messageElement.find('.message-wrapper').append(actionsHtml);
    }

    /**
     * Validates and sanitizes a URL to prevent javascript: and other dangerous protocols
     */
    function sanitizeUrl(url) {
        if (!url || typeof url !== 'string') {
            return '#';
        }
        var trimmedUrl = url.trim().toLowerCase();
        // Allow http, https, and absolute path URLs

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/**
 * Renders markdown to sanitized HTML for safe display in the chat interface.
 * Uses commonmark for markdown parsing and OWASP HTML Sanitizer for XSS prevention.
 */
public class MarkdownRenderer {

    private static final Logger logger = LogManager.getLogger(MarkdownRenderer.class);

    private Parser markdownParser;

    @Test
    public void test_render_xss_scriptTag() {
        String malicious = "<script>alert('XSS')</script>";
        String result = markdownRenderer.render(malicious);
        // Script tags should be removed by sanitizer
        assertFalse(result.contains("<script>"));
        assertFalse(result.contains("</script>"));
    }

    @Test
    public void test_render_xss_onclickAttribute() {

        final LlmChatRequest request = new LlmChatRequest();

        final String sanitizedUrl = sanitizeDocumentContent(documentUrl != null ? documentUrl.replaceAll("[\\r\\n\\t]", "") : "");
        final String resolvedPrompt =
                resolveLanguageInstruction(getDocumentNotFoundSystemPrompt().replace("{{documentUrl}}", sanitizedUrl));
        if (logger.isDebugEnabled()) {

			<artifactId>commonmark-ext-gfm-tables</artifactId>
			<version>0.24.0</version>
		</dependency>
		<dependency>
			<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
			<artifactId>owasp-java-html-sanitizer</artifactId>
			<version>20260101.1</version>
		</dependency>

		<!-- test -->
		<dependency>
			<groupId>org.junit.jupiter</groupId>

./js/src/carousel.js","../../js/src/collapse.js","../../js/src/dropdown.js","../../js/src/util/backdrop.js","../../js/src/util/focustrap.js","../../js/src/util/scrollbar.js","../../js/src/modal.js","../../js/src/offcanvas.js","../../js/src/util/sanitizer.js","../../js/src/util/template-factory.js","../../js/src/tooltip.js","../../js/src/popover.js","../../js/src/scrollspy.js","../../js/src/tab.js","../../js/src/toast.js","../../js/index.umd.js"],"sourcesContent":["/**\n * -----------------------...

e","Toast","_clearTimeout","_close"],"sources":["../../js/src/util.js","../../js/src/alert.js","../../js/src/button.js","../../js/src/carousel.js","../../js/src/collapse.js","../../js/src/dropdown.js","../../js/src/modal.js","../../js/src/tools/sanitizer.js","../../js/src/tooltip.js","../../js/src/popover.js","../../js/src/scrollspy.js","../../js/src/tab.js","../../js/src/toast.js"],"sourcesContent":["/**\n * --------------------------------------------------------------------------\n * Bootstrap...