*/
    function scrollToBottom() {
        elements.chatMessages.scrollTop(elements.chatMessages[0].scrollHeight);
    }

    /**
     * Render Markdown text to sanitized HTML.
     * Policy is aligned with server-side MarkdownRenderer (OWASP sanitizer).
     */
    var markdownDomPurifyInitialized = false;
    var markdownSanitizeConfig = {
        ALLOWED_TAGS: ['h1','h2','h3','h4','h5','h6',

e=e.toString()))throw S("dirty is not a string, aborting")}if(!o.isSupported)return e;if(Fe||Tt(t),o.removed=[],"string"==typeof e&&(qe=!1),qe){if(e.nodeName){const t=ft(e.nodeName);if(!Ne[t]||Oe[t])throw S("root node is forbidden and cannot be sanitized in-place")}}else if(e instanceof D)n=bt("\x3c!----\x3e"),r=n.ownerDocument.importNode(e,!0),r.nodeType===J&&"BODY"===r.nodeName||"HTML"===r.nodeName?n=r:n.appendChild(r);else{if(!Be&&!Ue&&!Pe&&-1===e.indexOf("<"))return le&&We?le.createHTML(e):e...

            return text;
        }
        return text.replaceAll("<[^>]+>", "");
    }

    /**
     * Sanitizes document content by escaping delimiter-like sequences
     * to prevent boundary spoofing in LLM prompts.
     *
     * @param text the text to sanitize
     * @return the sanitized text with delimiter sequences escaped
     */
    protected String sanitizeDocumentContent(final String text) {

    @Test
    public void test_render_xss_scriptTag() {
        String malicious = "<script>alert('XSS')</script>";
        String result = markdownRenderer.render(malicious);
        // Script tags should be removed by sanitizer
        assertFalse(result.contains("<script>"));
        assertFalse(result.contains("</script>"));
    }

    @Test
    public void test_render_xss_onclickAttribute() {

            }
            sb.append(c);
        }
        return sb.toString();
    }

    /**
     * Renders markdown text to sanitized HTML.
     *
     * @param markdown the markdown text
     * @return sanitized HTML
     */
    protected String renderMarkdownToHtml(final String markdown) {
        if (markdownRenderer == null || !markdownRenderer.isInitialized()) {

er",validatorFunction:function(a,b,c){if(""!==a){var d,e,f=b.valAttr("allowing")||"",g=b.valAttr("decimal-separator")||c.decimalSeparator,h=!1,i=b.valAttr("step")||"",j=!1,k=b.attr("data-sanitize")||"",l=k.match(/(^|[\s])numberFormat([\s]|$)/i);if(l){if(!window.numeral)throw new ReferenceError("The data-sanitize value numberFormat cannot be used without the numeral library. Please see Data Validation in http://www.formvalidator.net for more information.");a.length&&(a=String(numeral().unformat(a...

			<artifactId>commonmark-ext-gfm-tables</artifactId>
			<version>0.24.0</version>
		</dependency>
		<dependency>
			<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
			<artifactId>owasp-java-html-sanitizer</artifactId>
			<version>20260101.1</version>
		</dependency>

		<!-- test -->
		<dependency>
			<groupId>org.junit.jupiter</groupId>

        assertTrue(result.toString().endsWith(".html"));
    }

    @Test
    public void test_buildFilePath_colonInFilename() {
        // Colon is valid in URI path but should be sanitized in filesystem path
        final Path result =
                indexExportJob.buildFilePath("/export", "https://example.com/path/file%3Aname.html", new HtmlIndexExportFormatter());