[GH-ISSUE #21858] issue: XSS attack vector #58260

New Issue

Closed

opened 2026-05-05 22:43:08 -05:00 by GiteaMirror · 4 comments

GiteaMirror commented 2026-05-05 22:43:08 -05:00

Owner

Copy Link

Originally created by @Mywk on GitHub (Feb 25, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/21858

Issue

HTML output is escaped in chat but rendered in the completion notification, creating inconsistent sanitization behavior and a potential XSS vector.

Environment

• Open WebUI: v0.8.3
• Installation: Docker
• OS: OpenSUSE Tumbleweed

Expected Behavior

Chat messages and completion notifications should use the same sanitization/rendering logic.

• If HTML is blocked in chat for security, it must also be escaped in the notification.
• If HTML rendering is allowed, it must be consistently sanitized in both places.

Actual Behavior

• In chat, raw HTML (e.g. <table>...</table>) is escaped and shown as literal text.
• In the completion notification ("finished generating" toast), the same HTML is rendered as formatted output.

This indicates inconsistent rendering/sanitization paths and creates a potential XSS attack surface.

Partially related: #9807 (HTML not rendered in chat).

Steps to Reproduce

1. Start a new chat in Open WebUI (tested with glm-ocr).
2. Prompt the model to output raw HTML, for example:
   Convert this data to an HTML table and output only <table>...</table>.
3. Observe that in the chat window, the HTML is escaped and displayed as text.
4. Observe the completion notification preview.
5. The notification renders the HTML instead of escaping it.

Screenshots

Originally created by @Mywk on GitHub (Feb 25, 2026). Original GitHub issue: https://github.com/open-webui/open-webui/issues/21858 ## Issue HTML output is escaped in chat but rendered in the completion notification, creating inconsistent sanitization behavior and a potential XSS vector. ## Environment * **Open WebUI:** v0.8.3 * **Installation:** Docker * **OS:** OpenSUSE Tumbleweed ## Expected Behavior Chat messages and completion notifications should use the same sanitization/rendering logic. * If HTML is blocked in chat for security, it must also be escaped in the notification. * If HTML rendering is allowed, it must be consistently sanitized in both places. ## Actual Behavior * In chat, raw HTML (e.g. `<table>...</table>`) is escaped and shown as literal text. * In the completion notification ("finished generating" toast), the same HTML is rendered as formatted output. This indicates inconsistent rendering/sanitization paths and creates a potential XSS attack surface. Partially related: #9807 (HTML not rendered in chat). ## Steps to Reproduce 1. Start a new chat in Open WebUI (tested with `glm-ocr`). 2. Prompt the model to output raw HTML, for example: `Convert this data to an HTML table and output only <table>...</table>.` 3. Observe that in the chat window, the HTML is escaped and displayed as text. 4. Observe the completion notification preview. 5. The notification renders the HTML instead of escaping it. ## Screenshots <img width="1047" height="509" alt="Image" src="https://github.com/user-attachments/assets/5b4a7929-3852-47b8-9ac8-9e7bb2af2efa" /> <img width="389" height="195" alt="Image" src="https://github.com/user-attachments/assets/10e837b5-40a3-4e83-8b9e-7c85a5cb1a30" />

GiteaMirror added the bug label 2026-05-05 22:43:08 -05:00

GiteaMirror closed this issue 2026-05-05 22:43:11 -05:00

GiteaMirror commented 2026-05-05 22:43:14 -05:00

Author

Owner

Copy Link

@Classic298 commented on GitHub (Feb 25, 2026):

1. Is this still the case in latest version?
2. Can this be exploited by someone else (besides the user himself)?

If both are yes - file a security case here https://github.com/open-webui/open-webui/security

If no, then this is not a vulnerability.

After all, the model can also create artifacts which render HTML on the side with HTML and CSS and JS and can theoretically do XSS there too. But if the attack vector is "I myself have to tell the model to write that" then that's not an attack vector that's just intended behaviour. If you tell the model to do that, then it will do that.

The fact alone that the notifications are rendered differently doesn't constitute an XSS vulnerability.

Please check our security vulnerability requirements at https://github.com/open-webui/open-webui/security

<!-- gh-comment-id:3958160606 --> @Classic298 commented on GitHub (Feb 25, 2026): 1) Is this still the case in latest version? 2) Can this be exploited by someone else (besides the user himself)? If both are yes - file a security case here https://github.com/open-webui/open-webui/security If no, then this is not a vulnerability. After all, the model can also create artifacts which render HTML on the side with HTML and CSS and JS and can theoretically do XSS there too. But if the attack vector is "I myself have to tell the model to write that" then that's not an attack vector that's just intended behaviour. If you tell the model to do that, then it will do that. The fact alone that the notifications are rendered differently doesn't constitute an XSS vulnerability. Please check our security vulnerability requirements at https://github.com/open-webui/open-webui/security

GiteaMirror commented 2026-05-05 22:43:17 -05:00

Author

Owner

Copy Link

@Mywk commented on GitHub (Feb 25, 2026):

Same behavior on latest version. I tested several payloads and no JavaScript was executed, so it does not appear to cross a security boundary under the default configuration.

