From d17142c46afc64a94c0337ff8eb8c46d49f39d78 Mon Sep 17 00:00:00 2001
From: 1AhmedYasser <26207361+1AhmedYasser@users.noreply.github.com>
Date: Mon, 19 Jan 2026 16:55:45 +0200
Subject: [PATCH] fix(1735): Sanitized Markdowify

---
 GUI/package.json | 12 +++++++-----
 GUI/src/components/ChatEvent/Markdownify.tsx | 7 +++++--
 2 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/GUI/package.json b/GUI/package.json
index 06b65f67..77d2184e 100644
--- a/GUI/package.json
+++ b/GUI/package.json
@@ -4,10 +4,10 @@
 "private": true,
 "type": "module",
 "dependencies": {
- "@buerokratt-ria/menu": "^0.2.10",
+ "@buerokratt-ria/common-gui-components": "^0.0.37",
 "@buerokratt-ria/header": "^0.1.47",
+ "@buerokratt-ria/menu": "^0.2.10",
 "@buerokratt-ria/styles": "^0.0.1",
- "@buerokratt-ria/common-gui-components": "^0.0.36",
 "@fontsource/roboto": "^4.5.8",
 "@formkit/auto-animate": "^1.0.0-beta.6",
 "@hookform/resolvers": "^2.9.11",
@@ -48,15 +48,16 @@
 "recharts": "^2.10.4",
 "redux-persist": "^6.0.0",
 "redux-thunk": "^2.4.2",
+ "rich-textarea": "^0.26.4",
 "rxjs": "^7.8.0",
+ "sanitize-html": "^2.17.0",
 "sass": "^1.57.1",
 "sass-loader": "^13.2.0",
 "typescript": "^4.9.4",
- "yup": "^1.0.0",
- "zustand": "^4.4.0",
 "use-debounce": "^10.0.1",
 "usehooks-ts": "^2.9.1",
- "rich-textarea": "^0.26.4"
+ "yup": "^1.0.0",
+ "zustand": "^4.4.0"
 },
 "scripts": {
 "start": "vite --port 3001",
@@ -79,6 +80,7 @@
 "@types/file-saver": "^2.0.5",
 "@types/howler": "^2.2.11",
 "@types/react-datepicker": "^4.8.0",
+ "@types/sanitize-html": "^2.16.0",
 "@types/wicg-file-system-access": "^2023.10.5",
 "@vitejs/plugin-react": "^3.0.0",
 "prettier": "^3.3.3",
diff --git a/GUI/src/components/ChatEvent/Markdownify.tsx b/GUI/src/components/ChatEvent/Markdownify.tsx
index d5d5932e..5b1553f4 100644
--- a/GUI/src/components/ChatEvent/Markdownify.tsx
+++ b/GUI/src/components/ChatEvent/Markdownify.tsx
@@ -1,5 +1,6 @@
 import React, { useState } from 'react';
 import Markdown from 'markdown-to-jsx';
+import sanitizeHtml from 'sanitize-html';
 
 interface MarkdownifyProps {
 message: string | undefined;
@@ -51,9 +52,11 @@ const LinkPreview: React.FC<{
 const hasSpecialFormat = (m: string) => m.includes('\n\n') && m.indexOf('.') > 0 && m.indexOf(':') > m.indexOf('.');
 
 function formatMessage(message?: string): string {
- if (!message) return '';
+ const sanitizedMessage = sanitizeHtml(message ?? '');
 
- const filteredMessage = message
+ if (!sanitizedMessage) return '';
+
+ const filteredMessage = sanitizedMessage
 .replaceAll(/\\?\$b\w*/g, '')
 .replaceAll(/\\?\$v\w*/g, '')
 .replaceAll(/\\?\$g\w*/g, '');
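Review bot: `sanitizeHtml(message ?? '')` in formatMessage runs with the library's default options, which keep a fairly broad allow-list of tags and attributes (for example `a` with `href` and `target`) rather than stating what this chat component is meant to accept, and because the result is then fed to the markdown renderer, any markup the markdown step itself produces from link or image syntax is outside this sanitizer's reach. If raw HTML in messages is not a feature, make that explicit with `const sanitizedMessage = sanitizeHtml(message ?? '', { allowedTags: [], allowedAttributes: {} });` and add a comment above it such as `// Strip inline HTML before markdown rendering; markup generated from markdown syntax is the Markdown component's responsibility, not this call's.` Note also that sanitize-html entity-encodes text characters such as `&` and `<`, so plain messages containing them may now display differently unless the markdown layer decodes entities — worth a quick check with a message like `a < b & c`. The body of formatMessage continues past the end of the hunk.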