Update config.yaml

README.md

@@ -190,13 +190,14 @@ The `run.sh` script will automatically:
      ```
    - Or edit `config.yaml` directly before launching
 2. **Login** - Use the auto-generated password shown in the console (or set `auth.password` in `config.yaml`)
-3. **Install security tools (optional)** - Install tools as needed:
+3. **Install security tools (optional)** - Install all tools declared under `tools/`:
    ```bash
-   # macOS
+   ./install-tools.sh              # install missing tools (best on Kali/Debian/Ubuntu)
-   brew install nmap sqlmap nuclei httpx gobuster feroxbuster subfinder amass
+   ./install-tools.sh --check      # check only, no install
-   # Ubuntu/Debian
+   ./install-tools.sh --list       # show per-tool status
-   sudo apt-get install nmap sqlmap nuclei httpx gobuster feroxbuster
+   ./install-tools.sh --only nmap,gau   # install selected tools only
    ```
+   On macOS, install bash 4+ via Homebrew first; without apt, the script falls back to pip/go/GitHub.
    AI automatically falls back to alternatives when a tool is missing.
 
 **Alternative Launch Methods:**

README_CN.md

@@ -189,14 +189,15 @@ chmod +x run.sh && ./run.sh
      ```
    - 或启动前直接编辑 `config.yaml` 文件
 2. **登录系统** - 使用控制台显示的自动生成密码（或在 `config.yaml` 中设置 `auth.password`）
-3. **安装安全工具（可选）** - 按需安装所需工具：
+3. **安装安全工具（可选）** - 一键安装 `tools/` 目录声明的全部工具：
    ```bash
-   # macOS
+   ./install-tools.sh              # 安装缺失工具 (Kali/Debian/Ubuntu 推荐)
-   brew install nmap sqlmap nuclei httpx gobuster feroxbuster subfinder amass
+   ./install-tools.sh --check      # 仅检查, 不安装
-   # Ubuntu/Debian
+   ./install-tools.sh --list       # 列出各工具安装状态
-   sudo apt-get install nmap sqlmap nuclei httpx gobuster feroxbuster
+   ./install-tools.sh --only nmap,gau   # 只装指定工具
    ```
-   未安装的工具会自动跳过或改用替代方案。
+   macOS 自带 bash 3.2, 请用 `./install-tools.sh --install-bash --list` 自动安装 bash 4+; apt 不可用时会降级到 pip/go/GitHub。
+   未安装的工具在执行时会自动跳过或改用替代方案。
 
