From a57978e739ca1dbcea01eb4a45be8e32616db3bb Mon Sep 17 00:00:00 2001
From: H-Chris233 <h-chris233@outlook.com>
Date: Mon, 4 May 2026 17:21:26 +0800
Subject: [PATCH 1/4] Harden QA markdown rendering to block WebView script
 injection

Issue #221 requires closing the QA markdown XSS surface without broad CSP or architecture changes. This switches assistant and streaming markdown to one shared safe renderer that escapes raw HTML and rejects non-http(s)/mailto/tel links.

Constraint: Keep markdown readability while preventing executable HTML in QA WebView

Rejected: Add DOMPurify dependency | avoid new dependency for minimal fix

Confidence: medium

Scope-risk: narrow

Directive: Keep streaming and final assistant rendering on the same sanitizer path

Tested: npm run build (openless-all/app)

Not-tested: Manual malicious payload interaction in packaged desktop app
---
 openless-all/app/src/lib/qaMarkdown.test.ts | 28 +++++++++++
 openless-all/app/src/lib/qaMarkdown.ts      | 51 +++++++++++++++++++++
 openless-all/app/src/pages/QaPanel.tsx      |  8 ++--
 3 files changed, 82 insertions(+), 5 deletions(-)
 create mode 100644 openless-all/app/src/lib/qaMarkdown.test.ts
 create mode 100644 openless-all/app/src/lib/qaMarkdown.ts

diff --git a/openless-all/app/src/lib/qaMarkdown.test.ts b/openless-all/app/src/lib/qaMarkdown.test.ts
new file mode 100644
index 00000000..45628623
--- /dev/null
+++ b/openless-all/app/src/lib/qaMarkdown.test.ts
@@ -0,0 +1,28 @@
+import { renderQaMarkdown } from './qaMarkdown';
+
+function assertIncludes(text: string, expected: string, name: string) {
+  if (!text.includes(expected)) {
+    throw new Error(`${name}: expected to include "${expected}", got "${text}"`);
+  }
+}
+
+function assertNotIncludes(text: string, expected: string, name: string) {
+  if (text.includes(expected)) {
+    throw new Error(`${name}: expected not to include "${expected}", got "${text}"`);
+  }
+}
+
+const htmlEscaped = renderQaMarkdown('<img src=x onerror=alert(1)><script>alert(1)</script>');
+assertIncludes(htmlEscaped, '&lt;img src=x onerror=alert(1)&gt;', 'raw html should be escaped');
+assertNotIncludes(htmlEscaped, '<script>', 'script tag should not be rendered');
+assertNotIncludes(htmlEscaped, 'onerror=', 'event attribute should stay inert');
+
+const badHref = renderQaMarkdown('[xss](javascript:alert(1))');
+assertNotIncludes(badHref, 'href="javascript:alert(1)"', 'javascript href should be dropped');
+
+const goodMarkdown = renderQaMarkdown('**bold**\n\n- a\n- b\n\n`code`\n\n[ok](https://example.com)');
+assertIncludes(goodMarkdown, '<strong>bold</strong>', 'bold markdown should render');
+assertIncludes(goodMarkdown, '<li>a</li>', 'list markdown should render');
+assertIncludes(goodMarkdown, '<code>code</code>', 'code markdown should render');
+assertIncludes(goodMarkdown, 'href="https://example.com"', 'safe link should render');
+
diff --git a/openless-all/app/src/lib/qaMarkdown.ts b/openless-all/app/src/lib/qaMarkdown.ts
new file mode 100644
index 00000000..a922ba0d
--- /dev/null
+++ b/openless-all/app/src/lib/qaMarkdown.ts
@@ -0,0 +1,51 @@
+import { marked } from 'marked';
+
+const SAFE_LINK_PROTOCOLS = new Set(['http:', 'https:', 'mailto:', 'tel:']);
+
+function escapeHtml(raw: string): string {
+  return raw
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#39;');
+}
+
+function normalizeHref(href: string | null | undefined): string | null {
+  if (!href) return null;
+  const trimmed = href.trim();
+  if (!trimmed) return null;
+  if (trimmed.startsWith('#')) return trimmed;
+  try {
+    const url = new URL(trimmed, 'https://openless.local/');
+    if (!SAFE_LINK_PROTOCOLS.has(url.protocol)) return null;
+    return trimmed;
+  } catch {
+    return null;
+  }
+}
+
+const QA_MARKDOWN_RENDERER = new marked.Renderer();
+QA_MARKDOWN_RENDERER.link = (href: string | null, title: string | null, text: string) => {
+  const safeHref = normalizeHref(href);
+  if (!safeHref) return `<span>${text}</span>`;
+  const titleAttr = title ? ` title="${escapeHtml(title)}"` : '';
+  return `<a href="${escapeHtml(safeHref)}"${titleAttr} target="_blank" rel="noreferrer noopener">${text}</a>`;
+};
+QA_MARKDOWN_RENDERER.image = (href: string | null, title: string | null, text: string) => {
+  const safeHref = normalizeHref(href);
+  if (!safeHref) return '';
+  const titleAttr = title ? ` title="${escapeHtml(title)}"` : '';
+  const alt = escapeHtml(text || '');
+  return `<img src="${escapeHtml(safeHref)}" alt="${alt}"${titleAttr} loading="lazy" />`;
+};
+
+export function renderQaMarkdown(markdown: string): string {
+  // 禁用 markdown 中 raw HTML：统一转义后再走 marked，仅保留安全 markdown 子集。
+  const escaped = escapeHtml(markdown);
+  return marked.parse(escaped, {
+    async: false,
+    gfm: true,
+    renderer: QA_MARKDOWN_RENDERER,
+  }) as string;
+}
diff --git a/openless-all/app/src/pages/QaPanel.tsx b/openless-all/app/src/pages/QaPanel.tsx
index 5703ac82..61750a0b 100644
--- a/openless-all/app/src/pages/QaPanel.tsx
+++ b/openless-all/app/src/pages/QaPanel.tsx
@@ -12,15 +12,13 @@
 
