><span class="loading-dots">...</span></div>';
-    } else if (hasHtmlTags) {
-        parsed = cleanContent; // Don't escape HTML tags
+      parsed = '<div class="streaming-loading"><span class="loading-dots">...</span></div>';
     } else {
-        parsed = typeof marked !== "undefined" && marked.parse
-            ? marked.parse(cleanContent)
-            : escapeHtml(cleanContent);
+      parsed = escapeHtml(cleanContent);
     }
     parsed = renderMentionInMessage(parsed);
     div.innerHTML = '<div class="message-content bot-message">' + parsed + "</div>";
-}
+  }
 
   messages.appendChild(div);