XSS when sending chat messages

## Summary
Chat messages currently render markdown links without protocol sanitization, allowing `javascript:` URLs to become clickable in the UI.

## Affected Area
`frontend/src/components/Dashboard/ChatArea.js` (`marked(...)` output passed to `dangerouslySetInnerHTML`)

## Reproduction
1. Send a message containing:
   `[go](javascript:window.location='https://example.com')`
2. View the message in chat.
3. The rendered `go` text is clickable and uses a `javascript:` URL.

## Expected
Unsafe URL schemes should never be rendered as clickable links.

## Actual
Unsafe schemes are rendered as anchor `href` values.

## Impact
Potential client-side script execution / malicious redirects through user-generated message content.

## Proposed Fix
- Add a custom `marked.Renderer` for links.
- Allow only `http:`, `https:`, `mailto:`, `tel:`.
- Render unsafe links as plain text.
- Strip raw HTML tokens from markdown output before injecting HTML.

## Patch
See attached file

[ChatArea.js](https://github.com/user-attachments/files/25614653/ChatArea.js)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

XSS when sending chat messages #3

Summary

Affected Area

Reproduction

Expected

Actual

Impact

Proposed Fix

Patch

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

XSS when sending chat messages #3

Description

Summary

Affected Area

Reproduction

Expected

Actual

Impact

Proposed Fix

Patch

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions