Update config.yaml

Add files via upload
2026-06-10 00:03:59 +02:00 · 2026-06-09 14:03:09 +08:00 · 2026-06-09 13:39:22 +08:00 · 2026-06-09 11:03:51 +08:00 · 2026-06-08 15:55:03 +08:00
9 changed files with 1136 additions and 36 deletions
@@ -190,13 +190,14 @@ The `run.sh` script will automatically:
     ```
   - Or edit `config.yaml` directly before launching
 2. **Login** - Use the auto-generated password shown in the console (or set `auth.password` in `config.yaml`)
-3. **Install security tools (optional)** - Install tools as needed:
+3. **Install security tools (optional)** - Install all tools declared under `tools/`:
   ```bash
-   # macOS
-   brew install nmap sqlmap nuclei httpx gobuster feroxbuster subfinder amass
-   # Ubuntu/Debian
-   sudo apt-get install nmap sqlmap nuclei httpx gobuster feroxbuster
+   ./install-tools.sh              # install missing tools (best on Kali/Debian/Ubuntu)
+   ./install-tools.sh --check      # check only, no install
+   ./install-tools.sh --list       # show per-tool status
+   ./install-tools.sh --only nmap,gau   # install selected tools only
   ```
+   On macOS, install bash 4+ via Homebrew first; without apt, the script falls back to pip/go/GitHub.
   AI automatically falls back to alternatives when a tool is missing.

 **Alternative Launch Methods:**
@@ -189,14 +189,15 @@ chmod +x run.sh && ./run.sh
     ```
   - 或启动前直接编辑 `config.yaml` 文件
 2. **登录系统** - 使用控制台显示的自动生成密码（或在 `config.yaml` 中设置 `auth.password`）
-3. **安装安全工具（可选）** - 按需安装所需工具：
+3. **安装安全工具（可选）** - 一键安装 `tools/` 目录声明的全部工具：
   ```bash
-   # macOS
-   brew install nmap sqlmap nuclei httpx gobuster feroxbuster subfinder amass
-   # Ubuntu/Debian
-   sudo apt-get install nmap sqlmap nuclei httpx gobuster feroxbuster
+   ./install-tools.sh              # 安装缺失工具 (Kali/Debian/Ubuntu 推荐)
+   ./install-tools.sh --check      # 仅检查, 不安装
+   ./install-tools.sh --list       # 列出各工具安装状态
+   ./install-tools.sh --only nmap,gau   # 只装指定工具
   ```
-   未安装的工具会自动跳过或改用替代方案。
+   macOS 自带 bash 3.2, 请用 `./install-tools.sh --install-bash --list` 自动安装 bash 4+; apt 不可用时会降级到 pip/go/GitHub。
+   未安装的工具在执行时会自动跳过或改用替代方案。

