Feature request: Allow insecure rendering of Markdown web links in the front-end Mattermost UI

[rjbrown99]

Description

I'm using the plugin (latest git checkout as of today, 546e1a2) with an OpenAI compatible API that I am fully in control of. It's working well except for one thing. My API returns some Markdown formatted content in its response from the LLM. For example:

[This is a link](https://thisisa.link.com)

It's not formatting it as Markdown when viewed in Mattermost. Here's what the URL looks like in the channel:

When I edit the response as an admin, the markdown syntax appears to be correct:

Re-saving it does not format it as Markdown, it still looks the same.

When I copy/paste that same text into my own message (authored by me, not the bot), it does format correctly.

Is this to be expected? Is the bot rendering in some kind of safe form that isn't aware of Markdown? And if so, is that intentional or could it be enhanced to support Markdown? Thanks in advance.

[azigler]

Hi @rjbrown99! Thanks for checking out the plugin. This is actually by design, as LLM messages are not rendered in Markdown. This is to prevent data exfiltration via third-party URLs. You can learn more about a variant of this attack here. We may explore formatting alternatives in the future that are safer.

Just curious, what OpenAI-compatible API provider and model are you using?

[rjbrown99]

Thanks, in my case I'm using it in the context of RAG and I'm asking my LLM to return the references to the source documents it used to prepare the response. Hence the need to surface web links. I can look it up myself - but if you happen to know where in the plugin that code is rendered I may fork it and manage my own change. It's easier to do that (and use the core Mattermost web + desktop + mobile apps) versus writing my own UI for it.

I wrote my own FastAPI-based API for it based loosely on this example:
https://towardsdatascience.com/how-to-build-an-openai-compatible-api-87c8edea2f06

That worked fairly well aside from two small issues with their sample code. See the comments on that page, "RB", for specifics. I had to cast the id to a string and the created field to an int, but otherwise it worked "out of the box" as a server-side example that can integrate with your plugin. Lines 35 and 37 of their example code.

Final note - because this is a private LLM that I wrote, I also have a lot more control over the end-to-end process than if I was just using OpenAI directly. I can intercept, modify, cleanse, and detect exfil attempts. Or just make sure the AI returns no markdown unless it comes from my own code. Perhaps an "ImAwareOfTheVulnerability" entry in config.json for those of us with expanded control? Or even limit markdown support to just OpenAI compatible APIs (and not OpenAI directly).

[crspeller]

@rjbrown99 If you are up to doing a contribution for a setting like that it would be appreciated. Maybe something like AllowInsecureMarkdown would be good?

Here is where we tell the webapp markdown handling to do this: https://github.com/mattermost/mattermost-plugin-ai/blob/master/webapp/src/components/post_text.tsx#L70

[rjbrown99]

Thanks, I'll look into that - first I'll see if I can come up with a diff that at least allows markdown to happen. Once that works we can figure out the UI bits, as I expect you will either want a big warning on it or else just make it a back-end only settings change.

[rjbrown99]

Interim update. After a stroll through both the plugin and Mattermost source code, it came back around to one simple change.

In webapp/src/components/post_text.tsx, there is a statement in markdownOptions that sets unsafeLinks to true. Changing that to false allows the URLs to be rendered as clickable links in the front-end UI.

    const markdownOptions = {
        singleline: false,
        mentionHighlight: true,
        atMentions: true,
        team,
        unsafeLinks: false,
        minimumHashtagLength: 1000000000,
        siteURL,
    };

I initially assumed that "unsafeLinks = true" meant that the code should render unsafe links, but it actually means the opposite. The two places that made this clear were in the Mattermost source code (look for unsafeLinks in both):

webapp/channels/src/utils/text_formatting.tsx
webapp/channels/src/utils/markdown/renderer.tsx

This comment in particular told the story: "If true, the renderer will assume links are not safe."

OK, so long walk through the code for a simple change. I'll look into how to set a configuration option for unsafeLinks that can toggle it from true to false.