fix: disable unsafe_allow_html to prevent XSS in chat rendering

This commit is contained in:
Jiaqing Liang
2026-03-10 13:55:40 +08:00
parent 2b387f2dcf
commit 389fd09765


@@ -84,15 +84,14 @@ for msg in st.session_state.messages:
if prompt := st.chat_input("请输入指令"): if prompt := st.chat_input("请输入指令"):
st.session_state.messages.append({"role": "user", "content": prompt}) st.session_state.messages.append({"role": "user", "content": prompt})
#允许消息内容中包含 HTML 代码并直接渲染,但注意这会有 XSS 安全风险,仅在内容可信时使用 with st.chat_message("user"): st.markdown(prompt, unsafe_allow_html=False) # 小心 XSS
with st.chat_message("user"): st.markdown(prompt, unsafe_allow_html=True)
with st.chat_message("assistant"): with st.chat_message("assistant"):
message_placeholder = st.empty() message_placeholder = st.empty()
response = '' response = ''
for response in agent_backend_stream(prompt): for response in agent_backend_stream(prompt):
message_placeholder.markdown(response + "", unsafe_allow_html=True) message_placeholder.markdown(response + "", unsafe_allow_html=False)
message_placeholder.markdown(response, unsafe_allow_html=True) message_placeholder.markdown(response, unsafe_allow_html=False)
st.session_state.messages.append({"role": "assistant", "content": response}) st.session_state.messages.append({"role": "assistant", "content": response})
st.session_state.last_reply_time = int(time.time()) st.session_state.last_reply_time = int(time.time())
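Review bot: The history replay loop named in the hunk header, `for msg in st.session_state.messages:`, is the code path that re-renders every stored user and assistant message on each rerun, and it lies outside this hunk; if that loop still calls `st.markdown(msg["content"], unsafe_allow_html=True)`, the `prompt` and `response` values appended on the visible lines would still be rendered as raw HTML on the next rerun and the fix would be incomplete, so that call site is worth confirming in the same commit. On the new `with st.chat_message("user")` line, `unsafe_allow_html=False` is Streamlit's default, so the keyword is documentation rather than a behaviour change; keeping it explicit is reasonable, but the trailing `# 小心 XSS` would read better as `# explicit: never render raw HTML from user or model text (XSS)`. With HTML disabled the text is still interpreted as Markdown, so links and images in model output are still rendered; `st.text(prompt)` is the option if the user echo is meant to be shown literally. The `response + ""` in the streaming loop is a no-op carried over from the old line and could simply be `response`.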