 import { useEffect, useMemo, useRef, useState, type CSSProperties } from 'react';
 import { useTranslation } from 'react-i18next';
-import { marked } from 'marked';
 import { getSettings, isTauri, qaWindowDismiss, qaWindowPin } from '../lib/ipc';
 import type { QaChatMessage, QaStatePayload, UserPreferences } from '../lib/types';
 import { getHotkeyTriggerLabel } from '../lib/hotkey';
+import { renderQaMarkdown } from '../lib/qaMarkdown';
 
 const SELECTION_PREVIEW_MAX = 60;
 
-marked.setOptions({ gfm: true, breaks: true });
-
 type Status = 'idle' | 'recording' | 'thinking' | 'error';
 
 export function QaPanel() {
@@ -405,7 +403,7 @@ function MessageRow({ message }: { message: QaChatMessage }) {
   const html = useMemo(() => {
     if (message.role !== 'assistant') return '';
     try {
-      return marked.parse(message.content, { async: false }) as string;
+      return renderQaMarkdown(message.content);
     } catch (error) {
       console.error('[qa] failed to render markdown', error);
       return message.content;
@@ -445,7 +443,7 @@ function MessageRow({ message }: { message: QaChatMessage }) {
 function StreamingAssistantBubble({ markdown }: { markdown: string }) {
   const html = useMemo(() => {
     try {
-      return marked.parse(markdown, { async: false }) as string;
+      return renderQaMarkdown(markdown);
     } catch (error) {
       console.error('[qa] failed to render streaming markdown', error);
       return markdown;

From 7edd0cde9ea4947b9888472a13d5183bc6b7d183 Mon Sep 17 00:00:00 2001
From: H-Chris233 <h-chris233@outlook.com>
Date: Mon, 4 May 2026 17:33:52 +0800
Subject: [PATCH 2/4] Close reviewer-found QA markdown sanitizer gaps

Two parallel reviews flagged a high-risk fallback path and a link-encoding regression in the new QA sanitizer. This patch keeps the minimal #221 approach while ensuring failure fallback stays inert and safe links preserve query strings correctly.

