🐛 fix: sanitize search grounding image titles to prevent XSS #13303
Replace dangerouslySetInnerHTML with stripHtml() for image result titles in SearchGrounding and ImageSearchRef components to prevent stored XSS attacks via malicious search result data.

Ref: GHSA-m5qx-g8hx-5f2p

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9e2487fb9b
| {image.title && ( | ||
| <div className={styles.imageTitle} dangerouslySetInnerHTML={{ __html: image.title }} /> | ||
| )} | ||
| {image.title && <div className={styles.imageTitle}>{stripHtml(image.title)}</div>} |
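Review bot: the guard on the added line still tests the raw `image.title`, so a title made up only of markup passes the check and, if `stripHtml` returns an empty string for it, renders an empty `imageTitle` div. Compute the stripped title once and guard on that value instead. Because the value is now a JSX text child, React escapes it, so the stripping only affects what is displayed; a short comment saying so would help stop a later change from moving this back to `dangerouslySetInnerHTML`.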
Decode HTML entities before rendering image ref titles
Rendering stripHtml(image.title) here strips tags but does not decode entities in this file’s helper, so titles like AT&T now display literally as AT&amp;T in the popover. Before this change, dangerouslySetInnerHTML decoded entities automatically, so this is a user-visible regression for image titles returned with HTML-encoded characters from grounding providers.
@canisminor1990 @ONLY-yours - This PR fixes XSS in search grounding image titles (markdown rendering + search grounding components). Please take a look.
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## canary #13303 +/- ##
==========================================
- Coverage 66.71% 66.71% -0.01%
==========================================
Files 1884 1884
Lines 150871 150870 -1
Branches 15184 15184
==========================================
- Hits 100660 100659 -1
Misses 50100 50100
Partials 111 111
…ution risk The old plugin render system (ui.mode === 'module') that used SystemJS to dynamically load and execute JS from untrusted URLs has been fully retired. Remove SystemJsRender and systemjs dependency entirely. Ref: GHSA-46v7-wvmj-6vf7 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
… JS execution risk" This reverts commit 99a7603.
# 🚀 release: 20260326

This release includes **91 commits**. Key updates are below.

- **Agent can now execute background tasks** — Agents can perform long-running operations without blocking your conversation. [#13289](#13289)
- **Better error messages** — Redesigned error UI across chat and image generation with clearer explanations and recovery options. [#13302](#13302)
- **Smoother topic switching** — No more full page reloads when switching topics while an agent is responding. [#13309](#13309)
- **Faster image uploads** — Large images are now automatically compressed to 1920px before upload, reducing wait times. [#13224](#13224)
- **Improved knowledge base** — Documents are now properly parsed before chunking, improving retrieval accuracy. [#13221](#13221)

### Bot Platform

- **WeChat Bot support** — You can now connect LobeChat to WeChat, in addition to Discord. [#13191](#13191)
- **Richer bot responses** — Bots now support custom markdown rendering and context injection. [#13294](#13294)
- **New bot commands** — Added `/new` to start fresh conversations and `/stop` to halt generation. [#13194](#13194)
- **Discord stability fixes** — Fixed thread creation issues and Redis connection drops. [#13228](#13228) [#13205](#13205)

### Models & Providers

- **GLM-5** is now available in the LobeHub model list. [#13189](#13189)
- **Coding Plan providers** — Added support for code planning assistant providers. [#13203](#13203)
- **Tencent Hunyuan 3.0 ImageGen** — New image generation model from Tencent. [#13166](#13166)
- **Gemini content handling** — Better handling when Gemini blocks content due to safety filters. [#13270](#13270)
- **Claude token limits fixed** — Corrected max window tokens for Anthropic Claude models. [#13206](#13206)

### Skills & Tools

- **Auto credential injection** — Skills can now automatically request and use required credentials. [#13124](#13124)
- **Smarter tool permissions** — Built-in tools skip confirmation for safe paths like `/tmp`. [#13232](#13232)
- **Model switcher improvements** — Quick access to provider settings and visual highlight for default model. [#13220](#13220)

### Memory

- **Bulk delete memories** — You can now delete all memory entries at once. [#13161](#13161)
- **Per-agent memory control** — Memory injection now respects individual agent settings. [#13265](#13265)

### Desktop App

- **Gateway connection** — Desktop app can now connect to LobeHub Gateway for enhanced features. [#13234](#13234)
- **Connection status indicator** — See gateway connection status in the titlebar. [#13260](#13260)
- **Settings persistence** — Gateway toggle state now persists across app restarts. [#13300](#13300)

### CLI

- **API key authentication** — CLI now supports API key auth for programmatic access. [#13190](#13190)
- **Shell completion** — Tab completion for bash/zsh/fish shells. [#13164](#13164)
- **Man pages** — Built-in manual pages for CLI commands. [#13200](#13200)

### Security

- **XSS protection** — Sanitized search result image titles to prevent script injection. [#13303](#13303)
- **Workflow hardening** — Fixed potential shell injection in release automation. [#13319](#13319)
- **Dependency update** — Updated nodemailer to address security advisory. [#13326](#13326)

### Bug Fixes

- Fixed skill page not redirecting correctly after import. [#13255](#13255) [#13261](#13261)
- Fixed token counting in group chats. [#13247](#13247)
- Fixed editor not resetting when switching to empty pages. [#13229](#13229)
- Fixed manual tool toggle not working. [#13218](#13218)
- Fixed Search1API response parsing. [#13207](#13207) [#13208](#13208)
- Fixed mobile topic menus rendering issues. [#12477](#12477)
- Fixed history count calculation for accurate context. [#13051](#13051)
- Added missing Turkish translations. [#13196](#13196)

### Credits

Huge thanks to these contributors: @bakiburakogun @hardy-one @Zhouguanyang @sxjeru @hezhijie0327 @arvinxx @cy948 @CanisMinor @Innei @lijian @lobehubbot @neko @rdmclin2 @rivertwilight @tjx666
Summary

`dangerouslySetInnerHTML={{ __html: title }}` with `stripHtml()` text rendering in `SearchGrounding` and `ImageSearchRef/Render` components

Details

Google search grounding API returns `imageResults[].title` that may contain HTML (e.g. `<b>` tags for keyword highlighting). The existing code rendered these titles via `dangerouslySetInnerHTML` without sanitization, allowing arbitrary script injection.

Both files already had a `stripHtml` function used for `alt`/`title` attributes but not for the rendered content. This PR applies `stripHtml()` consistently.

Security advisory: GHSA-m5qx-g8hx-5f2p

Test plan

`<img src=x onerror="alert(1)">`

🤖 Generated with Claude Code
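The title handling discussed in this pull request, as an added example that is not the project's code: it strips tags, then decodes entities in a single pass (the regression raised in the review), and shows why the decoded string must still be rendered as text only. `stripTags`, `decodeEntities`, `titleToText` and `escapeForHtml` are hypothetical helpers, and the sample titles are constructed.

```javascript
// Added example: hypothetical helpers, not the project's stripHtml.

// Assumed subset of named entities seen in search-result titles.
const NAMED = new Map([
  ['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"], ['nbsp', '\u00a0'],
]);

// Remove anything shaped like a tag. This is display clean-up only; the
// safety property comes from rendering the result as a text node.
function stripTags(input) {
  return String(input).replace(/<[^>]*>/g, '');
}

// Decode each entity exactly once in a single pass, so "&amp;lt;" becomes
// the text "&lt;" and is never decoded a second time.
function decodeEntities(input) {
  return input.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] !== '#') return NAMED.has(body) ? NAMED.get(body) : match;
    const hex = body[1] === 'x' || body[1] === 'X';
    const code = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : match;
  });
}

// Strip first, then decode. The result is plain text that may contain "<";
// use it only as a JSX text child or textContent, never as __html.
function titleToText(rawTitle) {
  return decodeEntities(stripTags(rawTitle)).trim();
}

// Conservative model of text rendering: markup characters are escaped,
// so the browser creates no element from them.
function escapeForHtml(text) {
  return text.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Constructed sample titles (not real provider output).
const samples = [
  'AT&amp;T <b>store</b> photo',
  '<img src=x onerror="alert(1)">caption',
  '&lt;img src=x onerror=alert(1)&gt;',
];
for (const s of samples) {
  const text = titleToText(s);
  console.log(JSON.stringify(text), '->', escapeForHtml(text));
}
```

The third sample decodes to a string that looks like a tag, which is harmless as a text child but would become an element again if the decoded value were ever passed back to `dangerouslySetInnerHTML`.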