@xcanwin/manyoyo 5.8.10 → 5.8.11

package/lib/web/frontend/app.css

@@ -352,6 +352,20 @@ textarea:focus-visible {
     white-space: pre-wrap;
 }
 
+.link-confirm-url {
+    margin-top: 2px;
+    padding: 12px 14px;
+    border: 1px solid rgba(146, 100, 42, 0.18);
+    border-radius: 10px;
+    background: #fff8ef;
+    color: var(--text);
+    font-family: var(--font-mono);
+    font-size: 12px;
+    line-height: 1.6;
+    word-break: break-all;
+    user-select: text;
+}
+
 .config-editor {
     width: 100%;
     min-height: 340px;

package/lib/web/frontend/app.html

@@ -275,6 +275,22 @@
                 </footer>
             </section>
         </div>
+
+        <div id="externalLinkModal" class="modal-backdrop" hidden>
+            <section class="modal" role="dialog" aria-modal="true" aria-labelledby="externalLinkTitle">
+                <header class="modal-header">
+                    <h2 id="externalLinkTitle">打开外部链接</h2>
+                    <button type="button" id="externalLinkCancelBtn" class="secondary">取消</button>
+                </header>
+                <div class="modal-body">
+                    <div class="modal-tip">即将新标签页打开外部页面。请确认完整链接可信后再继续。</div>
+                    <div id="externalLinkUrl" class="link-confirm-url"></div>
+                </div>
+                <footer class="modal-footer">
+                    <button type="button" id="externalLinkOpenBtn">确认并新标签打开</button>
+                </footer>
+            </section>
+        </div>
     </div>
 
     <script src="/app/vendor/xterm.js"></script>

package/lib/web/frontend/app.js

@@ -51,6 +51,7 @@
         configModalOpen: false,
         createModalOpen: false,
         agentTemplateModalOpen: false,
+        externalLinkModalOpen: false,
         configLoading: false,
         configSaving: false,
         configSaveMessage: '',
@@ -105,7 +106,8 @@
             lastSentRows: 0,
             ctrlMode: false,
             altMode: false
-        }
+        },
+        externalLinkUrl: ''
     };
 
     const sidebarNode = document.querySelector('.sidebar');
@@ -196,6 +198,10 @@
     const agentTemplateCancelBtn = document.getElementById('agentTemplateCancelBtn');
     const agentTemplateResetBtn = document.getElementById('agentTemplateResetBtn');
     const agentTemplateSaveBtn = document.getElementById('agentTemplateSaveBtn');
+    const externalLinkModal = document.getElementById('externalLinkModal');
+    const externalLinkUrl = document.getElementById('externalLinkUrl');
+    const externalLinkCancelBtn = document.getElementById('externalLinkCancelBtn');
+    const externalLinkOpenBtn = document.getElementById('externalLinkOpenBtn');
     const refreshBtn = document.getElementById('refreshBtn');
     const removeBtn = document.getElementById('removeBtn');
     const removeAllBtn = document.getElementById('removeAllBtn');
@@ -740,6 +746,45 @@
         configStatus.textContent = text;
     }
 
+    function openExternalLinkModalView(url) {
+        const text = String(url || '').trim();
+        if (!text) {
+            return;
+        }
+        state.externalLinkUrl = text;
+        state.externalLinkModalOpen = true;
+        if (externalLinkUrl) {
+            externalLinkUrl.textContent = text;
+        }
+        setModalVisible(externalLinkModal, true);
+    }
+
+    function closeExternalLinkModalView() {
+        state.externalLinkModalOpen = false;
+        state.externalLinkUrl = '';
+        if (externalLinkUrl) {
+            externalLinkUrl.textContent = '';
+        }
+        setModalVisible(externalLinkModal, false);
+    }
+
+    function confirmExternalLinkOpen() {
+        const targetUrl = String(state.externalLinkUrl || '').trim();
+        if (!targetUrl) {
+            closeExternalLinkModalView();
+            return;
+        }
+        if (markdownRenderer && typeof markdownRenderer.openExternalLink === 'function') {
+            markdownRenderer.openExternalLink(targetUrl);
+        } else {
+            const popup = window.open(targetUrl, '_blank', 'noopener,noreferrer');
+            if (popup) {
+                popup.opener = null;
+            }
+        }
+        closeExternalLinkModalView();
+    }
+
     function showDirectoryPickerError(message) {
         if (!directoryPickerError) return;
         const text = String(message || '').trim();
@@ -2095,6 +2140,9 @@
         if (agentTemplateModal) {
             agentTemplateModal.hidden = !state.agentTemplateModalOpen;
         }
+        if (externalLinkModal) {
+            externalLinkModal.hidden = !state.externalLinkModalOpen;
+        }
         if (agentTemplateSaveBtn) {
             agentTemplateSaveBtn.disabled = state.agentTemplateSaving || !state.active;
         }
@@ -2118,7 +2166,7 @@
         }
         document.body.classList.toggle(
             'modal-open',
-            state.configModalOpen || state.createModalOpen || state.directoryPicker.open || state.agentTemplateModalOpen
+            state.configModalOpen || state.createModalOpen || state.directoryPicker.open || state.agentTemplateModalOpen || state.externalLinkModalOpen
         );
         if (!state.active) {
             sendState.textContent = '未选择会话';
@@ -4030,6 +4078,15 @@
         });
     }
 
