fix: use data-content attr to avoid HTML injection in onclick
This commit is contained in:
@@ -1447,7 +1447,7 @@ function appendMessage(role, content, animate, isSearch = false, afterEl = null)
|
||||
const ms = now.getMilliseconds();
|
||||
const timeStr = months[now.getMonth()] + ' ' + String(now.getDate()).padStart(2,'0') + ', ' + now.getFullYear() + ' ' + String(now.getHours()).padStart(2,'0') + ':' + String(now.getMinutes()).padStart(2,'0') + ':' + String(now.getSeconds()).padStart(2,'0') + '.' + String(Math.floor(ms / 10)).padStart(2,'0');
|
||||
const textHtml = content ? renderMarkdown(content) : '';
|
||||
const copyIcon = role === 'user' && content ? `<span class="user-copy-btn" onclick="var el=this;event.stopPropagation();navigator.clipboard.writeText(${JSON.stringify(content)}).then(()=>{el.textContent='✓';showToast('Copied');setTimeout(()=>el.innerHTML='📋',1500)})">📋</span>` : '';
|
||||
const copyIcon = role === 'user' && content ? `<span class="user-copy-btn" data-content="${escapeHtml(content).replace(/"/g,'"')}" onclick="var el=this;event.stopPropagation();navigator.clipboard.writeText(el.getAttribute('data-content')).then(()=>{el.textContent='✓';showToast('Copied');setTimeout(()=>el.innerHTML='📋',1500)})">📋</span>` : '';
|
||||
div.innerHTML = `<div class="avatar">${role === 'user' ? 'YOU' : 'AI'}</div><div class="content"><div class="role-label">${role}${role === 'user' ? ' <span class="msg-time">' + timeStr + '</span>' : ''}</div><div class="text">${textHtml}${copyIcon}</div>${role === 'assistant' ? '<div class="msg-toolbar"></div>' : ''}</div>`;
|
||||
if (role === 'user') {
|
||||
const pair = document.createElement('div');
|
||||
|
||||
Reference in New Issue
Block a user