 **其他启动方式：**
 ```bash
@@ -10,7 +10,7 @@
 # ============================================

 # 前端显示的版本号（可选，不填则显示默认版本）
-version: "v1.6.32"
+version: "v1.6.33"
 # 服务器配置
 server:
  host: 0.0.0.0 # 监听地址，0.0.0.0 表示监听所有网络接口
@@ -39,9 +39,9 @@ parameters:
    default: true
  - name: "form_extraction"
    type: "bool"
-    description: "启用表单提取"
+    description: "启用表单提取（-fx / -form-extraction）"
    required: false
-    flag: "-forms"
+    flag: "-fx"
    format: "flag"
    default: true
  - name: "additional_args"
@@ -50,10 +50,10 @@ parameters:
      额外的Katana参数。用于传递未在参数列表中定义的Katana选项。

      **示例值：**
-      - "--headless": 使用无头浏览器
-      - "-f": 输出格式
-      - "-o output.txt": 输出到文件
-      - "-c": 并发数
+      - "-headless": 使用无头浏览器
+      - "-output-template '{{url}}'": 自定义输出格式
+      - "-output output.txt": 输出到文件
+      - "-c 20": 并发数

      **注意事项：**
      - 多个参数用空格分隔
@@ -68,9 +68,25 @@
        domPurifyHooksInstalled = true;
    }

+    /** 明显 Markdown 结构时，不应因零散 HTML 标签误判为整页 HTML */
+    function looksLikeMarkdown(src) {
+        const s = String(src);
+        return /^#{1,6}\s/m.test(s)
+            || /^\s*[-*+]\s/m.test(s)
+            || /^\s*\d+\.\s/m.test(s)
+            || /\*\*[^*\n]+\*\*/.test(s)
+            || /`[^`\n]+`/.test(s)
+            || /^```/m.test(s)
+            || /^\|.+\|/m.test(s)
+            || /^\s*>\s/m.test(s);
+    }
+
    /** 探测工具返回的整页 HTML，不宜当作富文本渲染 */
    function isHeavyRawHtml(src) {
        const s = String(src);
+        if (looksLikeMarkdown(s)) {
+            return false;
+        }
        if (/<!DOCTYPE\s+html/i.test(s) || /<\s*html\b/i.test(s)) {
            return true;
        }
@@ -81,6 +97,10 @@
        return tags != null && tags.length >= 8;
    }

+    function escapePlainTextAsHtml(text) {
+        return escapeHtmlLocal(text).replace(/\n/g, '<br>');
+    }
+
    function formatHtmlAsEscapedPre(text) {
        return '<pre class="tool-result sanitized-raw-html-fallback">' + escapeHtmlLocal(text) + '</pre>';
    }
@@ -115,6 +135,23 @@
     * @param {{ profile?: 'chat'|'timeline' }} [options]
     * @returns {string} 安全 HTML
     */
+    function buildRichHtmlFromSource(src) {
+        const hasHtmlTags = /<[a-z][\s\S]*>/i.test(src);
+        const preferMarkdown = typeof marked !== 'undefined'
+            && (looksLikeMarkdown(src) || !hasHtmlTags);
+
+        if (preferMarkdown) {
+            const parsed = parseMarkdownSrc(src);
+            if (parsed != null) {
+                return parsed;
+            }
+        }
+        if (hasHtmlTags) {
+            return src;
+        }
+        return escapePlainTextAsHtml(src);
+    }
+
    function formatMarkdownToHtml(text, options) {
        const profile = (options && options.profile === 'timeline') ? 'timeline' : 'chat';
        const src = normalizeSource(text);
@@ -124,24 +161,13 @@
        }

        if (typeof DOMPurify === 'undefined') {
-            return escapeHtmlLocal(src).replace(/\n/g, '<br>');
+            console.warn('DOMPurify 未加载，Markdown 已降级为纯文本渲染（已转义，防 XSS）');
+            return escapePlainTextAsHtml(src);
        }

        installDomPurifyHooks();
        const config = sanitizeConfigForProfile(profile);
-
-        let html;
-        const hasHtmlTags = /<[a-z][\s\S]*>/i.test(src);
-        if (typeof marked !== 'undefined' && !hasHtmlTags) {
-            const parsed = parseMarkdownSrc(src);
-            html = parsed != null ? parsed : escapeHtmlLocal(src).replace(/\n/g, '<br>');
-        } else if (hasHtmlTags) {
-            html = src;
-        } else {
-            html = escapeHtmlLocal(src).replace(/\n/g, '<br>');
-        }
-
-        return DOMPurify.sanitize(html, config);
+        return DOMPurify.sanitize(buildRichHtmlFromSource(src), config);
    }

    function sanitizeRichHtml(html, profile) {
@@ -171,6 +197,7 @@
        formatMarkdownToHtml: formatMarkdownToHtml,
        sanitizeRichHtml: sanitizeRichHtml,
        isHeavyRawHtml: isHeavyRawHtml,
+        looksLikeMarkdown: looksLikeMarkdown,
        escapeHtmlLocal: escapeHtmlLocal,
        stripSuspiciousImages: stripSuspiciousImages,
    };
@@ -3517,10 +3517,9 @@
        </div>
    </div>

-    <!-- Marked.js for Markdown parsing -->
-    <script src="https://cdn.jsdelivr.net/npm/marked@11.1.1/marked.min.js"></script>
-    <!-- DOMPurify for HTML sanitization to prevent XSS -->
-    <script src="https://cdn.jsdelivr.net/npm/dompurify@3.0.8/dist/purify.min.js"></script>
+    <!-- Marked.js + DOMPurify：本地 vendor，避免 CDN 不可用导致 Markdown 降级为纯文本 -->
+    <script src="/static/vendor/marked.min.js"></script>
+    <script src="/static/vendor/purify.min.js"></script>
    <script src="/static/js/sanitize-markdown.js"></script>
    <!-- Cytoscape.js for attack chain visualization -->
    <script src="https://cdn.jsdelivr.net/npm/cytoscape@3.27.0/dist/cytoscape.min.js"></script>
Author	SHA1	Message	Date
公明	3123a07c48	Update config.yaml	2026-06-09 14:03:09 +08:00
公明	7b3d35fabe	Add files via upload	2026-06-09 13:39:22 +08:00
公明	cb17d3a5c1	Add files via upload	2026-06-09 11:03:51 +08:00
公明	c2892ccd33	Add files via upload	2026-06-08 15:55:03 +08:00