Constraint: Preserve minimal change scope for issue #221

Rejected: Expand into CSP/capability hardening in same patch | out of issue scope and higher blast radius

Confidence: high

Scope-risk: narrow

Directive: Never return raw model output into dangerouslySetInnerHTML fallback paths

Tested: npm run build (openless-all/app)

Not-tested: Manual desktop exploit reproduction on Windows/macOS
---
 openless-all/app/src/lib/qaMarkdown.test.ts |  4 +++-
 openless-all/app/src/lib/qaMarkdown.ts      | 17 +++++++++++++++--
 openless-all/app/src/pages/QaPanel.tsx      |  6 +++---
 3 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/openless-all/app/src/lib/qaMarkdown.test.ts b/openless-all/app/src/lib/qaMarkdown.test.ts
index 45628623..7207a533 100644
--- a/openless-all/app/src/lib/qaMarkdown.test.ts
+++ b/openless-all/app/src/lib/qaMarkdown.test.ts
@@ -15,7 +15,7 @@ function assertNotIncludes(text: string, expected: string, name: string) {
 const htmlEscaped = renderQaMarkdown('<img src=x onerror=alert(1)><script>alert(1)</script>');
 assertIncludes(htmlEscaped, '&lt;img src=x onerror=alert(1)&gt;', 'raw html should be escaped');
 assertNotIncludes(htmlEscaped, '<script>', 'script tag should not be rendered');
-assertNotIncludes(htmlEscaped, 'onerror=', 'event attribute should stay inert');
+assertNotIncludes(htmlEscaped, '<img src=x onerror=alert(1)>', 'raw html img should not become live dom tag');
 
 const badHref = renderQaMarkdown('[xss](javascript:alert(1))');
 assertNotIncludes(badHref, 'href="javascript:alert(1)"', 'javascript href should be dropped');
@@ -26,3 +26,5 @@ assertIncludes(goodMarkdown, '<li>a</li>', 'list markdown should render');
 assertIncludes(goodMarkdown, '<code>code</code>', 'code markdown should render');
 assertIncludes(goodMarkdown, 'href="https://example.com"', 'safe link should render');
 
+const safeQueryLink = renderQaMarkdown('[ok](https://example.com?a=1&b=2)');
+assertIncludes(safeQueryLink, 'href="https://example.com?a=1&amp;b=2"', 'safe query link should keep a single escaped ampersand');
diff --git a/openless-all/app/src/lib/qaMarkdown.ts b/openless-all/app/src/lib/qaMarkdown.ts
index a922ba0d..4fb9a86e 100644
--- a/openless-all/app/src/lib/qaMarkdown.ts
+++ b/openless-all/app/src/lib/qaMarkdown.ts
@@ -11,6 +11,15 @@ function escapeHtml(raw: string): string {
     .replace(/'/g, '&#39;');
 }
 
+function decodeHtmlEntities(raw: string): string {
+  return raw
+    .replace(/&amp;/g, '&')
+    .replace(/&quot;/g, '"')
+    .replace(/&#39;/g, "'")
+    .replace(/&lt;/g, '<')
+    .replace(/&gt;/g, '>');
+}
+
 function normalizeHref(href: string | null | undefined): string | null {
   if (!href) return null;
   const trimmed = href.trim();
@@ -27,19 +36,23 @@ function normalizeHref(href: string | null | undefined): string | null {
 
