From 389fd097656c79d71d73bfa206228cb19484cd3f Mon Sep 17 00:00:00 2001
From: Jiaqing Liang
Date: Tue, 10 Mar 2026 13:55:40 +0800
Subject: [PATCH] fix: disable unsafe_allow_html to prevent XSS in chat rendering

---
 stapp.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/stapp.py b/stapp.py
index a86dc5a..99c79e0 100644
--- a/stapp.py
+++ b/stapp.py
@@ -84,15 +84,14 @@ for msg in st.session_state.messages:
 if prompt := st.chat_input("请输入指令"):
 st.session_state.messages.append({"role": "user", "content": prompt})
- #允许消息内容中包含 HTML 代码并直接渲染,但注意这会有 XSS 安全风险,仅在内容可信时使用
- with st.chat_message("user"): st.markdown(prompt, unsafe_allow_html=True)
+ with st.chat_message("user"): st.markdown(prompt, unsafe_allow_html=False) # 小心 XSS
 with st.chat_message("assistant"):
 message_placeholder = st.empty()
 response = ''
 for response in agent_backend_stream(prompt):
- message_placeholder.markdown(response + "▌", unsafe_allow_html=True)
- message_placeholder.markdown(response, unsafe_allow_html=True)
+ message_placeholder.markdown(response + "▌", unsafe_allow_html=False)
+ message_placeholder.markdown(response, unsafe_allow_html=False)
 st.session_state.messages.append({"role": "assistant", "content": response})
 st.session_state.last_reply_time = int(time.time())
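Review bot: Only the three live-render `st.markdown` calls inside this hunk are changed, while the history replay loop named in the hunk header (`for msg in st.session_state.messages:`, above line 84 and outside the hunk) is not touched by the patch (diffstat: one file, 3 insertions, 4 deletions); if that loop still renders each stored `content` with `unsafe_allow_html=True`, the same user prompt and model output are rendered as raw HTML again on the next rerun, so the fix is only partial until that loop is checked. The replacement comment `# 小心 XSS` also drops the reasoning the removed comment gave; since `unsafe_allow_html=False` is Streamlit's default, the explicit argument is documentation rather than behaviour, and the comment should state why it is kept, e.g. `# prompt is user input and response is model output — both untrusted, so keep HTML escaped (Streamlit's default)`. Putting that comment once in English above the `if prompt :=` block rather than trailing the one-line `with` statement would make it apply visibly to all three calls.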