fix(chat): allow file-only messages with no text to be sent in chat panel and deployed chat #1635
Greptile Overview
Summary
Enables sending messages with file attachments only (no text required) in both chat panel and deployed chat by conditionally rendering the message text bubble.
Key Changes:
- Conditionally renders message bubble only when text content exists and doesn't start with "Sent"/"Uploaded"
- Adds enhanced image attachment preview that opens in a new window with custom HTML
- Adds validation to check `dataUrl.startsWith('data:')` before rendering images or enabling click handlers
- Fixes missing `useCallback` dependencies in `chat.tsx` (chatFiles, isUploadingFiles, setter functions)
Critical Issues Found:
- XSS vulnerabilities: `attachment.name` is directly interpolated into HTML (document.write) without escaping in 4 locations across 2 files. A malicious filename like `</title><script>alert('XSS')</script>` will execute JavaScript.
Confidence Score: 1/5
- This PR contains critical XSS vulnerabilities that must be fixed before merging
- Score reflects 4 XSS vulnerabilities where user-controlled filenames are injected into HTML without escaping. While the dependency array fix is correct, the security issues make this unsafe to merge.
- Pay close attention to `apps/sim/app/chat/components/message/message.tsx` and `apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/chat/components/chat-message/chat-message.tsx` - both contain XSS vulnerabilities
Important Files Changed
File Analysis
| Filename | Score | Overview |
|---|---|---|
| apps/sim/app/chat/components/message/message.tsx | 1/5 | Allows file-only messages by conditionally rendering text bubble; adds image preview in new window with XSS vulnerabilities in attachment.name handling |
| apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/chat/chat.tsx | 4/5 | Added missing dependencies (chatFiles, isUploadingFiles, setChatMessage, setChatFiles, setUploadErrors) to handleSendMessage useCallback |
| apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/chat/components/chat-message/chat-message.tsx | 1/5 | Allows file-only messages by conditionally rendering text bubble; adds image preview in new window with XSS vulnerabilities in attachment.name handling |
Sequence Diagram
```mermaid
sequenceDiagram
    participant User
    participant ChatInput
    participant ChatComponent
    participant MessageComponent
    participant Browser
    User->>ChatInput: Upload file + optional text
    ChatInput->>ChatComponent: handleSendMessage()
    alt Has text content
        ChatComponent->>MessageComponent: Render attachments + text bubble
    else File-only (no text)
        ChatComponent->>MessageComponent: Render attachments only (skip text bubble)
    end
    User->>MessageComponent: Click attachment
    MessageComponent->>MessageComponent: Check dataUrl.startsWith('data:')
    MessageComponent->>Browser: window.open('', '_blank')
    MessageComponent->>Browser: document.write(HTML with attachment.name)
    Browser->>User: Display attachment in new window
```
3 files reviewed, 4 comments
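The overview above reports the same unescaped `attachment.name` interpolation in four places. As an added example (not code from the sim project or from the reviewer), here is one shared escaping helper with the preview document built around it; the names `escapeHtml`, `isImageDataUrl` and `buildPreviewHtml` are assumptions, and the data-URL check is deliberately stricter than the PR's `startsWith('data:')`.

```typescript
// Added example, not the project's code. One HTML-escaping helper replaces the
// inline .replace() chains the review proposes four times.

// Characters that can close a tag, open a new one or end an attribute value.
// The entity references must be emitted literally ('&amp;', not '&'), and '&'
// is handled by the same single pass so nothing is double-escaped.
const HTML_ESCAPES: Record<string, string> = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(input: string): string {
  return input.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch] ?? ch);
}

// Assumed policy, tighter than startsWith('data:'): only base64 image data URLs
// may reach <img src>. The base64 alphabet cannot contain quotes or angle
// brackets, so the URL cannot break out of the attribute either.
function isImageDataUrl(url: string): boolean {
  return /^data:image\/[a-z0-9.+-]+;base64,[A-Za-z0-9+/=]*$/i.test(url);
}

// Builds the document the preview window would receive. The user-controlled
// filename is escaped in both the text (title) and attribute (alt) contexts;
// the data URL is validated rather than escaped. Returns null if rejected.
function buildPreviewHtml(attachmentName: string, dataUrl: string): string | null {
  if (!isImageDataUrl(dataUrl)) return null;
  const safeName = escapeHtml(attachmentName);
  return [
    '<!DOCTYPE html>',
    '<html>',
    '<head>',
    `<title>${safeName}</title>`,
    '</head>',
    '<body>',
    `<img src="${dataUrl}" alt="${safeName}" />`,
    '</body>',
    '</html>',
  ].join('\n');
}

// Constructed sample input: the hostile filename quoted in the review and a
// truncated PNG data URL. The script tag comes out as inert text.
const HOSTILE_NAME = "</title><script>alert('XSS')</script>";
const SAMPLE_PNG = 'data:image/png;base64,iVBORw0KGgo=';
console.log(buildPreviewHtml(HOSTILE_NAME, SAMPLE_PNG));
```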
| <!DOCTYPE html> | ||
| <html> | ||
| <head> | ||
| <title>${attachment.name}</title> |
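Review bot: the `<title>${attachment.name}</title>` markup is written with document.write into a window opened via window.open('', '_blank'); that window starts as about:blank and inherits the opener's origin, so a script injected through the filename runs with the chat application's own origin rather than in an isolated context. Beyond escaping the interpolated name, prefer setting the new window's `document.title` and creating the `<img>` with createElement/setAttribute, so the filename is never parsed as markup at all.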
**logic:** XSS vulnerability: `${attachment.name}` is not HTML-escaped. If a user uploads a file named `</title><script>alert('XSS')</script>`, it will execute JavaScript in the new window.
| <title>${attachment.name}</title> | |
| <title>${attachment.name.replace(/&/g, '&').replace(/</g, '<').replace(/>/g, '>').replace(/"/g, '"').replace(/'/g, ''')}</title> |
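Review bot: as rendered here the suggested chain replaces `&` with `&`, `<` with `<`, `>` with `>`, `"` with `"` and `'` with `'`, which is a no-op; the replacement strings must be the literal entity references `&amp;`, `&lt;`, `&gt;`, `&quot;` and `&#39;`, with `&` replaced first so existing entities are not double-escaped. The same chain is proposed in four places across two files; a single escapeHtml helper imported by both message.tsx and chat-message.tsx is easier to verify and to unit-test than four inline copies.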
Path: apps/sim/app/chat/components/message/message.tsx, line 105
| </style> | ||
| </head> | ||
| <body> | ||
| <img src="${validDataUrl}" alt="${attachment.name}" /> |
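Review bot: `src="${validDataUrl}"` is interpolated into the attribute just as raw as `alt`; the startsWith('data:') check only constrains the scheme, so a data URL containing a `"` would still terminate the attribute early. Either apply the same attribute escaping to validDataUrl or tighten the check to a base64 image data URL (`data:image/...;base64,` followed by base64 characters only), whose alphabet cannot contain quotes or angle brackets.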
**logic:** XSS vulnerability: `${attachment.name}` in the alt attribute is not HTML-escaped.
| <img src="${validDataUrl}" alt="${attachment.name}" /> | |
| <img src="${validDataUrl}" alt="${attachment.name.replace(/&/g, '&').replace(/</g, '<').replace(/>/g, '>').replace(/"/g, '"').replace(/'/g, ''')}" /> |
Path: apps/sim/app/chat/components/message/message.tsx, line 112
| <!DOCTYPE html> | ||
| <html> | ||
| <head> | ||
| <title>${attachment.name}</title> |
**logic:** XSS vulnerability: `${attachment.name}` is not HTML-escaped.
| <title>${attachment.name}</title> | |
| <title>${attachment.name.replace(/&/g, '&').replace(/</g, '<').replace(/>/g, '>').replace(/"/g, '"').replace(/'/g, ''')}</title> |
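Review bot: this is the third inline copy of the escape chain, now duplicated into a second file; rather than maintaining it separately in chat-message.tsx, import one shared escapeHtml helper so both components escape identically and a single test covers both.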
Path: apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/chat/components/chat-message/chat-message.tsx, line 113
| </style> | ||
| </head> | ||
| <body> | ||
| <img src="${validDataUrl}" alt="${attachment.name}" /> |
**logic:** XSS vulnerability: `${attachment.name}` in the alt attribute is not HTML-escaped.
| <img src="${validDataUrl}" alt="${attachment.name}" /> | |
| <img src="${validDataUrl}" alt="${attachment.name.replace(/&/g, '&').replace(/</g, '<').replace(/>/g, '>').replace(/"/g, '"').replace(/'/g, ''')}" /> |
Path: apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/chat/components/chat-message/chat-message.tsx, line 120
…anel and deployed chat (#1635)
Summary
allow file-only messages with no text to be sent in chat panel and deployed chat
Type of Change
Testing
Tested manually by sending messages with no text and only images.
Checklist