fix(ui): keep local file markdown links inert · openclaw/openclaw@fc2d2d5 - 惯性聚合

推荐订阅源

Help Net Security

Future of Privacy Forum

The GitHub Blog

博客园 - 叶小钗

阮一峰的网络日志

Kaspersky official blog

Google Developers Blog

freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More

Privacy International News Feed

Cyber Attacks, Cyber Crime and Cyber Security

News | PayPal Newsroom

Schneier on Security

Microsoft Azure Blog

The Hacker News

Stack Overflow Blog

Security Latest

Microsoft Research Blog - Microsoft Research

Google Online Security Blog

博客园_首页

CXSECURITY Database RSS Feed - CXSecurity.com

Google DeepMind News

Y Combinator Blog

The Cloudflare Blog

Microsoft Security Blog

Cisco Talos Blog

钛媒体：引领未来商业与生活新知

Troy Hunt's Blog

Fox-IT International blog

Security @ Cisco Blogs

博客园 - 司徒正美

cs.CV updates on arXiv.org

Comments on: Blog

Threat Intelligence Blog | Flashpoint

LINUX DO - 最新话题

Tailwind CSS Blog

Recent Commits to openclaw:main

refactor: reuse realtime output activity in google meet (#86665) fix(test): harden bundled plugin install sweep · openclaw/openclaw@84929e4 fix: prefer source public artifacts in source checkouts · openclaw/openclaw@c87957d test: type child process spawn mock · openclaw/openclaw@65a2105 test(installer): cover rocky cli installs · openclaw/openclaw@fe33747 docs: update changelog for landed fixes · openclaw/openclaw@da831e2 fix: dampen repeated device-required probes fix(update): avoid duplicate plugin smoke failures · openclaw/openclaw@342bde2 fix(gateway): cap retained compaction checkpoint bytes · openclaw/openclaw@d7361ef fix: stabilize tests and reduce plugin memory churn · openclaw/openclaw@c1a026a perf: reduce runtime metadata hotpath churn · openclaw/openclaw@1d21224 refactor: share realtime output activity tracking (#86661) fix(memory-wiki): bound compile page reads (#86660) · openclaw/openclaw@acbdb8c test(qa-matrix): use larger media coverage jpeg fix(cli): reject unknown command help roots (#81083) (thanks @YB0y) · openclaw/openclaw@bec7d56 test: improve test profiling helpers · openclaw/openclaw@68ab48b perf: reduce fuzzy matching allocations · openclaw/openclaw@ec7ad3b perf: reduce runtime cache churn · openclaw/openclaw@1531fe2 refactor: reuse forced consult coordinator in discord voice (#86656) · openclaw/openclaw@0164fd5 fix(scripts): drain codex-cli metadata stdout (#84239) (thanks @Iftek… fix(test): avoid discord voice tts activation tax · openclaw/openclaw@75ac0b5 fix(codex): disable native thread personality (#85891) (thanks @lastg… · openclaw/openclaw@0f35ec2 Refactor realtime voice turn context tracking (#86650) fix(discord): surface silent reply-delivery skips and remove runtime.… · openclaw/openclaw@3a48366 test(discord): cover deliver-lambda abort-skip path via processDiscor… · openclaw/openclaw@48adcb1 docs: update changelog for landed bug fixes · openclaw/openclaw@75c6cf2 test(qa-matrix): use valid media coverage jpeg · openclaw/openclaw@0f54221 fix(gmail-watcher): strip listeners from old process after settleProc… · openclaw/openclaw@0a38932 fix(gmail-watcher): prevent TDZ in settleProcess and guard exit handl… · openclaw/openclaw@94968c8 fix(hooks): stop existing Gmail watcher before re-entry to prevent leaks fix(codex): honor yolo app-server approval policy · openclaw/openclaw@7b30291 fix(usage-cost): invalidate durable cache on missing-cost semantics c… · openclaw/openclaw@9c79a0f fix(usage-cost): preserve transport-recorded positive cost for unpric… · openclaw/openclaw@6e85869 fix(usage-cost): only flag catalog-default zeros, preserve operator-c… · openclaw/openclaw@1670249 fix: treat zero-rate usage cost as unknown · openclaw/openclaw@116c600 fix(usage-cost): surface unpriced-model spend as missingCostEntries i… · openclaw/openclaw@1cc0a96 fix(irc): normalize channel route ids · openclaw/openclaw@9cb1e47 test(irc): cover transient channel join · openclaw/openclaw@c4c80ce fix(irc): store inbound channel routes as channel:#name and join befo… · openclaw/openclaw@63dee51 fix(test): harden macos onboarding e2e · openclaw/openclaw@cd96542 fix(agents): strip markdown code spans from IDENTITY.md values and la… · openclaw/openclaw@55c9a6b perf: reduce runtime cache churn · openclaw/openclaw@5b6d03e fix(pi-runner): flush blocks after compaction retry (#85288) (thanks … · openclaw/openclaw@0d4575a fix(gateway): abort stale agent runs on restart · openclaw/openclaw@a122d80 fix(ui): harden control e2e browser setup · openclaw/openclaw@4424daf fix(telegram): keep overlapping DM replies deliverable (#85361) (than… · openclaw/openclaw@0f67dfd fix(openai): route compaction through Codex auth provider (#86408) · openclaw/openclaw@f4cfa01 refactor: share realtime forced consult coordination · openclaw/openclaw@5dccba7 test(qa-lab): add runtime confidence reports build: refresh dependency pins (#86628) · openclaw/openclaw@cda7c30 test: port release validation stabilizers · openclaw/openclaw@9f7485e fix(cron): stop forcing message tool for delivery · openclaw/openclaw@c51fa0d fix(google): omit request config with cached content test: stabilize release validation test harnesses fix(test): bound kitchen sink command output · openclaw/openclaw@f1197ed fix(discord): stabilize realtime wake-name feedback test(config): guard legacy agentRuntime regression perf: precompute audio resample kernels fix(codex): allow env api-key app-server bootstrap · openclaw/openclaw@009b18c refactor: reuse shared coercion helpers (#86419) · openclaw/openclaw@77d9ac3 fix(cron): preserve runtime snapshot for isolated delivery · openclaw/openclaw@a98660e fix(test): model active assistant failover attempts · openclaw/openclaw@c55bee5 docs: update changelog for bug sweep landings test: fix mock signatures for tsgo · openclaw/openclaw@aa05c5c docs: document fail-closed behavior for rejected modelPatterns · openclaw/openclaw@36f269d fix(security): guard plugin modelPatterns with compileSafeRegex · openclaw/openclaw@117e082 docs(manifest): note safe-regex validation for modelPatterns · openclaw/openclaw@e7c7ee4 style: use bracket notation for __openclaw to satisfy no-underscore-d… · openclaw/openclaw@9a6c161 fix(security): escape field names in transcript regex extraction · openclaw/openclaw@fe8d99d test: tighten oversized metadata assertion to check exact id in __ope… · openclaw/openclaw@aff8e64 fix(logging): exit on stdout/stderr EPIPE instead of spinning · openclaw/openclaw@2aa5f17 fix(logging): preserve failure exit on EPIPE · openclaw/openclaw@623a60a fix(logging): keep string failure codes on EPIPE · openclaw/openclaw@78a1e7d fix(scripts): docs-spellcheck.sh fails on bash 3.2 with set -u · openclaw/openclaw@fef57f9 fix(docs): keep spellcheck bash 3.2-compatible · openclaw/openclaw@778fa87 fix(test): assert e2e agent reply payloads · openclaw/openclaw@74f3a1e test(gateway): pin live gateway models to pi runtime · openclaw/openclaw@c88f660 perf: speed up local TUI startup · openclaw/openclaw@a0023fb refactor: share realtime voice activation helpers (#86615) · openclaw/openclaw@d0ab0d9 fix(feishu): render native presentation buttons (#86588) · openclaw/openclaw@170e0aa fix(test): narrow plugin gauntlet prebuild · openclaw/openclaw@423f7d2 fix: route Discord gateway metadata through proxy (#86601) · openclaw/openclaw@5b6d409 fix: tighten Discord voice wake matching (#86595) · openclaw/openclaw@f00a912 refactor(logging): share diagnostic message lifecycle · openclaw/openclaw@baab4cf fix(cron): restore suspended lanes to default concurrency · openclaw/openclaw@e844d1d fix(auth): emit one-shot doctor-pointer warning for Keychain-only leg… · openclaw/openclaw@a61d530 fix(codex): recover stale preflight bindings (#86602) · openclaw/openclaw@9b9d897 fix(cron): preserve unsupported payload rows on writes · openclaw/openclaw@c916906 fix(cron): canonicalize preserved row ids · openclaw/openclaw@985bc93 test(cron): pin sequential duration regression · openclaw/openclaw@8351556 docs: update changelog for cron preservation (#86415) · openclaw/openclaw@bdc6b32 build: bump qs to patched release · openclaw/openclaw@9330b76 fix(status): prefer active OAuth for runtime aliases chore(acpx): bump bundled acpx to 0.10.0 · openclaw/openclaw@407cf8e docs: make changelog release-owned · openclaw/openclaw@c0f2d89 fix(google): stop appending preview to flash lite · openclaw/openclaw@915c820 docs: update changelog for bug sweep landings · openclaw/openclaw@cd7994f fix(crabbox): detect timed macos js commands · openclaw/openclaw@44bb0be fix(mantis): release telegram user leases on startup failure · openclaw/openclaw@cf27567 fix(agents): deliver stale cron media completions · openclaw/openclaw@f01b2a8