+    if (externalLinkModal) {
+        externalLinkModal.addEventListener('click', function (event) {
+            if (event.target === externalLinkModal) {
+                closeExternalLinkModalView();
+                syncUi();
+            }
+        });
+    }
+
     window.addEventListener('keydown', function (event) {
         if (event.key === 'Escape' && state.configModalOpen) {
             closeConfigModal();
@@ -4046,6 +4103,10 @@
             closeAgentTemplateModal();
             syncUi();
         }
+        if (event.key === 'Escape' && state.externalLinkModalOpen) {
+            closeExternalLinkModalView();
+            syncUi();
+        }
         if (event.key === 'Escape' && state.mobileSidebarOpen) {
             closeMobileSessionPanel();
         }
@@ -4128,6 +4189,27 @@
         }
     });
 
+    if (externalLinkCancelBtn) {
+        externalLinkCancelBtn.addEventListener('click', function () {
+            closeExternalLinkModalView();
+            syncUi();
+        });
+    }
+
+    if (externalLinkOpenBtn) {
+        externalLinkOpenBtn.addEventListener('click', function () {
+            confirmExternalLinkOpen();
+            syncUi();
+        });
+    }
+
+    if (markdownRenderer && typeof markdownRenderer.setLinkOpenHandler === 'function') {
+        markdownRenderer.setLinkOpenHandler(function (url) {
+            openExternalLinkModalView(url);
+            syncUi();
+        });
+    }
+
     window.addEventListener('beforeunload', function () {
         disconnectTerminal('', true);
     });

package/lib/web/frontend/markdown-renderer.js

@@ -1,8 +1,11 @@
 (function () {
-    const MARKDOWN_URL_PROTOCOL_PATTERN = /^(https?:|mailto:|tel:)/i;
+    const MARKDOWN_LINK_PROTOCOL_PATTERN = /^(https?:|mailto:|tel:)/i;
+    const MARKDOWN_IMAGE_PROTOCOL_PATTERN = /^(https?:)/i;
     const runtime = {
         configured: false,
-        available: false
+        available: false,
+        linkGuardBound: false,
+        linkOpenHandler: null
     };
 
     function escapeHtml(value) {
@@ -14,26 +17,175 @@
             .replace(/'/g, ''');
     }
 
-    function sanitizeMarkdownUrl(value) {
+    function normalizeRendererValue(value) {
+        if (value && typeof value === 'object') {
+            if (typeof value.href === 'string') {
+                return value.href;
+            }
+            if (typeof value.text === 'string') {
+                return value.text;
+            }
+        }
+        return String(value == null ? '' : value);
+    }
+
+    function sanitizeMarkdownLinkUrl(value) {
         const raw = String(value == null ? '' : value).trim();
         if (!raw) {
             return '';
         }
-        if (raw[0] === '#') {
+        if (MARKDOWN_LINK_PROTOCOL_PATTERN.test(raw)) {
             return raw;
         }
+        return '';
+    }
+
+    function sanitizeMarkdownImageUrl(value) {
+        const raw = String(value == null ? '' : value).trim();
+        if (!raw) {
+            return '';
+        }
         if (raw[0] === '/') {
             return raw.startsWith('//') ? '' : raw;
         }
         if (raw.startsWith('./') || raw.startsWith('../')) {
             return raw;
         }
-        if (MARKDOWN_URL_PROTOCOL_PATTERN.test(raw)) {
+        if (MARKDOWN_IMAGE_PROTOCOL_PATTERN.test(raw)) {
             return raw;
         }
         return '';
     }
 
