fix: md xss 过滤白名单增加 video 和 audio (#291)

Co-authored-by: yangyu.1 <[email protected]>

Author: tomasyu985

common/changes/@coze/chat-sdk/fix-chat_sdk_md_2025-07-31-04-00.json

@@ -0,0 +1,11 @@
+{
+  "changes": [
+    {
+      "packageName": "@coze/chat-sdk",
+      "comment": "md xss 过滤白名单增加 video 和 audio",
+      "type": "patch"
+    }
+  ],
+  "packageName": "@coze/chat-sdk",
+  "email": "[email protected]"
+}

packages/chat-sdk/src/libs/ui-kit/atomic/md-stream/render/phrase/html/index.tsx

@@ -14,7 +14,31 @@ export const Html: FC<{
   return (
     <>
       {enableHtmlTags ? (
-        <RichText nodes={`${xss(node.value)}`} />
+        <RichText
+          nodes={`${xss(node.value, {
+            whiteList: {
+              video: [
+                'width',
+                'height',
+                'controls',
+                'autoplay',
+                'loop',
+                'muted',
+                'poster',
+                'preload',
+              ],
+              audio: [
+                'controls',
+                'autoplay',
+                'loop',
+                'muted',
+                'poster',
+                'preload',
+              ],
+              source: ['src', 'type'],
+            },
+          })}`}
+        />
       ) : (
         <Text node={node as unknown as TextMdType} />
       )}

packages/chat-sdk/src/pages/markdown/const.ts

@@ -104,6 +104,9 @@ as s \`node\`
 
 <div>
  <strong>asdfasdf</strong>
+  <audio controls>
+    <source src="https://lf-bot-studio-plugin-resource.coze.cn/obj/bot-studio-platform-plugin-tos/sami_podcast/tts/6919958702e6450bbac82bd6dfb17b85.mp3">
+  </audio>
   <video controls="" width="250">
     <source src="https://interactive-examples.mdn.mozilla.net/media/cc0-videos/flower.webm" type="video/webm">
     <source src="https://interactive-examples.mdn.mozilla.net/media/cc0-videos/flower.mp4" type="video/mp4">