[Bug] Front-end use</html_rander> Rendering HTML has the risk of injection

[armored-glitch]

Contact Information

389443982@qq.com

MaxKB Version

1.10.3

Problem Description

代码如下 ` <title>厦门三天旅行攻略</title> <style> /* 定义全局CSS变量 */ :root { --primary-color: #ff6f61; --secondary-color: #ffdb4d; --background-color: #fff; --text-color: #333; --accent-color: #000; --border-color: rgba(0, 0, 0, 0.1); --spacing: 1rem; } body { font-family: 'Noto Sans SC', sans-serif; line-height: 1.6; color: var(--text-color); background-color: var(--background-color); margin: 0; padding: 0; display: flex; flex-direction: column; align-items: center; } .container { max-width: 400px; width: 100%; padding: var(--spacing); box-sizing: border-box; } h1, h2, h3, h4, h5, h6 { font-weight: bold; color: var(--accent-color); } .section { margin-bottom: var(--spacing); } .card { background-color: var(--background-color); padding: var(--spacing); border-radius: 8px; box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1); } .card-title { text-align: center; margin-bottom: var(--spacing); } .card-content { font-size: 0.9rem; } .icon { margin-right: 0.5rem; } .fa-solid { color: var(--primary-color); } .fa-regular { color: var(--secondary-color); } </style>

厦门三天旅行攻略

目的地：厦门

日期：2025-04-10 至 2025-04-12

旅行者：小明

天气：雷阵雨转多云

    <!-- 行程概览 -->
    <div class="card section">
        <h3 class="card-title">行程概览</h3>
        <ul class="list-disc pl-6">
            <li><span class="icon"><i class="fas fa-circle"></i></span> 第一天：鼓浪屿 + 环岛路</li>
            <li><span class="icon"><i class="fas fa-circle"></i></span> 第二天：南普陀寺 + 曾厝垵</li>
        </ul>
    </div>

    <!-- 详细时间表 -->
    <div class="card section">
        <h3 class="card-title">详细时间表</h3>
        <table class="w-full table-auto">
            <thead>
                <tr>
                    <th class="px-4 py-2">时间</th>
                    <th class="px-4 py-2">地点</th>
                    <th class="px-4 py-2">活动</th>
                    <th class="px-4 py-2">停留时间</th>
                </tr>
            </thead>
            <tbody>
                <tr>
                    <td>上午</td>
                    <td>鼓浪屿</td>
                    <td>参观历史建筑</td>
                    <td>3小时</td>
                </tr>
                <tr>
                    <td>下午</td>
                    <td>环岛路</td>
                    <td>骑行</td>
                    <td>2小时</td>
                </tr>
            </tbody>
        </table>
    </div>

    <!-- 交通信息 -->
    <div class="card section">
        <h3 class="card-title">交通信息</h3>
        <p><span class="icon"><i class="fas fa-bus"></i></span> 公交车：鼓浪屿码头至环岛路</p>
        <p><span class="icon"><i class="fas fa-train"></i></span> 地铁：南普陀寺站至曾厝垵站</p>
    </div>

    <!-- 住宿与餐饮 -->
    <div class="card section">
        <h3 class="card-title">住宿与餐饮</h3>
        <p><span class="icon"><i class="fas fa-bed"></i></span> 酒店：厦门悦华酒店</p>
        <p><span class="icon"><i class="fas fa-utensils"></i></span> 餐厅：曾厝垵海鲜大排档</p>
    </div>

    <!-- 实用信息 -->
    <div class="card section">
        <h3 class="card-title">实用信息</h3>
        <p><span class="icon"><i class="fas fa-phone"></i></span> 紧急联系：123456789</p>
        <p><span class="icon"><i class="fas fa-exclamation"></i></span> 提示：带好雨具</p>
    </div>
</body>
</html_rander>`

Steps to Reproduce

输出结果是上面的代码就可以复现

The expected correct result

No response

Related log output

Additional Information

No response

[Shenguobin0102]

这里设计的时候就是保留了比较高的自由度，允许注入是正常的，用户也可以通过限制样式生效范围避免影响整个界面的样式，跟研发确认了一下，保持原样，不做更改。

[shaohuzhang1]

Bot detected the issue body's language is not English, translate it automatically. 👯👭🏻🧑‍🤝‍🧑👫🧑🏿‍🤝‍🧑🏻👩🏾‍🤝‍👨🏿👬🏿

---

When designing here, it retains a relatively high degree of freedom. It is normal to allow injection. Users can also avoid affecting the style of the entire interface by limiting the scope of the style taking effect. They confirmed with the research and development and kept it the same without making any changes.