messageElement.find('.message-wrapper').append(actionsHtml);
    }

    /**
     * Validates and sanitizes a URL to prevent javascript: and other dangerous protocols
     */
    function sanitizeUrl(url) {
        if (!url || typeof url !== 'string') {
            return '#';
        }
        var trimmedUrl = url.trim().toLowerCase();
        // Allow http, https, and absolute path URLs

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/**
 * Renders markdown to sanitized HTML for safe display in the chat interface.
 * Uses commonmark for markdown parsing and OWASP HTML Sanitizer for XSS prevention.
 */
public class MarkdownRenderer {

    private static final Logger logger = LogManager.getLogger(MarkdownRenderer.class);

    private Parser markdownParser;

    @Test
    public void test_render_xss_scriptTag() {
        String malicious = "<script>alert('XSS')</script>";
        String result = markdownRenderer.render(malicious);
        // Script tags should be removed by sanitizer
        assertFalse(result.contains("<script>"));
        assertFalse(result.contains("</script>"));
    }

    @Test
    public void test_render_xss_onclickAttribute() {

        final LlmChatRequest request = new LlmChatRequest();

        final String sanitizedUrl = sanitizeDocumentContent(documentUrl != null ? documentUrl.replaceAll("[\\r\\n\\t]", "") : "");
        final String resolvedPrompt =
                resolveLanguageInstruction(getDocumentNotFoundSystemPrompt().replace("{{documentUrl}}", sanitizedUrl));
        if (logger.isDebugEnabled()) {

			<artifactId>commonmark-ext-gfm-tables</artifactId>
			<version>0.24.0</version>
		</dependency>
		<dependency>
			<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
			<artifactId>owasp-java-html-sanitizer</artifactId>
			<version>20260101.1</version>
		</dependency>

		<!-- test -->
		<dependency>
			<groupId>org.junit.jupiter</groupId>