`), but before the paragraph-wrapping stage.
+ - The same autolink pass is applied inside `inlineMd()` so URLs in list items, blockquotes, and table cells are linked too.
+ - Trailing punctuation (`.`, `,`, `;`, `:`, `!`, `?`, `)`) is stripped from the end of URLs to avoid linking sentence-ending characters.
+ - URLs are passed through `esc()` before placement in `href` and link text — no XSS risk.
+ - 7 new structural tests in `tests/test_issue342.py`; 809 tests total (up from 802)
+
## [v0.50.10] Title auto-generation fix + mobile close button (PR #333)
- **Session title now auto-generates for all default title values** (`'Untitled'`, `'New Chat'`, empty string): The condition in `api/streaming.py` that triggers `title_from()` previously only matched `'Untitled'`. It now also covers `'New Chat'` (used by some external clients/forks) and any empty/falsy title, so sessions started from those states get a proper auto-generated title after the first message.
diff --git a/static/ui.js b/static/ui.js
index 11a8ec5..a0caab0 100644
--- a/static/ui.js
+++ b/static/ui.js
@@ -331,6 +331,7 @@ function renderMd(raw){
t=t.replace(/\*([^*\n]+)\*/g,(_,x)=>`${esc(x)}`);
t=t.replace(/`([^`\n]+)`/g,(_,x)=>`${esc(x)}`);
t=t.replace(/\[([^\]]+)\]\((https?:\/\/[^\)]+)\)/g,(_,lb,u)=>`${esc(lb)}`);
+ t=t.replace(/(https?:\/\/[^\s<>"')\]]+)/g,(url)=>{const trail=url.match(/[.,;:!?)]$/)?url.slice(-1):'';const clean=trail?url.slice(0,-1):url;return `${esc(clean)}${trail}`;});
// Escape any plain text that isn't already wrapped in a tag we produced
// by escaping bare < > that aren't part of our own tags
const SAFE_INLINE=/^<\/?(strong|em|code|a)([\s>]|$)/i;
@@ -383,6 +384,13 @@ function renderMd(raw){
// (mermaid/pre-header). Everything else is untrusted input.
const SAFE_TAGS=/^<\/?(strong|em|code|pre|h[1-6]|ul|ol|li|table|thead|tbody|tr|th|td|hr|blockquote|p|br|a|div)([\s>]|$)/i;
s=s.replace(/<\/?[a-z][^>]*>/gi,tag=>SAFE_TAGS.test(tag)?tag:esc(tag));
+ // Autolink: convert plain URLs to clickable links (not inside existing tags, not in code)
+ s=s.replace(/(https?:\/\/[^\s<>"')\]]+)/g,(url)=>{
+ // Strip trailing punctuation that was likely not part of the URL
+ const trail=url.match(/[.,;:!?)]$/)?url.slice(-1):'';
+ const clean=trail?url.slice(0,-1):url;
+ return `${esc(clean)}${trail}`;
+ });
const parts=s.split(/\n{2,}/);
s=parts.map(p=>{p=p.trim();if(!p)return '';if(/^<(h[1-6]|ul|ol|pre|hr|blockquote)/.test(p))return p;return `${p.replace(/\n/g,'
')}
`;}).join('\n');
return s;
diff --git a/tests/test_issue342.py b/tests/test_issue342.py
new file mode 100644
index 0000000..d095c79
--- /dev/null
+++ b/tests/test_issue342.py
@@ -0,0 +1,115 @@
+"""
+Tests for GitHub issue #342: auto-link plain URLs in chat messages.
+
+These are structural tests that verify the fix is present in static/ui.js
+without requiring a running server or JavaScript engine.
+"""
+import os
+import re
+
+UI_JS = os.path.join(os.path.dirname(__file__), '..', 'static', 'ui.js')
+
+
+def read_ui_js():
+ with open(UI_JS, 'r') as f:
+ return f.read()
+
+
+def test_autolink_comment_present():
+ """The Autolink comment should be present in renderMd() to document the feature."""
+ content = read_ui_js()
+ assert 'Autolink: convert plain URLs' in content, (
+ "Expected 'Autolink: convert plain URLs' comment not found in static/ui.js. "
+ "Did the autolink pass get added?"