+    function getRendererToken(value) {
+        return value && typeof value === 'object' ? value : null;
+    }
+
+    function renderInlineTokens(rendererContext, token, fallbackText) {
+        if (
+            token
+            && Array.isArray(token.tokens)
+            && rendererContext
+            && rendererContext.parser
+            && typeof rendererContext.parser.parseInline === 'function'
+        ) {
+            try {
+                return String(rendererContext.parser.parseInline(token.tokens) || '');
+            } catch (e) {
+                // ignore and fallback to plain text below
+            }
+        }
+        if (token && typeof token.text === 'string') {
+            return escapeHtml(token.text);
+        }
+        return escapeHtml(fallbackText || '');
+    }
+
+    function buildSafeAnchorHtml(href, title, content, extraAttrs) {
+        let output = '<a href="' + escapeHtml(href) + '" target="_blank" rel="noopener noreferrer"'
+            + ' referrerpolicy="no-referrer" data-safe-external-link="true"'
+            + ' data-safe-href="' + escapeHtml(href) + '"';
+        if (title) {
+            output += ' title="' + escapeHtml(title) + '"';
+        }
+        if (extraAttrs) {
+            output += extraAttrs;
+        }
+        output += '>' + content + '</a>';
+        return output;
+    }
+
+    function openExternalLinkWithNoReferrer(href) {
+        const url = String(href || '').trim();
+        if (!url || typeof document === 'undefined' || !document || typeof document.createElement !== 'function') {
+            if (typeof window.open === 'function') {
+                const opened = window.open(url, '_blank', 'noopener,noreferrer');
+                if (opened) {
+                    opened.opener = null;
+                }
+            }
+            return;
+        }
+
+        const anchor = document.createElement('a');
+        anchor.href = url;
+        anchor.target = '_blank';
+        anchor.rel = 'noopener noreferrer';
+        anchor.referrerPolicy = 'no-referrer';
+        anchor.style.display = 'none';
+        document.body.appendChild(anchor);
+        try {
+            if (typeof anchor.click === 'function') {
+                anchor.click();
+            } else if (typeof window.open === 'function') {
+                const opened = window.open(url, '_blank', 'noopener,noreferrer');
+                if (opened) {
+                    opened.opener = null;
+                }
+            }
+        } finally {
+            if (anchor.parentNode && typeof anchor.parentNode.removeChild === 'function') {
+                anchor.parentNode.removeChild(anchor);
+            }
+        }
+    }
+
+    function requestExternalLinkOpen(href) {
+        const url = String(href || '').trim();
+        if (!url) {
+            return;
+        }
+        if (typeof runtime.linkOpenHandler === 'function') {
+            runtime.linkOpenHandler(url);
+            return;
+        }
+
+        const shouldOpen = typeof window.confirm === 'function'
+            ? window.confirm('即将打开外部链接：\n' + url + '\n\n确认继续打开？')
+            : true;
+        if (!shouldOpen) {
+            return;
+        }
+
+        openExternalLinkWithNoReferrer(url);
+    }
+
+    function bindDocumentLinkGuard() {
+        if (runtime.linkGuardBound || typeof document === 'undefined' || !document || typeof document.addEventListener !== 'function') {
+            return;
+        }
+
+        document.addEventListener('click', function (event) {
+            const target = event && event.target;
+            if (!target || typeof target.closest !== 'function') {
+                return;
+            }
+            const link = target.closest('a[data-safe-external-link="true"]');
+            if (!link) {
+                return;
+            }
+            if (event.preventDefault) {
+                event.preventDefault();
+            }
+            if (event.stopPropagation) {
+                event.stopPropagation();
+            }
+
+            const href = String(
+                (typeof link.getAttribute === 'function' && (link.getAttribute('data-safe-href') || link.getAttribute('href')))
+                || link.href
+                || ''
+            ).trim();
+            if (!href) {
+                return;
+            }
+
+            requestExternalLinkOpen(href);
+        });
+
+        runtime.linkGuardBound = true;
+    }
+
     function getMarkedApi() {
         const api = window.marked;
         if (!api || typeof api.parse !== 'function') {
@@ -57,45 +209,48 @@
         try {
             const renderer = new markedApi.Renderer();
             renderer.html = function (html) {
-                return escapeHtml(html);
+                const token = getRendererToken(html);
