feat(web): add safe rich text formatting for message rendering

web/src/utils/formatMessage.tsx

@@ -0,0 +1,32 @@
+function escapeHtml(input: string): string {
+  return input
+    .replace(/&/g, "&")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;")
+    .replace(/'/g, "&#39;");
+}
+
+function sanitizeHref(input: string): string {
+  const normalized = input.trim();
+  if (/^https?:\/\//i.test(normalized)) {
+    return normalized;
+  }
+  return "#";
+}
+
+export function formatMessageHtml(text: string): string {
+  let html = escapeHtml(text);
+
+  html = html.replace(/\[([^\]]+)\]\(([^)]+)\)/g, (_m, label: string, href: string) => {
+    const safeHref = sanitizeHref(href);
+    return `<a href="${safeHref}" target="_blank" rel="noreferrer" class="underline text-sky-300">${label}</a>`;
+  });
+  html = html.replace(/\*\*([^*]+)\*\*/g, "<strong>$1</strong>");
+  html = html.replace(/\*([^*]+)\*/g, "<em>$1</em>");
+  html = html.replace(/__([^_]+)__/g, "<u>$1</u>");
+  html = html.replace(/`([^`]+)`/g, "<code class=\"rounded bg-slate-700/60 px-1 py-0.5 text-[12px]\">$1</code>");
+  html = html.replace(/\|\|([^|]+)\|\|/g, "<span class=\"rounded bg-slate-700/80 px-1 text-transparent hover:text-inherit\">$1</span>");
+  html = html.replace(/\n/g, "<br/>");
+  return html;
+}