fix(frontend): resolve invalid HTML nesting and tabnabbing vulnerabilities (#1904)

* fix(frontend): resolve invalid HTML nesting and tabnabbing vulnerabilities

Fix `<button>` inside `<a>` invalid HTML in artifact components and add
missing `noopener,noreferrer` to `window.open` calls to prevent reverse
tabnabbing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(frontend): address Copilot review on tabnabbing and double-tab-open

Remove redundant parent onClick on web_fetch ChainOfThoughtStep to
prevent opening two tabs on link click, and explicitly null out
window.opener after window.open() for defensive tabnabbing hardening.

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
yangzheli
2026-04-07 09:44:17 +08:00
committed by GitHub
parent 2d068cc075
commit 3acdf79beb
3 changed files with 45 additions and 40 deletions
@@ -280,16 +280,17 @@ function ToolCall({
return (
<ChainOfThoughtStep
key={id}
className="cursor-pointer"
label={t.toolCalls.viewWebPage}
icon={GlobeIcon}
onClick={() => {
window.open(url, "_blank");
}}
>
<ChainOfThoughtSearchResult>
{url && (
<a href={url} target="_blank" rel="noopener noreferrer">
<a
href={url}
target="_blank"
rel="noopener noreferrer"
className="cursor-pointer"
>
{title}
</a>
)}
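Review bot: the `className="cursor-pointer"` carried onto the new six-line `<a>` is redundant; an anchor with an `href` already renders the pointer cursor in every browser, so the class moved off ChainOfThoughtStep can simply be dropped rather than relocated. Reading this rendered hunk with its +/- markers stripped, the count in `@@ -280,16 +280,17 @@` only balances if the `className` line, the three `onClick` lines with `window.open(url, "_blank")` and the one-line `<a>` are the removals and the six-line `<a>` is the addition; on that reading the hunk is sound: the bare `window.open(url, "_blank")` (no `noopener,noreferrer` feature string) is gone, the anchor with `rel="noopener noreferrer"` is the only click target, and the double-tab-open from the click bubbling to the parent `onClick` no longer occurs. One remaining edge: when `url` is falsy the step still renders `label={t.toolCalls.viewWebPage}` with nothing clickable inside, so consider gating the whole step on `url`, or at least dropping the pointer styling in that case.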