From 640414d5df71870be5362fc53bef0d67d25d4121 Mon Sep 17 00:00:00 2001 From: "gaoding.devingao" Date: Mon, 16 Jun 2025 10:57:32 +0800 Subject: [PATCH 1/4] =?UTF-8?q?feat:=20=E8=A7=A3=E5=86=B3html=E7=9A=84xss?= =?UTF-8?q?=E9=97=AE=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../feat-mdstream-safe_2025-06-16-02-57.json | 11 +++ .../config/subspaces/default/pnpm-lock.yaml | 18 +++++ packages/chat-sdk/package.json | 1 + .../md-stream/render/phrase/html/index.tsx | 3 +- .../md-stream/render/phrase/link/index.tsx | 2 +- packages/chat-sdk/src/pages/markdown/const.ts | 80 ++++++++++++++++++- 6 files changed, 112 insertions(+), 3 deletions(-) create mode 100644 common/changes/@coze/chat-sdk/feat-mdstream-safe_2025-06-16-02-57.json diff --git a/common/changes/@coze/chat-sdk/feat-mdstream-safe_2025-06-16-02-57.json b/common/changes/@coze/chat-sdk/feat-mdstream-safe_2025-06-16-02-57.json new file mode 100644 index 00000000..e49807d0 --- /dev/null +++ b/common/changes/@coze/chat-sdk/feat-mdstream-safe_2025-06-16-02-57.json @@ -0,0 +1,11 @@ +{ + "changes": [ + { + "packageName": "@coze/chat-sdk", + "comment": "解决html的xss问题", + "type": "minor" + } + ], + "packageName": "@coze/chat-sdk", + "email": "gaoding.devingao@bytedance.com" +} diff --git a/common/config/subspaces/default/pnpm-lock.yaml b/common/config/subspaces/default/pnpm-lock.yaml index ab4b741b..f77560b1 100644 --- a/common/config/subspaces/default/pnpm-lock.yaml +++ b/common/config/subspaces/default/pnpm-lock.yaml @@ -1897,6 +1897,9 @@ importers: micromark-extension-misc-radio-list-item: specifier: ^2.1.0 version: 2.1.0 + xss: + specifier: ^1.0.15 + version: 1.0.15 zustand: specifier: ^4.4.7 version: 4.5.6(@types/react@18.3.12)(immer@9.0.21)(react@18.3.1) 
@@ -9038,6 +9041,9 @@ packages: engines: {node: '>=4'} hasBin: true + cssfilter@0.0.10: + resolution: {integrity: sha512-FAaLDaplstoRsDR8XGYH51znUN0UY7nMc6Z9/fvE8EXGwvJE9hu7W2vHwx1+bd6gCYnln9nLbzxFTrcO9YQDZw==} + cssnano-preset-default@5.2.14: resolution: {integrity: sha512-t0SFesj/ZV2OTylqQVOrFgEh5uanxbO6ZAdeCrNsUQ6fVuXwYTxJPNAGvGTxHbD68ldIJNec7PyYZDBrfDQ+6A==} engines: {node: ^10 || ^12 || >=14.0} @@ -16645,6 +16651,11 @@ packages: xregexp@3.1.0: resolution: {integrity: sha512-4Y1x6DyB8xRoxosooa6PlGWqmmSKatbzhrftZ7Purmm4B8R4qIEJG1A2hZsdz5DhmIqS0msC0I7KEq93GphEVg==} + xss@1.0.15: + resolution: {integrity: sha512-FVdlVVC67WOIPvfOwhoMETV72f6GbW7aOabBC3WxN/oUdoEMDyLz4OgRv5/gck2ZeNqEQu+Tb0kloovXOfpYVg==} + engines: {node: '>= 0.10.0'} + hasBin: true + xtend@4.0.2: resolution: {integrity: sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==} engines: {node: '>=0.4'} @@ -26015,6 +26026,8 @@ snapshots: cssesc@3.0.0: {} + cssfilter@0.0.10: {} + cssnano-preset-default@5.2.14(postcss@8.4.49): dependencies: css-declaration-sorter: 6.4.1(postcss@8.4.49) @@ -35634,6 +35647,11 @@ snapshots: xregexp@3.1.0: {} + xss@1.0.15: + dependencies: + commander: 2.20.3 + cssfilter: 0.0.10 + xtend@4.0.2: {} xxhashjs@0.2.2: diff --git a/packages/chat-sdk/package.json b/packages/chat-sdk/package.json index 31b696c0..a0cb3b59 100644 --- a/packages/chat-sdk/package.json +++ b/packages/chat-sdk/package.json @@ -84,6 +84,7 @@ "micromark-extension-gfm-table": "^2.1.0", "micromark-extension-gfm-task-list-item": "^2.1.0", "micromark-extension-misc-radio-list-item": "^2.1.0", + "xss": "^1.0.15", "zustand": "^4.4.7" }, "devDependencies": { diff --git a/packages/chat-sdk/src/libs/ui-kit/atomic/md-stream/render/phrase/html/index.tsx b/packages/chat-sdk/src/libs/ui-kit/atomic/md-stream/render/phrase/html/index.tsx index e3358516..fb1404c6 100644 --- a/packages/chat-sdk/src/libs/ui-kit/atomic/md-stream/render/phrase/html/index.tsx 
+++ b/packages/chat-sdk/src/libs/ui-kit/atomic/md-stream/render/phrase/html/index.tsx @@ -1,5 +1,6 @@ import { FC, memo } from 'react'; +import xss from 'xss'; import type { Html as HtmlMdType, Text as TextMdType } from 'mdast'; import { RichText } from '@tarojs/components'; @@ -13,7 +14,7 @@ export const Html: FC<{ return ( <> {enableHtmlTags ? ( - + ) : ( )} diff --git a/packages/chat-sdk/src/libs/ui-kit/atomic/md-stream/render/phrase/link/index.tsx b/packages/chat-sdk/src/libs/ui-kit/atomic/md-stream/render/phrase/link/index.tsx index 8677ca6c..a02f10d5 100644 --- a/packages/chat-sdk/src/libs/ui-kit/atomic/md-stream/render/phrase/link/index.tsx +++ b/packages/chat-sdk/src/libs/ui-kit/atomic/md-stream/render/phrase/link/index.tsx @@ -19,7 +19,7 @@ export const Link: FC<{ const { eventCallbacks } = useMdStreamContext(); const isValidUrl = useMemo(() => { let isValid = node.url && node.url !== '#'; - if (node.url.startsWith('javascript:')) { + if (/^javascript/i.test(node.url.replace(/\s/, ''))) { isValid = false; } return isValid; diff --git a/packages/chat-sdk/src/pages/markdown/const.ts b/packages/chat-sdk/src/pages/markdown/const.ts index 9a634f9b..e950ac4c 100644 --- a/packages/chat-sdk/src/pages/markdown/const.ts +++ b/packages/chat-sdk/src/pages/markdown/const.ts @@ -1,4 +1,82 @@ export const markdown = ` +test +test +test +test +test +test +test +test +test +test +test +test +test +test + +test + +"-prompt(8)-" +'-prompt(8)-' +";a=prompt,a()// +';a=prompt,a()// +'-eval("window['pro'%2B'mpt'](8)")-' +"-eval("window['pro'%2B'mpt'](8)")-" +"onclick=prompt(8)>"@x.y +"onclick=prompt(8)>"@x.y + + + + + + +t> +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +'"><\x3Cscript>javascript:alert(1) +'"><\x00script>javascript:alert(1) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
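Review bot: The changed JSX line in the `enableHtmlTags` branch is not legible in this hunk, so it cannot be confirmed whether `xss()` runs with its default whitelist or with options; because `RichText` renders the result as markup, the branch deserves a comment that records the chosen configuration, e.g. `// Markdown HTML from an untrusted source: sanitized by xss (default whitelist) before RichText renders it`. With the library defaults, tags outside the whitelist are escaped and shown as literal text rather than removed; if the intent is to hide such markup in the chat bubble, `stripIgnoreTag: true` together with `stripIgnoreTagBody: ['script', 'style']` is the documented way, and that should be decided explicitly rather than left to the default. Sanitizing inside the render path also re-runs on every render; a `useMemo` keyed on the html node's `value` (presumably the string passed here — confirm against the stripped line) would do it once per node. The `Html` component starts above this hunk and its body continues below it.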
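Review bot: The `javascript:` test added to `isValidUrl` in link/index.tsx is a denylist for one scheme, so any other non-navigational scheme still leaves `isValid` truthy; an allowlist of the schemes the chat UI should actually open (http, https, mailto — extend as the product requires) plus schemeless relative paths is the robust form and also removes the need for the whitespace-stripping heuristic. PATCH 3/4 later adds the missing `g` flag to `replace(/\s/, '')` (without it only the first whitespace character is removed), but the denylist shape remains there too, so this note applies to that hunk as well. `isValid` is also typed `string | boolean` by `node.url && node.url !== '#'`; returning a plain boolean is cleaner. The `useMemo` closure continues past the hunk (its dependency list is not visible); the visible lines could be rewritten as follows.
```typescript
const isValidUrl = useMemo(() => {
  const url = node.url.replace(/\s/g, '');
  if (!url || url === '#') {
    return false;
  }
  // Allowlist: relative URLs and a fixed set of schemes render as links;
  // everything else (javascript:, data:, vbscript:, …) is rejected.
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(url)?.[1]?.toLowerCase();
  return scheme === undefined || ['http', 'https', 'mailto'].includes(scheme);
  // … unchanged: remainder of useMemo (dependency list) outside the hunk …
```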

sadfadf

+ # Code as \`\`\`javascript @@ -8,7 +86,7 @@ $(document).ready(function () { \`\`\` https://www.coze.com test@coze.com -[coze](javascripdt://www.baidu.com) +[coze](javascript:javascript:alert(1)) ![Alt Text](https://pic1.zhimg.com/v2-b444070848d54baf536222b22a51fba4_b.jpg) ![Alt Text](https://s.coze.cn/t/cmdAkWul_g4/) From d03310f73b909139fa2570753adedf16162f74b4 Mon Sep 17 00:00:00 2001 From: "gaoding.devingao" Date: Mon, 16 Jun 2025 10:58:21 +0800 Subject: [PATCH 2/4] chore: Publish feat/mdstream-safe --- packages/chat-sdk/package.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/chat-sdk/package.json b/packages/chat-sdk/package.json index a0cb3b59..78994e38 100644 --- a/packages/chat-sdk/package.json +++ b/packages/chat-sdk/package.json @@ -1,6 +1,6 @@ { "name": "@coze/chat-sdk", - "version": "0.1.11-beta.17", + "version": "0.1.11-beta.18", "description": "Coze chat components for taro", "license": "MIT", "author": "gaoding.devingao@bytedance.com", @@ -163,4 +163,4 @@ "css": "Less", "framework": "React" } -} +} \ No newline at end of file From c88ff827129b99975baee58c3cc6a6de014d548a Mon Sep 17 00:00:00 2001 From: "gaoding.devingao" Date: Mon, 16 Jun 2025 12:00:13 +0800 Subject: [PATCH 3/4] =?UTF-8?q?feat:=20=E4=BF=AE=E6=94=B9g?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../chat-sdk/feat-mdstream-safe_2025-06-16-04-00.json | 11 +++++++++++ .../atomic/md-stream/render/phrase/link/index.tsx | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 common/changes/@coze/chat-sdk/feat-mdstream-safe_2025-06-16-04-00.json diff --git a/common/changes/@coze/chat-sdk/feat-mdstream-safe_2025-06-16-04-00.json b/common/changes/@coze/chat-sdk/feat-mdstream-safe_2025-06-16-04-00.json new file mode 100644 index 00000000..ecc02bf0 --- /dev/null +++ b/common/changes/@coze/chat-sdk/feat-mdstream-safe_2025-06-16-04-00.json 
@@ -0,0 +1,11 @@
+{
+ "changes": [
+ {
+ "packageName": "@coze/chat-sdk",
+ "comment": "修改g",
+ "type": "minor"
+ }
+ ],
+ "packageName": "@coze/chat-sdk",
+ "email": "gaoding.devingao@bytedance.com"
+}
diff --git a/packages/chat-sdk/src/libs/ui-kit/atomic/md-stream/render/phrase/link/index.tsx b/packages/chat-sdk/src/libs/ui-kit/atomic/md-stream/render/phrase/link/index.tsx
index a02f10d5..6fffd406 100644
--- a/packages/chat-sdk/src/libs/ui-kit/atomic/md-stream/render/phrase/link/index.tsx
+++ b/packages/chat-sdk/src/libs/ui-kit/atomic/md-stream/render/phrase/link/index.tsx
@@ -19,7 +19,7 @@ export const Link: FC<{
 const { eventCallbacks } = useMdStreamContext();
 const isValidUrl = useMemo(() => {
 let isValid = node.url && node.url !== '#';
- if (/^javascript/i.test(node.url.replace(/\s/, ''))) {
+ if (/^javascript/i.test(node.url.replace(/\s/g, ''))) {
 isValid = false;
 }
 return isValid;
From 0dc6513001c8cefd4c8852b3c17aaa6fab2c2715 Mon Sep 17 00:00:00 2001
From: "gaoding.devingao"
Date: Tue, 1 Jul 2025 20:49:02 +0800
Subject: [PATCH 4/4] feat: change file url
---
 .../chat-sdk/feat-mdstream-safe_2025-07-01-12-49.json | 11 +++++++++++
 .../helper/message/send-message/multi-send-message.ts | 5 ++++-
 2 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 common/changes/@coze/chat-sdk/feat-mdstream-safe_2025-07-01-12-49.json
diff --git a/common/changes/@coze/chat-sdk/feat-mdstream-safe_2025-07-01-12-49.json b/common/changes/@coze/chat-sdk/feat-mdstream-safe_2025-07-01-12-49.json
new file mode 100644
index 00000000..f3ac2273
--- /dev/null
+++ b/common/changes/@coze/chat-sdk/feat-mdstream-safe_2025-07-01-12-49.json
@@ -0,0 +1,11 @@
+{
+ "changes": [
+ {
+ "packageName": "@coze/chat-sdk",
+ "comment": "change file url",
+ "type": "minor"
+ }
+ ],
+ "packageName": "@coze/chat-sdk",
+ "email": "gaoding.devingao@bytedance.com"
+}
diff --git a/packages/chat-sdk/src/libs/services/helper/message/send-message/multi-send-message.ts b/packages/chat-sdk/src/libs/services/helper/message/send-message/multi-send-message.ts
index 76d3feba..f4b0fc8a 100644
--- a/packages/chat-sdk/src/libs/services/helper/message/send-message/multi-send-message.ts
+++ b/packages/chat-sdk/src/libs/services/helper/message/send-message/multi-send-message.ts
@@ -61,7 +61,8 @@ export class MultiSendMessage extends RawSendMessage {
 message.content = JSON.stringify(
 fileList.map(item => ({
 type: item.type,
- file_id: item.file_id,
+ file_id: item.file_id || undefined,
+ file_url: item.file_url || undefined,
 })),
 );
 this.sendMessage(message, historyMessages);
@@ -134,6 +135,8 @@ export class MultiSendMessage extends RawSendMessage {
 file: item.file,
 });
 packResult.file_id = res.id;
+ // @ts-expect-error -- linter-disable-autofix
+ packResult.file_url = res.url;
 fileList.push(packResult);
 }
 }),
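Review bot: The `// @ts-expect-error -- linter-disable-autofix` added before `packResult.file_url = res.url;` in the second hunk suppresses a type error instead of fixing the type, so `file_url` becomes the one field in this payload the compiler does not check. Whichever declaration is missing the field — `packResult`'s type or the upload response `res` (neither is visible in the hunk) — should gain `file_url?: string` / `url?: string` and the directive should go; if a suppression genuinely has to stay, the text after `--` should state the reason rather than a tooling tag. In the first hunk `file_id: item.file_id || undefined` and `file_url: item.file_url || undefined` drop empty strings as well as null/undefined, which makes the key disappear from the serialized JSON; if that is intended, a comment such as `// '' or null → key omitted from the serialized payload` makes it deliberate, otherwise `?? undefined` keeps empty strings. Both hunks sit inside methods of `MultiSendMessage` whose bodies start and end outside the hunks.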