 const QA_MARKDOWN_RENDERER = new marked.Renderer();
 QA_MARKDOWN_RENDERER.link = (href: string | null, title: string | null, text: string) => {
-  const safeHref = normalizeHref(href);
+  const safeHref = normalizeHref(decodeHtmlEntities(href ?? ''));
   if (!safeHref) return `<span>${text}</span>`;
   const titleAttr = title ? ` title="${escapeHtml(title)}"` : '';
   return `<a href="${escapeHtml(safeHref)}"${titleAttr} target="_blank" rel="noreferrer noopener">${text}</a>`;
 };
 QA_MARKDOWN_RENDERER.image = (href: string | null, title: string | null, text: string) => {
-  const safeHref = normalizeHref(href);
+  const safeHref = normalizeHref(decodeHtmlEntities(href ?? ''));
   if (!safeHref) return '';
   const titleAttr = title ? ` title="${escapeHtml(title)}"` : '';
   const alt = escapeHtml(text || '');
   return `<img src="${escapeHtml(safeHref)}" alt="${alt}"${titleAttr} loading="lazy" />`;
 };
 
+export function renderQaPlainText(raw: string): string {
+  return `<pre>${escapeHtml(raw)}</pre>`;
+}
+
 export function renderQaMarkdown(markdown: string): string {
   // 禁用 markdown 中 raw HTML：统一转义后再走 marked，仅保留安全 markdown 子集。
   const escaped = escapeHtml(markdown);
diff --git a/openless-all/app/src/pages/QaPanel.tsx b/openless-all/app/src/pages/QaPanel.tsx
index 61750a0b..959b6e87 100644
--- a/openless-all/app/src/pages/QaPanel.tsx
+++ b/openless-all/app/src/pages/QaPanel.tsx
@@ -15,7 +15,7 @@ import { useTranslation } from 'react-i18next';
 import { getSettings, isTauri, qaWindowDismiss, qaWindowPin } from '../lib/ipc';
 import type { QaChatMessage, QaStatePayload, UserPreferences } from '../lib/types';
 import { getHotkeyTriggerLabel } from '../lib/hotkey';
-import { renderQaMarkdown } from '../lib/qaMarkdown';
+import { renderQaMarkdown, renderQaPlainText } from '../lib/qaMarkdown';
 
 const SELECTION_PREVIEW_MAX = 60;
 
@@ -406,7 +406,7 @@ function MessageRow({ message }: { message: QaChatMessage }) {
       return renderQaMarkdown(message.content);
     } catch (error) {
       console.error('[qa] failed to render markdown', error);
-      return message.content;
+      return renderQaPlainText(String(message.content ?? ''));
     }
   }, [message.content, message.role]);
 
@@ -446,7 +446,7 @@ function StreamingAssistantBubble({ markdown }: { markdown: string }) {
       return renderQaMarkdown(markdown);
     } catch (error) {
       console.error('[qa] failed to render streaming markdown', error);
-      return markdown;
+      return renderQaPlainText(String(markdown ?? ''));
     }
   }, [markdown]);
   return (

From d397f92cd7f4fddcc17e9d67c1bc922bfc9a2d72 Mon Sep 17 00:00:00 2001
From: H-Chris233 <h-chris233@outlook.com>
Date: Mon, 4 May 2026 17:47:59 +0800
Subject: [PATCH 3/4] Restore QA single-newline rendering behavior

Code review flagged a UX regression after sanitizer refactor: assistant single newlines stopped rendering as hard breaks. Re-enable marked breaks mode in the shared QA renderer to preserve previous panel readability for streamed and lightly formatted answers.

Constraint: Keep sanitizer fix while matching prior QA markdown display behavior

Rejected: Add newline post-processing in QaPanel | duplicates renderer concern and increases drift risk

Confidence: high

Scope-risk: narrow

Directive: QA markdown display flags must be centralized in qaMarkdown.ts to keep streaming/final parity

Tested: npm run build (openless-all/app)

