feat: apply markdown rendering to HITL email, sanitize email subject and body (#32305)

This PR: 1. Fixes the bug that email body of `HumanInput` node are sent as-is, without markdown rendering or sanitization 2. Applies HTML sanitization to email subject and body 3. Removes `\r` and `\n` from email subject to prevent SMTP header injection Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Co-authored-by: QuantumGhost <obelisk.reg+git@gmail.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
2026-04-05 10:12:43 +08:00 · 2026-03-16 16:52:46 +08:00
parent 4822d550b6
commit 57d476d4e2
8 changed files with 229 additions and 9 deletions
--- a/api/pyproject.toml
+++ b/api/pyproject.toml
@@ -40,7 +40,7 @@ dependencies = [
    "numpy~=1.26.4",
    "openpyxl~=3.1.5",
    "opik~=1.10.37",
-    "litellm==1.82.2",                                  # Pinned to avoid madoka dependency issue
+    "litellm==1.82.2",                                    # Pinned to avoid madoka dependency issue
    "opentelemetry-api==1.28.0",
    "opentelemetry-distro==0.49b0",
    "opentelemetry-exporter-otlp==1.28.0",
@@ -91,6 +91,7 @@ dependencies = [
    "apscheduler>=3.11.0",
    "weave>=0.52.16",
    "fastopenapi[flask]>=0.7.0",
+    "bleach~=6.2.0",
 ]
 # Before adding new dependency, consider place it in
 # alphabet order (a-z) and suitable group.
@@ -251,10 +252,7 @@ ignore_errors = true

 [tool.pyrefly]
 project-includes = ["."]
-project-excludes = [
-    ".venv",
-    "migrations/",
-]
+project-excludes = [".venv", "migrations/"]
 python-platform = "linux"
 python-version = "3.11.0"
 infer-with-first-use = false