diff --git a/common/changes/@coze/chat-sdk/feat-mdstream-safe_2025-06-16-02-57.json b/common/changes/@coze/chat-sdk/feat-mdstream-safe_2025-06-16-02-57.json new file mode 100644 index 00000000..e49807d0 --- /dev/null +++ b/common/changes/@coze/chat-sdk/feat-mdstream-safe_2025-06-16-02-57.json @@ -0,0 +1,11 @@ +{ + "changes": [ + { + "packageName": "@coze/chat-sdk", + "comment": "解决html的xss问题", + "type": "minor" + } + ], + "packageName": "@coze/chat-sdk", + "email": "gaoding.devingao@bytedance.com" +} diff --git a/common/changes/@coze/chat-sdk/feat-mdstream-safe_2025-06-16-04-00.json b/common/changes/@coze/chat-sdk/feat-mdstream-safe_2025-06-16-04-00.json new file mode 100644 index 00000000..ecc02bf0 --- /dev/null +++ b/common/changes/@coze/chat-sdk/feat-mdstream-safe_2025-06-16-04-00.json @@ -0,0 +1,11 @@ +{ + "changes": [ + { + "packageName": "@coze/chat-sdk", + "comment": "修改g", + "type": "minor" + } + ], + "packageName": "@coze/chat-sdk", + "email": "gaoding.devingao@bytedance.com" +} diff --git a/common/changes/@coze/chat-sdk/feat-mdstream-safe_2025-07-01-12-49.json b/common/changes/@coze/chat-sdk/feat-mdstream-safe_2025-07-01-12-49.json new file mode 100644 index 00000000..f3ac2273 --- /dev/null +++ b/common/changes/@coze/chat-sdk/feat-mdstream-safe_2025-07-01-12-49.json @@ -0,0 +1,11 @@ +{ + "changes": [ + { + "packageName": "@coze/chat-sdk", + "comment": "change file url", + "type": "minor" + } + ], + "packageName": "@coze/chat-sdk", + "email": "gaoding.devingao@bytedance.com" +} diff --git a/common/config/subspaces/default/pnpm-lock.yaml b/common/config/subspaces/default/pnpm-lock.yaml index ab4b741b..f77560b1 100644 --- a/common/config/subspaces/default/pnpm-lock.yaml +++ b/common/config/subspaces/default/pnpm-lock.yaml 
@@ -1897,6 +1897,9 @@ importers: micromark-extension-misc-radio-list-item: specifier: ^2.1.0 version: 2.1.0 + xss: + specifier: ^1.0.15 + version: 1.0.15 zustand: specifier: ^4.4.7 version: 4.5.6(@types/react@18.3.12)(immer@9.0.21)(react@18.3.1) @@ -9038,6 +9041,9 @@ packages: engines: {node: '>=4'} hasBin: true + cssfilter@0.0.10: + resolution: {integrity: sha512-FAaLDaplstoRsDR8XGYH51znUN0UY7nMc6Z9/fvE8EXGwvJE9hu7W2vHwx1+bd6gCYnln9nLbzxFTrcO9YQDZw==} + cssnano-preset-default@5.2.14: resolution: {integrity: sha512-t0SFesj/ZV2OTylqQVOrFgEh5uanxbO6ZAdeCrNsUQ6fVuXwYTxJPNAGvGTxHbD68ldIJNec7PyYZDBrfDQ+6A==} engines: {node: ^10 || ^12 || >=14.0} @@ -16645,6 +16651,11 @@ packages: xregexp@3.1.0: resolution: {integrity: sha512-4Y1x6DyB8xRoxosooa6PlGWqmmSKatbzhrftZ7Purmm4B8R4qIEJG1A2hZsdz5DhmIqS0msC0I7KEq93GphEVg==} + xss@1.0.15: + resolution: {integrity: sha512-FVdlVVC67WOIPvfOwhoMETV72f6GbW7aOabBC3WxN/oUdoEMDyLz4OgRv5/gck2ZeNqEQu+Tb0kloovXOfpYVg==} + engines: {node: '>= 0.10.0'} + hasBin: true + xtend@4.0.2: resolution: {integrity: sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==} engines: {node: '>=0.4'} @@ -26015,6 +26026,8 @@ snapshots: cssesc@3.0.0: {} + cssfilter@0.0.10: {} + cssnano-preset-default@5.2.14(postcss@8.4.49): dependencies: css-declaration-sorter: 6.4.1(postcss@8.4.49) @@ -35634,6 +35647,11 @@ snapshots: xregexp@3.1.0: {} + xss@1.0.15: + dependencies: + commander: 2.20.3 + cssfilter: 0.0.10 + xtend@4.0.2: {} xxhashjs@0.2.2: diff --git a/packages/chat-sdk/package.json b/packages/chat-sdk/package.json index 31b696c0..78994e38 100644 --- a/packages/chat-sdk/package.json +++ b/packages/chat-sdk/package.json @@ -1,6 +1,6 @@ { "name": "@coze/chat-sdk", - "version": "0.1.11-beta.17", + "version": "0.1.11-beta.18", "description": "Coze chat components for taro", "license": "MIT", "author": "gaoding.devingao@bytedance.com", 
@@ -84,6 +84,7 @@ "micromark-extension-gfm-table": "^2.1.0", "micromark-extension-gfm-task-list-item": "^2.1.0", "micromark-extension-misc-radio-list-item": "^2.1.0", + "xss": "^1.0.15", "zustand": "^4.4.7" }, "devDependencies": { @@ -162,4 +163,4 @@ "css": "Less", "framework": "React" } -} +} \ No newline at end of file diff --git a/packages/chat-sdk/src/libs/services/helper/message/send-message/multi-send-message.ts b/packages/chat-sdk/src/libs/services/helper/message/send-message/multi-send-message.ts index 76d3feba..f4b0fc8a 100644 --- a/packages/chat-sdk/src/libs/services/helper/message/send-message/multi-send-message.ts +++ b/packages/chat-sdk/src/libs/services/helper/message/send-message/multi-send-message.ts @@ -61,7 +61,8 @@ export class MultiSendMessage extends RawSendMessage { message.content = JSON.stringify( fileList.map(item => ({ type: item.type, - file_id: item.file_id, + file_id: item.file_id || undefined, + file_url: item.file_url || undefined, })), ); this.sendMessage(message, historyMessages); @@ -134,6 +135,8 @@ export class MultiSendMessage extends RawSendMessage { file: item.file, }); packResult.file_id = res.id; + // @ts-expect-error -- linter-disable-autofix + packResult.file_url = res.url; fileList.push(packResult); } }), diff --git a/packages/chat-sdk/src/libs/ui-kit/atomic/md-stream/render/phrase/html/index.tsx b/packages/chat-sdk/src/libs/ui-kit/atomic/md-stream/render/phrase/html/index.tsx index e3358516..fb1404c6 100644 --- a/packages/chat-sdk/src/libs/ui-kit/atomic/md-stream/render/phrase/html/index.tsx +++ b/packages/chat-sdk/src/libs/ui-kit/atomic/md-stream/render/phrase/html/index.tsx @@ -1,5 +1,6 @@ import { FC, memo } from 'react'; +import xss from 'xss'; import type { Html as HtmlMdType, Text as TextMdType } from 'mdast'; import { RichText } from '@tarojs/components'; @@ -13,7 +14,7 @@ export const Html: FC<{ return ( <> {enableHtmlTags ? ( - + ) : ( )} 
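Review bot: In the `@@ -61,7 +61,8 @@` hunk of multi-send-message.ts the `|| undefined` on `file_id` and `file_url` relies on JSON.stringify dropping undefined-valued keys, so an entry whose upload produced neither value is serialised as `{ type }` with no file reference at all, and an empty string is coerced away the same way. If omitting the key is the intent, say so next to the map, e.g. `// JSON.stringify omits undefined keys: send only the reference(s) the upload produced`, because the reader of the serialised content cannot tell a deliberately omitted field from a lost one. The enclosing method starts before and continues after this hunk.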
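Review bot: In the `@@ -134,6 +135,8 @@` hunk of multi-send-message.ts the new `packResult.file_url = res.url;` is made to compile with `// @ts-expect-error -- linter-disable-autofix`, which hides whichever type is incomplete instead of fixing it: either the object type behind `packResult` lacks `file_url` or the upload response type lacks `url` (the hunk does not show which). Declare the field on that type, e.g. `file_url?: string` on the pack-result type (its name is not visible here), and drop the directive; a suppression whose only stated reason is `linter-disable-autofix` will not tell the next reader why the assignment was unchecked. The `@@ -61` hunk above already serialises `item.file_url`, so the item type evidently needs the field anyway. The enclosing method continues outside the hunk.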
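Review bot: The `@@ -13,7 +14,7 @@` hunk of html/index.tsx imports `xss` but the rewritten JSX inside the `enableHtmlTags` branch has been lost in this rendering, so the sanitised expression itself cannot be reviewed here; assuming it is `xss(node.value)` with the library's default options, document at the call site what the default filter does and does not do so the next reader does not assume the whole tree is safe. With defaults, tags outside the whitelist are HTML-escaped rather than removed (so `<script>` bodies remain visible as text unless `stripIgnoreTagBody` is set), and whitelisted `a`/`img` keep `href`/`src` subject only to the library's `safeAttrValue` URL check. A comment such as `// xss() default whitelist: non-whitelisted tags are escaped, href/src values are filtered for unsafe schemes`, plus running the payload list added in pages/markdown/const.ts through this renderer in an automated test, would make the protection verifiable rather than assumed. The component body continues outside the hunk.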
diff --git a/packages/chat-sdk/src/libs/ui-kit/atomic/md-stream/render/phrase/link/index.tsx b/packages/chat-sdk/src/libs/ui-kit/atomic/md-stream/render/phrase/link/index.tsx index 8677ca6c..6fffd406 100644 --- a/packages/chat-sdk/src/libs/ui-kit/atomic/md-stream/render/phrase/link/index.tsx +++ b/packages/chat-sdk/src/libs/ui-kit/atomic/md-stream/render/phrase/link/index.tsx @@ -19,7 +19,7 @@ export const Link: FC<{ const { eventCallbacks } = useMdStreamContext(); const isValidUrl = useMemo(() => { let isValid = node.url && node.url !== '#'; - if (node.url.startsWith('javascript:')) { + if (/^javascript/i.test(node.url.replace(/\s/g, ''))) { isValid = false; } return isValid; diff --git a/packages/chat-sdk/src/pages/markdown/const.ts b/packages/chat-sdk/src/pages/markdown/const.ts index 9a634f9b..e950ac4c 100644 --- a/packages/chat-sdk/src/pages/markdown/const.ts +++ b/packages/chat-sdk/src/pages/markdown/const.ts @@ -1,4 +1,82 @@ export const markdown = ` +test +test +test +test +test +test +test +test +test +test +test +test +test +test + +test + +"-prompt(8)-" +'-prompt(8)-' +";a=prompt,a()// +';a=prompt,a()// +'-eval("window['pro'%2B'mpt'](8)")-' +"-eval("window['pro'%2B'mpt'](8)")-" +"onclick=prompt(8)>"@x.y +"onclick=prompt(8)>"@x.y + + + + + + +t> +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +'"><\x3Cscript>javascript:alert(1) +'"><\x00script>javascript:alert(1) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
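Review bot: The replacement test `/^javascript/i.test(node.url.replace(/\s/g, ''))` in the link/index.tsx hunk still denies only one scheme, so `data:` and `vbscript:` URLs pass, and `\s` does not cover the other C0 control characters (U+0000–U+001F) that URL parsers strip before reading the scheme, so a scheme prefixed with such a byte is not caught either. Inverting the check into an allow-list of schemes closes both gaps: `const match = /^([a-z][a-z0-9+.-]*):/i.exec(node.url.replace(/[\u0000-\u0020]/g, ''));` followed by `if (match && !['http', 'https', 'mailto', 'tel'].includes(match[1].toLowerCase())) {` in place of the changed `if`, leaving relative and fragment links valid as before. `isValid` also starts as `node.url && node.url !== '#'`, a string-or-boolean value; `Boolean(node.url) && node.url !== '#'` keeps the memo's result typed as `boolean`. The `useMemo` callback and the component continue outside the hunk.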

sadfadf

+ # Code as \`\`\`javascript @@ -8,7 +86,7 @@ $(document).ready(function () { \`\`\` https://www.coze.com test@coze.com -[coze](javascripdt://www.baidu.com) +[coze](javascript:javascript:alert(1)) ![Alt Text](https://pic1.zhimg.com/v2-b444070848d54baf536222b22a51fba4_b.jpg) ![Alt Text](https://s.coze.cn/t/cmdAkWul_g4/)
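Review bot: The payload list added to the `markdown` template literal in pages/markdown/const.ts is a manual demo fixture, so nothing asserts that the `Html` and `Link` renderers actually neutralise it, and a regression in either renderer would only be noticed by eye. Moving the same strings into a unit test that renders them through those components and asserts on the output (no `javascript:` href survives, no element handlers reach the RichText nodes) would turn the list into a regression check, with the demo page importing the shared fixture. The second hunk also replaces the `javascripdt://` link with `javascript:javascript:alert(1)`, so the earlier case — an unknown but harmless scheme that must remain rendered — is no longer covered; keep both lines. Because the fixture is a template literal, any payload containing a backtick or `${` has to be escaped the way the fenced code marker already is.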