fix(ui): fix xss in thinking

frontend/src/utils/security.ts

@@ -12,7 +12,7 @@ const DOMPurifyConfig = {
     'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
     'ul', 'ol', 'li', 'blockquote', 'pre', 'code',
     'a', 'img', 'table', 'thead', 'tbody', 'tr', 'th', 'td',
-    'div', 'span', 'figure', 'figcaption'
+    'div', 'span', 'figure', 'figcaption', 'think'
   ],
   // 允许的属性
   ALLOWED_ATTR: [

frontend/src/views/chat/components/deepThink.vue

@@ -19,7 +19,7 @@
                     </div>
                 </template>
                 <div class="content">
-                    <span v-html="deepSession.thinkContent.replace(/\n/g, '<br/>')"></span>
+                    <span v-html="safeProcessThinkContent(deepSession.thinkContent)"></span>
                 </div>
             </t-collapse-panel>
 
@@ -53,6 +53,19 @@ const showHide = () => {
 const handlePanelChange = (val) => {
     isFold.value = !val.length ? true : false;
 }
+
+// 安全地处理思考内容，防止XSS攻击
+const safeProcessThinkContent = (content) => {
+    if (!content || typeof content !== 'string') return '';
+    
+    // 先处理换行符
+    const contentWithBreaks = content.replace(/\n/g, '<br/>');
+    
+    // 使用DOMPurify进行安全清理，允许基本的文本格式化标签
+    const cleanContent = sanitizeHTML(contentWithBreaks);
+    
+    return cleanContent;
+};
 </script>
 <style lang="less" scoped>
 .deep-think {

internal/utils/security.go

@@ -15,6 +15,7 @@ var (
 		regexp.MustCompile(`(?i)<iframe[^>]*>.*?</iframe>`),
 		regexp.MustCompile(`(?i)<object[^>]*>.*?</object>`),
 		regexp.MustCompile(`(?i)<embed[^>]*>.*?</embed>`),
+		regexp.MustCompile(`(?i)<embed[^>]*>`),
 		regexp.MustCompile(`(?i)<form[^>]*>.*?</form>`),
 		regexp.MustCompile(`(?i)<input[^>]*>`),
 		regexp.MustCompile(`(?i)<button[^>]*>.*?</button>`),
@@ -151,7 +152,7 @@ func CleanMarkdown(input string) string {
 		cleaned = pattern.ReplaceAllString(cleaned, "")
 	}
 
-	return strings.TrimSpace(cleaned)
+	return cleaned
 }
 
 // SanitizeForDisplay 为显示清理内容