Chat Renderer

LLM Output as HTML

The chat UI inserts the model's reply via `innerHTML`, so any HTML or `<script>` tag the model emits executes in the user's session.

CWE-79CWE-94
Back to hub Reload scenario
LLM reply

Expected Findings

  • Model output is rendered with `innerHTML` rather than text nodes.
  • `<script>` and `<img onerror>` payloads execute in the chat surface.
  • Markdown sanitizer is disabled because it broke a rich-content demo.

Signals

Renderer
el.innerHTML = response.html  // model is trusted
Developed by vibe-eval.com for validation and testing purposes only.