+                return escapeHtml(token ? token.text : html);
             };
             renderer.link = function (href, title, text) {
-                const safeHref = sanitizeMarkdownUrl(href);
+                const token = getRendererToken(href);
+                const rawHref = token ? token.href : normalizeRendererValue(href);
+                const rawTitle = token ? token.title : title;
+                const safeHref = sanitizeMarkdownLinkUrl(rawHref);
+                const safeText = renderInlineTokens(this, token, text)
+                    // [P1-02] 移除 marked 已渲染链接文本中的 on* 事件属性，防止内联 HTML 注入 XSS
+                    .replace(/\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]*)/gi, '');
                 if (!safeHref) {
-                    return escapeHtml(text || '');
-                }
-                // [P1-02] 移除 marked 已渲染链接文本中的 on* 事件属性，防止内联 HTML 注入 XSS
-                const safeText = String(text || '').replace(/\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]*)/gi, '');
-                let output = '<a href="' + escapeHtml(safeHref) + '" target="_blank" rel="noopener noreferrer"';
-                if (title) {
-                    output += ' title="' + escapeHtml(title) + '"';
+                    return safeText || escapeHtml(token ? token.text : text || '');
                 }
-                output += '>' + safeText + '</a>';
-                return output;
+                return buildSafeAnchorHtml(safeHref, rawTitle, safeText || escapeHtml(safeHref));
             };
             // [P1-01] 重写 image 渲染器：
             //   - 外部 http/https 图片转为可点击链接，避免浏览器自动发起外部请求（追踪像素风险）
             //   - 相对路径图片正常渲染为 <img>
             //   - 危险协议（javascript:/data: 等）降级为纯文本
             renderer.image = function (href, title, text) {
-                const safeHref = sanitizeMarkdownUrl(href);
+                const token = getRendererToken(href);
+                const rawHref = token ? token.href : normalizeRendererValue(href);
+                const rawTitle = token ? token.title : title;
+                const safeHref = sanitizeMarkdownImageUrl(rawHref);
+                const safeText = renderInlineTokens(this, token, text)
+                    .replace(/\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]*)/gi, '');
                 if (!safeHref) {
-                    return escapeHtml(text || '');
+                    return safeText || escapeHtml(token ? token.text : text || '');
                 }
                 // 外部绝对 URL：转为链接，用户主动决定是否访问
                 if (/^https?:/i.test(safeHref)) {
-                    const safeText = String(text || '').replace(/\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]*)/gi, '')
-                        || escapeHtml(safeHref);
-                    let output = '<a href="' + escapeHtml(safeHref) + '" target="_blank" rel="noopener noreferrer"';
-                    if (title) {
-                        output += ' title="' + escapeHtml(title) + '"';
-                    }
-                    return output + '>[\uD83D\uDDBC\uFE0F点击查看图片:' + safeText + ']</a>';
+                    return buildSafeAnchorHtml(
+                        safeHref,
+                        rawTitle,
+                        '[\uD83D\uDDBC\uFE0F点击查看图片:' + (safeText || escapeHtml(safeHref)) + ']'
+                    );
                 }
                 // 相对路径：正常渲染为图片
                 let output = '<img src="' + escapeHtml(safeHref) + '" alt="' + escapeHtml(text || '') + '"';
-                if (title) {
-                    output += ' title="' + escapeHtml(title) + '"';
+                if (rawTitle) {
+                    output += ' title="' + escapeHtml(rawTitle) + '"';
                 }
                 return output + '>';
             };
@@ -138,6 +293,12 @@
 
     window.ManyoyoMarkdown = {
         shouldRenderMessage,
-        render
+        render,
+        openExternalLink: openExternalLinkWithNoReferrer,
+        setLinkOpenHandler: function (handler) {
+            runtime.linkOpenHandler = typeof handler === 'function' ? handler : null;
+        }
     };
+
+    bindDocumentLinkGuard();
 }());

package/lib/web/frontend/markdown.css

@@ -72,5 +72,13 @@
 
 .bubble .md-content a {
     color: #8a4f17;
-    text-decoration-color: rgba(138, 79, 23, 0.45);
+    text-decoration-line: underline;
+    text-decoration-thickness: 2px;
+    text-underline-offset: 0.16em;
+    text-decoration-color: rgba(138, 79, 23, 0.8);
+}
+
+.bubble .md-content a:hover,
+.bubble .md-content a:focus-visible {
+    text-decoration-color: #8a4f17;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@xcanwin/manyoyo",
-    "version": "5.8.10",
+    "version": "5.8.11",
     "imageVersion": "1.9.0-common",
     "playwrightCliVersion": "0.1.1",
     "description": "AI Agent CLI Security Sandbox for Docker and Podman",