
Web UI now escapes raw HTML, reducing the risk of injection through chat rendering

Fixes the issue where raw HTML inside chat messages was treated as renderable content. Applies to the security-hardening scenario "rich-text messages cause UI anomalies or potential injection".

Source: GitHub. Discovered: 2026-02-12. Author: 0xRaini.
Prerequisites
  • You operate web-ui and allow users or integrations to send rich-text snippets into chat.
  • A staging environment exists to test message rendering before production rollout.
Steps
  1. Deploy a build that includes the PR #13952 fix.
  2. Prepare regression samples: plain text, markdown, and raw HTML payloads.
  3. Open each sample in web-ui and confirm HTML tags are displayed as text, not executed/rendered.
  4. Run a quick UX pass to confirm markdown readability remains acceptable after the escaping change.
  5. Document this behavior in your internal message-format guideline.
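The regression pass in steps 2 to 4 (and the Verify check below) can be scripted against the client's renderer instead of eyeballing each sample. The block below is an added illustration, not code from web-ui or from PR #13952: `escapeHtml`, `renderMarkdownSubset`, `renderMessage` and the sample list are hypothetical names that stand in for whatever the client actually calls its escaping and markdown layers. It shows the escape-before-markdown order that keeps markdown readable while guaranteeing that the only tags in the output are the ones the renderer itself emits, and it keeps the pre-fix pass-through renderer beside it so the leak is visible.

```javascript
// Added example (not openclaw/web-ui code): escape raw HTML before any markdown
// transformation, then scan the output for tags the renderer did not produce itself.

// The five characters that can switch parsing context in HTML text or attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical minimal markdown subset. It runs AFTER escaping, so the only tags
// that can ever appear in the output are the <code> and <strong> it emits here.
function renderMarkdownSubset(escaped) {
  return escaped
    .replace(/`([^`]+)`/g, '<code>$1</code>')
    .replace(/\*\*([^*]+)\*\*/g, '<strong>$1</strong>');
}

// Hardened path: escape first, then apply markdown.
function renderMessage(raw) {
  return renderMarkdownSubset(escapeHtml(raw));
}

// Pre-fix behaviour for comparison: raw text goes straight into the HTML pipeline.
function renderMessageUnsafe(raw) {
  return renderMarkdownSubset(raw);
}

// Tags the renderer is allowed to emit; anything else means raw HTML leaked through.
const ALLOWED_TAGS = new Set(['code', 'strong']);

function findUnexpectedTags(html) {
  const unexpected = [];
  for (const m of html.matchAll(/<\/?([a-zA-Z][\w-]*)[^>]*>/g)) {
    if (!ALLOWED_TAGS.has(m[1].toLowerCase())) unexpected.push(m[0]);
  }
  return unexpected;
}

// Constructed regression samples for step 2: plain text, markdown, raw HTML payloads.
const REGRESSION_SAMPLES = [
  { name: 'plain', input: 'hello & welcome' },
  { name: 'markdown', input: 'run `npm run build` **now**' },
  { name: 'script', input: '<script>alert(1)</script>' },
  { name: 'img-onerror', input: '<img src=x onerror=alert(1)>' },
  { name: 'attr-breakout', input: '" onmouseover="alert(1)' },
  { name: 'html-inside-code', input: '`<b>not bold</b>`' },
];

// Render every sample and report which (if any) produced tags the renderer did not emit.
function runRegression(samples = REGRESSION_SAMPLES) {
  return samples.map(({ name, input }) => {
    const output = renderMessage(input);
    return { name, output, leaked: findUnexpectedTags(output) };
  });
}

function allSafe(samples = REGRESSION_SAMPLES) {
  return runRegression(samples).every((r) => r.leaked.length === 0);
}

for (const r of runRegression()) {
  console.log(`${r.name}: ${r.leaked.length === 0 ? 'OK' : 'LEAK ' + r.leaked.join(' ')}  ${r.output}`);
}
```

Run it with node. The same `findUnexpectedTags` scan applied to the real client's output (for example the `innerHTML` of a rendered message node in the staging UI) is the mechanical version of step 3: any tag name outside the renderer's own allowlist is a regression.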
Commands
openclaw gateway status
npm run build
openclaw help
Verify

Raw `<script>` or `<img onerror>` snippets are shown literally in chat, and no script-execution side effects (for example an alert dialog or an unexpected request from the page) occur.

Caveats
  • If your workflow requires trusted HTML preview, implement explicit allowlist rendering in a separate, isolated view (needs verification).
  • Do not re-enable unsafe HTML rendering in chat history components.
Source attribution

This tip is aggregated from community/public sources and preserved with attribution.
