Summary
Chat messages currently render markdown links without protocol sanitization, allowing javascript: URLs to become clickable in the UI.
Affected Area
frontend/src/components/Dashboard/ChatArea.js (marked(...) output passed to dangerouslySetInnerHTML)
Reproduction
- Send a message containing:
  [go](javascript:window.location='https://example.com')
- View the message in chat.
- The rendered "go" text is clickable and uses a javascript: URL.
Expected
Unsafe URL schemes should never be rendered as clickable links.
Actual
Unsafe schemes are rendered as anchor href values.
Impact
Potential client-side script execution / malicious redirects through user-generated message content.
Proposed Fix
- Add a custom marked.Renderer for links.
- Allow only http:, https:, mailto:, tel:.
- Render unsafe links as plain text.
- Strip raw HTML tokens from markdown output before injecting HTML.
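One way to implement the scheme allow-list and the raw-HTML neutralisation described above, as an added example that is not the project's ChatArea.js: the two functions follow the shape of marked renderer hooks but do not import marked, so they run stand-alone. The base URL used for parsing, the rel attribute and the wiring sketch at the end are assumptions.

```javascript
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:', 'tel:']);

// Escape the characters that matter inside HTML text and attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Use the WHATWG URL parser, not a regex: it lowercases the scheme and strips
// leading/embedded whitespace and control characters, so " JavaScript:" and
// "java\tscript:" normalise to javascript:. The base URL is an assumption; it
// only lets relative hrefs parse (they inherit https: and are allowed).
function isSafeHref(href) {
  let url;
  try {
    url = new URL(String(href), 'https://chat.invalid/');
  } catch (e) {
    return false; // unparseable: treat as unsafe
  }
  return SAFE_SCHEMES.has(url.protocol);
}

// Link hook: an unsafe scheme degrades to the escaped link text, so nothing
// clickable is emitted. `text` is assumed plain here; in marked's renderer it
// is already-rendered inline HTML and must not be escaped a second time.
function renderLink(href, title, text) {
  if (!isSafeHref(href)) {
    return escapeHtml(text);
  }
  const titleAttr = title ? ` title="${escapeHtml(title)}"` : '';
  return `<a href="${escapeHtml(href)}"${titleAttr} rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}

// Raw-HTML hook: HTML typed by the user is shown literally, never injected.
function renderHtmlToken(raw) {
  return escapeHtml(raw);
}

// Wiring sketch (renderer signature differs between marked versions, so
// check the installed one before copying this):
//   const renderer = new marked.Renderer();
//   renderer.link = (href, title, text) => renderLink(href, title, text);
//   renderer.html = (raw) => renderHtmlToken(raw);
//   marked.use({ renderer });
```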
Patch
See attached file ChatArea.js