messageElement.find('.message-wrapper').append(actionsHtml);
    }

    /**
     * Validates and sanitizes a URL to prevent javascript: and other dangerous protocols
     */
    function sanitizeUrl(url) {
        if (!url || typeof url !== 'string') {
            return '#';
        }
        var trimmedUrl = url.trim().toLowerCase();
        // Allow http, https, and absolute path URLs

    @Test
    public void test_render_xss_scriptTag() {
        String malicious = "<script>alert('XSS')</script>";
        String result = markdownRenderer.render(malicious);
        // Script tags should be removed by sanitizer
        assertFalse(result.contains("<script>"));
        assertFalse(result.contains("</script>"));
    }

    @Test
    public void test_render_xss_onclickAttribute() {

   *
   * Fundamentally, there's not really anything we can do about that. In the unlikely event that it
   * comes up in practice (maybe through some kind of sanitizer-like testing that intentionally
   * inflicts spurious interrupts on us?), we might have to accept some flakiness or disable some
   * tests, at least under whichever environment (JRE or Android) we see such problems.
   */

   *
   * Fundamentally, there's not really anything we can do about that. In the unlikely event that it
   * comes up in practice (maybe through some kind of sanitizer-like testing that intentionally
   * inflicts spurious interrupts on us?), we might have to accept some flakiness or disable some
   * tests, at least under whichever environment (JRE or Android) we see such problems.
   */