From 0a1f36c8e4b2c673d0235d39b49c0b5a2f7f6139 Mon Sep 17 00:00:00 2001
From: nkoorty
Date: Sun, 11 May 2025 22:00:23 +0200
Subject: [PATCH] fix: remediated XSS

---
 crazy_functions/Conversation_To_File.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/crazy_functions/Conversation_To_File.py b/crazy_functions/Conversation_To_File.py
index b8408748..08c83ad4 100644
--- a/crazy_functions/Conversation_To_File.py
+++ b/crazy_functions/Conversation_To_File.py
@@ -1,6 +1,7 @@
 from toolbox import CatchException, update_ui, promote_file_to_downloadzone, get_log_folder, get_user
 from crazy_functions.plugin_template.plugin_class_template import GptAcademicPluginTemplate, ArgProperty
 import re
+import html
 
 f_prefix = 'GPT-Academic对话存档'
 
@@ -57,11 +58,14 @@ def write_chat_to_file(chatbot, history=None, file_name=None):
             if answer is None: answer = ""
             try: answer = str(answer)
             except: answer = ""
+            question = html.escape(question)
+            answer = html.escape(answer)
             CHAT_PREVIEW_BUF += qa_from.format(QUESTION=question, ANSWER=answer)
 
         HISTORY_PREVIEW_BUF = ""
         for h in history:
-            HISTORY_PREVIEW_BUF += history_from.format(ENTRY=h)
+            h_escaped = html.escape(str(h))
+            HISTORY_PREVIEW_BUF += history_from.format(ENTRY=h_escaped)
 
         html_content = form.format(CHAT_PREVIEW=CHAT_PREVIEW_BUF, HISTORY_PREVIEW=HISTORY_PREVIEW_BUF, CSS=advanced_css)
         f.write(html_content)
@@ -122,7 +126,7 @@ def 对话历史存档(txt, llm_kwargs, plugin_kwargs, chatbot, history, system_
     if (file_name is not None) and (file_name != "") and (not file_name.endswith('.html')): file_name += '.html'
     else: file_name = None
-    chatbot.append((None, f"[Local Message] {write_chat_to_file(chatbot, history, file_name)},您可以调用下拉菜单中的“载入对话历史存档”还原当下的对话。"))
+    chatbot.append((None, f"[Local Message] {write_chat_to_file(chatbot, history, file_name)},您可以调用下拉菜单中的“载入对话历史存档“还原当下的对话。"))
     yield from update_ui(chatbot=chatbot, history=history) # 刷新界面 # 由于请求gpt需要一段时间,我们先及时地做一次界面更新
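Review bot: Escaping `question`, `answer` and every history entry with `html.escape` before they are formatted into `qa_from`/`history_from` closes the injection into the saved archive, but it escapes indiscriminately, so any markup the chatbot entries legitimately carried (rendered markdown, code blocks) will now appear in the saved preview as literal `&lt;...&gt;` text; if rendered output is still wanted for the archive, an allowlist sanitiser rather than blanket escaping is the usual trade-off, and that decision should be recorded in a comment next to the escape calls, e.g. `# escape all user/model text: the archive is opened as HTML, so nothing may be rendered`. The round trip also needs checking: the module imports `re` and the message in the third hunk advertises a "载入对话历史存档" (load archive) action, so if that loader parses entries back out of this file it now receives entity-encoded text and must `html.unescape` it, otherwise each save/load cycle re-encodes the content — that code is outside what I can see here. The default `quote=True` is the right choice since it also covers attribute contexts, should the templates ever place these values there. Unrelated to the escaping, the third hunk swaps the closing `”` in the user-facing message for `“`, leaving the quotation marks mismatched, which looks accidental. `write_chat_to_file` begins above this hunk, where `question` is converted to `str` before it reaches the new escape.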