Not-tested: Manual visual QA panel check on desktop runtime
---
 openless-all/app/src/lib/qaMarkdown.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/openless-all/app/src/lib/qaMarkdown.ts b/openless-all/app/src/lib/qaMarkdown.ts
index 4fb9a86e..a29a2f13 100644
--- a/openless-all/app/src/lib/qaMarkdown.ts
+++ b/openless-all/app/src/lib/qaMarkdown.ts
@@ -59,6 +59,7 @@ export function renderQaMarkdown(markdown: string): string {
   return marked.parse(escaped, {
     async: false,
     gfm: true,
+    breaks: true,
     renderer: QA_MARKDOWN_RENDERER,
   }) as string;
 }

From 806fa26693bcf523309836627346378ceb9e9a8b Mon Sep 17 00:00:00 2001
From: H-Chris233 <h-chris233@outlook.com>
Date: Mon, 4 May 2026 18:06:51 +0800
Subject: [PATCH 4/4] Keep QA code snippets readable while preserving markdown
 XSS guard

Review feedback found that pre-escaping the entire markdown payload caused double-encoding in inline/fenced code, making HTML/JSON/XML examples unreadable. Switch to raw markdown parsing with renderer-level HTML token escaping so code formatting stays readable while raw HTML remains inert.

Constraint: Maintain issue #221 security boundary without broad sanitizer rewrite

Rejected: Keep full-string pre-escape | breaks code snippet readability

Confidence: high

Scope-risk: narrow

Directive: Escape only raw HTML tokens, not the whole markdown source

Tested: npm run build (openless-all/app)

Not-tested: Manual QA panel rendering across all markdown edge cases
---
 openless-all/app/src/lib/qaMarkdown.test.ts | 4 ++++
 openless-all/app/src/lib/qaMarkdown.ts      | 6 +++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/openless-all/app/src/lib/qaMarkdown.test.ts b/openless-all/app/src/lib/qaMarkdown.test.ts
index 7207a533..77638c09 100644
--- a/openless-all/app/src/lib/qaMarkdown.test.ts
+++ b/openless-all/app/src/lib/qaMarkdown.test.ts
@@ -28,3 +28,7 @@ assertIncludes(goodMarkdown, 'href="https://example.com"', 'safe link should ren
 
 const safeQueryLink = renderQaMarkdown('[ok](https://example.com?a=1&b=2)');
 assertIncludes(safeQueryLink, 'href="https://example.com?a=1&amp;b=2"', 'safe query link should keep a single escaped ampersand');
+
+const codeSnippet = renderQaMarkdown('`<div class=\"x\">`');
+assertIncludes(codeSnippet, '&lt;div class=&quot;x&quot;&gt;', 'inline code should stay single-escaped');
+assertNotIncludes(codeSnippet, '&amp;lt;', 'inline code should not be double-escaped');
diff --git a/openless-all/app/src/lib/qaMarkdown.ts b/openless-all/app/src/lib/qaMarkdown.ts
index a29a2f13..0f9d7c06 100644
--- a/openless-all/app/src/lib/qaMarkdown.ts
+++ b/openless-all/app/src/lib/qaMarkdown.ts
@@ -35,6 +35,7 @@ function normalizeHref(href: string | null | undefined): string | null {
 }
 
 const QA_MARKDOWN_RENDERER = new marked.Renderer();
+QA_MARKDOWN_RENDERER.html = (html: string) => escapeHtml(html);
 QA_MARKDOWN_RENDERER.link = (href: string | null, title: string | null, text: string) => {
   const safeHref = normalizeHref(decodeHtmlEntities(href ?? ''));
   if (!safeHref) return `<span>${text}</span>`;
@@ -54,9 +55,8 @@ export function renderQaPlainText(raw: string): string {
 }
 
 export function renderQaMarkdown(markdown: string): string {
-  // 禁用 markdown 中 raw HTML：统一转义后再走 marked，仅保留安全 markdown 子集。
-  const escaped = escapeHtml(markdown);
-  return marked.parse(escaped, {
+  // 保留 markdown 语义（尤其代码块），但把 raw HTML token 转义为纯文本，避免注入。
+  return marked.parse(markdown, {
     async: false,
     gfm: true,
     breaks: true,