fix(ui): keep local file markdown links inert · openclaw/openclaw@fc2d2d5

BryanTegomoh · 2026-05-26 · via Recent Commits to openclaw:main

Original file line number	Diff line number	Diff line change
`@@ -569,6 +569,20 @@ PY`
`569`	`569`	`const html = toSanitizedMarkdownHtml("[click](file:///etc/passwd)");`
`570`	`570`	`expect(html).toBe("<p><a>click</a></p>\n");`
`571`	`571`	`});`
	`572`	`+`
	`573`	`+it("strips href from host-local absolute file paths", () => {`
	`574`	`+const html = toSanitizedMarkdownHtml(`
	`575`	`+"[report.docx](/Users/test/.openclaw/data/skills/output/report.docx)",`
	`576`	`+);`
	`577`	`+expect(html).toBe("<p><a>report.docx</a></p>\n");`
	`578`	`+});`
	`579`	`+`
	`580`	`+it("keeps app-relative links navigable", () => {`
	`581`	`+const html = toSanitizedMarkdownHtml("[usage](/usage)");`
	`582`	`+expect(html).toBe(`
	`583`	`+'<p><a href="/usage" rel="noreferrer noopener" target="_blank">usage</a></p>\n',`
	`584`	`+);`
	`585`	`+});`
`572`	`586`	`});`
`573`	`587`
`574`	`588`	`describe("ReDoS protection", () => {`

Original file line number	Diff line number	Diff line change
`@@ -84,6 +84,8 @@ const MARKDOWN_PARSE_LIMIT = 40_000;`
`84`	`84`	`const MARKDOWN_CACHE_LIMIT = 200;`
`85`	`85`	`const MARKDOWN_CACHE_MAX_CHARS = 50_000;`
`86`	`86`	`const INLINE_DATA_IMAGE_RE = /^data:image\/[a-z0-9.+-]+;base64,/i;`
	`87`	`+const HOST_LOCAL_FILE_HREF_RE =`
	`88`	`+/^(?:~\/\|\/(?:Users\|home\|tmp\|private\/tmp\|var\/folders\|private\/var\/folders)\/\|\/[A-Za-z]:\/\|[A-Za-z]:[\\/])/;`
`87`	`89`	`const markdownCache = new Map<string, string>();`
`88`	`90`	`const TAIL_LINK_BLUR_CLASS = "chat-link-tail-blur";`
`89`	`91`
`@@ -135,6 +137,10 @@ function shouldRenderCodeBlockCopy(env: unknown): boolean {`
`135`	`137`	`return (env as Partial<MarkdownRenderEnv> \| undefined)?.codeBlockChrome !== "none";`
`136`	`138`	`}`
`137`	`139`
	`140`	`+function isHostLocalFileHref(href: string): boolean {`
	`141`	`+return HOST_LOCAL_FILE_HREF_RE.test(href.trim());`
	`142`	`+}`
	`143`	`+`
`138`	`144`	`function installHooks() {`
`139`	`145`	`if (hooksInstalled) {`
`140`	`146`	`return;`
`@@ -150,6 +156,11 @@ function installHooks() {`
`150`	`156`	`return;`
`151`	`157`	`}`
`152`	`158`
	`159`	`+if (isHostLocalFileHref(href)) {`
	`160`	`+node.removeAttribute("href");`
	`161`	`+return;`
	`162`	`+}`
	`163`	`+`
`153`	`164`	`// Block dangerous URL schemes (javascript:, data:, vbscript:, etc.)`
`154`	`165`	`try {`
`155`	`166`	`const url = new URL(href, window.location.href);`

此内容由惯性聚合(RSS阅读器)自动聚合整理，仅供阅读参考。原文来自 — 版权归原作者所有。