 **其他启动方式：**
 ```bash

config.yaml

@@ -10,7 +10,7 @@
 # ============================================
 
 # 前端显示的版本号（可选，不填则显示默认版本）
-version: "v1.6.32"
+version: "v1.6.33"
 # 服务器配置
 server:
   host: 0.0.0.0 # 监听地址，0.0.0.0 表示监听所有网络接口

tools/katana.yaml

@@ -39,9 +39,9 @@ parameters:
     default: true
   - name: "form_extraction"
     type: "bool"
-    description: "启用表单提取"
+    description: "启用表单提取（-fx / -form-extraction）"
     required: false
-    flag: "-forms"
+    flag: "-fx"
     format: "flag"
     default: true
   - name: "additional_args"
@@ -50,10 +50,10 @@ parameters:
       额外的Katana参数。用于传递未在参数列表中定义的Katana选项。
 
       **示例值：**
-      - "--headless": 使用无头浏览器
+      - "-headless": 使用无头浏览器
-      - "-f": 输出格式
+      - "-output-template '{{url}}'": 自定义输出格式
-      - "-o output.txt": 输出到文件
+      - "-output output.txt": 输出到文件
-      - "-c": 并发数
+      - "-c 20": 并发数
 
       **注意事项：**
       - 多个参数用空格分隔

web/static/js/sanitize-markdown.js

@@ -68,9 +68,25 @@
         domPurifyHooksInstalled = true;
     }
 
+    /** 明显 Markdown 结构时，不应因零散 HTML 标签误判为整页 HTML */
+    function looksLikeMarkdown(src) {
+        const s = String(src);
+        return /^#{1,6}\s/m.test(s)
+            || /^\s*[-*+]\s/m.test(s)
+            || /^\s*\d+\.\s/m.test(s)
+            || /\*\*[^*\n]+\*\*/.test(s)
+            || /`[^`\n]+`/.test(s)
+            || /^```/m.test(s)
+            || /^\|.+\|/m.test(s)
+            || /^\s*>\s/m.test(s);
+    }
+
     /** 探测工具返回的整页 HTML，不宜当作富文本渲染 */
     function isHeavyRawHtml(src) {
         const s = String(src);
+        if (looksLikeMarkdown(s)) {
+            return false;
+        }
         if (/<!DOCTYPE\s+html/i.test(s) || /<\s*html\b/i.test(s)) {
             return true;
         }
@@ -81,6 +97,10 @@
         return tags != null && tags.length >= 8;
     }
 
+    function escapePlainTextAsHtml(text) {
+        return escapeHtmlLocal(text).replace(/\n/g, '<br>');
+    }
+
     function formatHtmlAsEscapedPre(text) {
         return '<pre class="tool-result sanitized-raw-html-fallback">' + escapeHtmlLocal(text) + '</pre>';
     }
@@ -115,6 +135,23 @@
      * @param {{ profile?: 'chat'|'timeline' }} [options]
      * @returns {string} 安全 HTML
      */
+    function buildRichHtmlFromSource(src) {
+        const hasHtmlTags = /<[a-z][\s\S]*>/i.test(src);
+        const preferMarkdown = typeof marked !== 'undefined'
+            && (looksLikeMarkdown(src) || !hasHtmlTags);
+
+        if (preferMarkdown) {
+            const parsed = parseMarkdownSrc(src);
+            if (parsed != null) {
+                return parsed;
+            }
+        }
+        if (hasHtmlTags) {
+            return src;
+        }
+        return escapePlainTextAsHtml(src);
+    }
+
     function formatMarkdownToHtml(text, options) {
         const profile = (options && options.profile === 'timeline') ? 'timeline' : 'chat';
         const src = normalizeSource(text);
@@ -124,24 +161,13 @@
         }
 
         if (typeof DOMPurify === 'undefined') {
-            return escapeHtmlLocal(src).replace(/\n/g, '<br>');
+            console.warn('DOMPurify 未加载，Markdown 已降级为纯文本渲染（已转义，防 XSS）');
+            return escapePlainTextAsHtml(src);
         }
 
         installDomPurifyHooks();
         const config = sanitizeConfigForProfile(profile);
-
+        return DOMPurify.sanitize(buildRichHtmlFromSource(src), config);
-        let html;
-        const hasHtmlTags = /<[a-z][\s\S]*>/i.test(src);
-        if (typeof marked !== 'undefined' && !hasHtmlTags) {
-            const parsed = parseMarkdownSrc(src);
-            html = parsed != null ? parsed : escapeHtmlLocal(src).replace(/\n/g, '<br>');
-        } else if (hasHtmlTags) {
-            html = src;
-        } else {
-            html = escapeHtmlLocal(src).replace(/\n/g, '<br>');
-        }
-
-        return DOMPurify.sanitize(html, config);
     }
 
     function sanitizeRichHtml(html, profile) {
@@ -171,6 +197,7 @@
         formatMarkdownToHtml: formatMarkdownToHtml,
         sanitizeRichHtml: sanitizeRichHtml,
         isHeavyRawHtml: isHeavyRawHtml,
+        looksLikeMarkdown: looksLikeMarkdown,
         escapeHtmlLocal: escapeHtmlLocal,
         stripSuspiciousImages: stripSuspiciousImages,
     };

web/templates/index.html

@@ -3517,10 +3517,9 @@
         </div>
     </div>
 
-    <!-- Marked.js for Markdown parsing -->
+    <!-- Marked.js + DOMPurify：本地 vendor，避免 CDN 不可用导致 Markdown 降级为纯文本 -->
-    <script src="https://cdn.jsdelivr.net/npm/marked@11.1.1/marked.min.js"></script>
+    <script src="/static/vendor/marked.min.js"></script>
-    <!-- DOMPurify for HTML sanitization to prevent XSS -->
+    <script src="/static/vendor/purify.min.js"></script>
-    <script src="https://cdn.jsdelivr.net/npm/dompurify@3.0.8/dist/purify.min.js"></script>
     <script src="/static/js/sanitize-markdown.js"></script>
     <!-- Cytoscape.js for attack chain visualization -->
     <script src="https://cdn.jsdelivr.net/npm/cytoscape@3.27.0/dist/cytoscape.min.js"></script>