Web UI renders raw <<<EXTERNAL_UNTRUSTED_CONTENT>>> markup in chat

[dburkes]

Bug

The web UI (Control UI chat interface) renders the raw security wrapper markup that OpenClaw injects around untrusted content, rather than stripping/hiding it.

Steps to Reproduce

1. Open the Control UI web dashboard
2. Navigate to a Discord channel that has a channel topic set
3. Start a chat session
4. Observe the raw markup visible in the chat interface

Expected Behavior

The <<<EXTERNAL_UNTRUSTED_CONTENT id="...">>> / <<<END_EXTERNAL_UNTRUSTED_CONTENT>>> tags should be stripped before rendering in the UI. They are an internal security mechanism and should never be user-visible.

Actual Behavior

The full markup block is rendered as bold text in the chat, e.g.:

<<<EXTERNAL_UNTRUSTED_CONTENT id="1909cdd23df75dd2">>>
Source: Channel metadata

UNTRUSTED channel metadata (discord)
Discord channel topic: ...
<<<END_EXTERNAL_UNTRUSTED_CONTENT id="1909cdd23df75dd2">>>

Additional Context

• Occurs consistently, every time
• Version: 2026.2.21-2
• Channel: Discord
• The content itself is harmless - it is the channel topic injected as context

[nikolasdehor]

Beyond the UX issue, this has a security angle worth flagging.

The <<<EXTERNAL_UNTRUSTED_CONTENT>>> tags are a trust boundary mechanism — they tell the model which content is externally sourced and should not be treated as instructions. If these tags are rendered as visible plaintext in the UI, two things are true:

1. The sanitization layer is incomplete. If the rendering path doesn't strip these tags, it's reasonable to ask what else it doesn't strip. Any path that passes through raw markup without sanitization is a potential XSS injection point, especially if the content between the tags comes from user-controlled sources (Discord channel topics, WhatsApp messages, etc.).

2. The tags themselves become an attack surface. If a malicious external user crafts a message containing <<<END_EXTERNAL_UNTRUSTED_CONTENT>>> followed by instructions, and those tags are passed through without escaping, it could close the untrusted boundary early and inject content that the model treats as trusted/system-level. This is a prompt injection vector — the attacker can "escape" the untrusted sandbox by spoofing the closing tag.

The fix should strip these tags at the UI rendering layer, but the more important fix is ensuring the tag format is not predictable/spoofable at the injection layer. If the id in the tag is a random nonce generated per-message and validated on parse, spoofing becomes much harder. If it's deterministic or omitted, any external contact can craft a boundary escape.

Worth treating this as a security issue rather than just a cosmetic bug.

[vignesh07]

Implemented in a10ec2607.

Root cause: non-streaming final chat.send / chat.inject payloads were only stripping inline directive tags, but did not apply the same envelope/untrusted-context sanitization used by chat.history. That allowed <<<EXTERNAL_UNTRUSTED_CONTENT ...>>> wrapper markup to leak into Control UI renders.

Fix:

• apply stripEnvelopeFromMessage(...) before final payload broadcast in both chat.send and chat.inject
• keep inline directive stripping as a second pass

Regression coverage:

• added tests ensuring external untrusted wrapper metadata is removed from final payload text for both chat.inject and non-streaming chat.send

Thanks for reporting this, @mittelaltergouda.