One question though: if self-XSS via model output is considered expected behavior, what makes issue #9807 different? In both cases the model outputs HTML at the user's request and here it is simply rendered inconsistently between chat and notification, with the notification literally rendering the table.

If this behavior is intended and properly sanitized, feel free to close the issue.

<!-- gh-comment-id:3958251689 --> @Mywk commented on GitHub (Feb 25, 2026): Same behavior on latest version. I tested several payloads and no JavaScript was executed, so it does not appear to cross a security boundary under the default configuration. One question though: if self-XSS via model output is considered expected behavior, what makes issue #9807 different? In both cases the model outputs HTML at the user's request and here it is simply rendered inconsistently between chat and notification, with the notification literally rendering the table. If this behavior is intended and properly sanitized, feel free to close the issue. <img width="1283" height="499" alt="Image" src="https://github.com/user-attachments/assets/b997439e-a033-4919-b184-ec37d7c3eb84" />

GiteaMirror commented 2026-05-05 22:43:19 -05:00

Author

Owner

Copy Link

@Classic298 commented on GitHub (Feb 25, 2026):

@Mywk i cannot definitely answer that question since the issue you reference is very old and the codebase around html rendering and JS execution likely looked different back then.

CC @tjbck

<!-- gh-comment-id:3958317158 --> @Classic298 commented on GitHub (Feb 25, 2026): @Mywk i cannot definitely answer that question since the issue you reference is very old and the codebase around html rendering and JS execution likely looked different back then. CC @tjbck

GiteaMirror commented 2026-05-05 22:43:23 -05:00

Author

Owner

Copy Link

@Mywk commented on GitHub (Feb 25, 2026):

No worries, updated everything on my end and made a proper issue for the rendering inconsistency. Thank you!

<!-- gh-comment-id:3958349271 --> @Mywk commented on GitHub (Feb 25, 2026): No worries, updated everything on my end and made a proper issue for the rendering inconsistency. Thank you!

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dev

v0.9.2

v0.9.1

v0.9.0

v0.8.12

v0.8.11

v0.8.10

v0.8.9

v0.8.8

v0.8.7

v0.8.6

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.2

v0.7.1

v0.7.0

v0.6.43

v0.6.42

v0.6.41

v0.6.40

v0.6.39

v0.6.38

v0.6.37

v0.6.36

v0.6.35

v0.6.34

v0.6.33

v0.6.32

v0.6.31

v0.6.30

v0.6.29

v0.6.28

v0.6.27

v0.6.26

v0.6.25

v0.6.24

v0.6.23

v0.6.22

v0.6.21

v0.6.20

v0.6.19

v0.6.18

v0.6.17

v0.6.16

v0.6.15

v0.6.14

v0.6.13

v0.6.12

v0.6.11

v0.6.10

v0.6.9

v0.6.8

v0.6.7

v0.6.6

v0.6.5

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.20

v0.5.19

v0.5.18

v0.5.17

v0.5.16

v0.5.15

v0.5.14

v0.5.13

v0.5.12

v0.5.11

v0.5.10

v0.5.9

v0.5.8

v0.5.7

v0.5.6

v0.5.5

v0.5.4

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.8

v0.4.7

v0.4.6

v0.4.5

v0.4.4

v0.4.3

v0.4.2

v0.4.1

v0.4.0

v0.3.35

v0.3.34

v0.3.33

v0.3.32

v0.3.31

v0.3.30

v0.3.29

v0.3.28

v0.3.27

v0.3.26

v0.3.25

v0.3.24

v0.3.23

v0.3.22

v0.3.21

v0.3.20

v0.3.19

v0.3.18

v0.3.17

v0.3.16

v0.3.15

v0.3.14

v0.3.13

v0.3.12

v0.3.11

v0.3.10

v0.3.9

v0.3.8

v0.3.7

v0.3.6

v0.3.5

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.125

v0.1.124

v0.1.123

v0.1.122

v0.1.121

v0.1.120

v0.1.119

v0.1.118

v0.1.117

v0.1.116

v0.1.115

v0.1.114

v0.1.113

v0.1.112

v0.1.111

v0.1.110

v0.1.109

v0.1.108

v0.1.107

v0.1.106

v0.1.105

v0.1.104

v0.1.103

v0.1.102

Labels

Clear labels

bug

confirmed

confirmed issue

core

documentation

enhancement

good first issue

help wanted

non-core

pull-request

Mirrored from GitHub Pull Request

python

question

testing wanted

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/open-webui#58260