From 8b856276bf20abcb694c68e438079092f81c3d4c Mon Sep 17 00:00:00 2001
From: Will Miao <willmiao.dev@gmail.com>
Date: Tue, 26 May 2026 21:55:44 +0800
Subject: [PATCH] fix(ui): escape HTML entities in parseMarkdown to prevent
 swallowed angle brackets

---
 static/js/managers/UpdateService.js | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/static/js/managers/UpdateService.js b/static/js/managers/UpdateService.js
index 674030c7..b1dfbcb6 100644
--- a/static/js/managers/UpdateService.js
+++ b/static/js/managers/UpdateService.js
@@ -731,9 +731,16 @@ export class UpdateService {
     }
     
     // Simple markdown parser for changelog items
+    // Simple markdown parser for changelog items
+    // Escape HTML entities first so angle brackets in content (e.g. `<lora:x>`)
+    // aren't swallowed by innerHTML's HTML parser as invalid tags
     parseMarkdown(text) {
         if (!text) return '';
         
+        text = text.replace(/&/g, '&amp;');
+        text = text.replace(/</g, '&lt;');
+        text = text.replace(/>/g, '&gt;');
+        
         // Handle bold text (**text**)
         text = text.replace(/\*\*(.*?)\*\*/g, '<strong>$1</strong>');