+ )
+
+
+def test_autolink_regex_in_rendermd():
+ """The autolink regex pattern (https?://) should appear in renderMd()."""
+ content = read_ui_js()
+ # Locate the renderMd function body
+ rendermd_start = content.find('function renderMd(raw){')
+ assert rendermd_start != -1, "renderMd function not found in ui.js"
+ # Find the closing brace after renderMd (look for the autolink pattern within it)
+ rendermd_body = content[rendermd_start:rendermd_start + 5000]
+ assert 'https?:\\/\\/' in rendermd_body, (
+ "Autolink regex (https?:\\/\\/) not found inside renderMd() body."
+ )
+
+
+def test_autolink_uses_esc_for_xss_safety():
+ """The autolink code must use esc() to escape URLs, preventing XSS."""
+ content = read_ui_js()
+ # Find the autolink section (between the SAFE_TAGS pass and paragraph wrap)
+ autolink_idx = content.find('// Autolink: convert plain URLs')
+ assert autolink_idx != -1, "Autolink comment not found in ui.js"
+ # Extract the autolink block (next ~300 chars after the comment)
+ autolink_block = content[autolink_idx:autolink_idx + 400]
+ assert 'esc(clean)' in autolink_block, (
+ "Autolink block should use esc(clean) for XSS-safe URL escaping, but it was not found."
+ )
+
+
+def test_autolink_in_inline_md():
+ """The autolink pass should also be present inside the inlineMd() helper."""
+ content = read_ui_js()
+ # Find inlineMd function
+ inline_start = content.find('function inlineMd(t){')
+ assert inline_start != -1, "inlineMd function not found in ui.js"
+ # Find closing brace of inlineMd by looking for 'return t;' followed by '}'
+ inline_end = content.find('return t;\n }', inline_start)
+ assert inline_end != -1, "Could not locate end of inlineMd function"
+ inline_body = content[inline_start:inline_end + 20]
+ assert 'https?:\\/\\/' in inline_body, (
+ "Autolink regex not found inside inlineMd() — plain URLs in list items "
+ "and blockquotes won't be autolinked."
+ )
+
+
+def test_autolink_after_safe_tags_pass():
+ """The autolink pass must come AFTER the SAFE_TAGS escape pass (ordering matters)."""
+ content = read_ui_js()
+ safe_tags_idx = content.find('s=s.replace(/<\\/?[a-z][^>]*>/gi,tag=>SAFE_TAGS.test(tag)?tag:esc(tag));')
+ autolink_idx = content.find('// Autolink: convert plain URLs')
+ parts_idx = content.find('const parts=s.split(/\\n{2,}/);')
+ assert safe_tags_idx != -1, "SAFE_TAGS pass not found"
+ assert autolink_idx != -1, "Autolink pass not found"
+ assert parts_idx != -1, "Paragraph-wrap parts line not found"
+ assert safe_tags_idx < autolink_idx < parts_idx, (
+ f"Ordering wrong: SAFE_TAGS at {safe_tags_idx}, autolink at {autolink_idx}, "
+ f"parts (paragraph wrap) at {parts_idx}. "
+ "Autolink must come between SAFE_TAGS pass and paragraph wrap."
+ )
+
+
+def test_autolink_target_blank_and_rel():
+ """Autolinked URLs should open in a new tab with rel=noopener for security."""
+ content = read_ui_js()
+ autolink_idx = content.find('// Autolink: convert plain URLs')
+ assert autolink_idx != -1, "Autolink comment not found"
+ autolink_block = content[autolink_idx:autolink_idx + 400]
+ assert 'target="_blank"' in autolink_block, (
+ "Autolinked URLs should have target=\"_blank\""
+ )
+ assert 'rel="noopener"' in autolink_block, (
+ "Autolinked URLs should have rel=\"noopener\" for security"
+ )
+
+
+def test_safe_tags_includes_anchor():
+ """SAFE_TAGS regex must include 'a' so tags from autolink are not escaped."""
+ content = read_ui_js()
+ # Find the SAFE_TAGS definition line — the pattern contains slashes so we
+ # search for the line directly rather than extracting the regex literal.
+ safe_tags_line = None
+ for line in content.splitlines():
+ if 'const SAFE_TAGS=' in line:
+ safe_tags_line = line
+ break
+ assert safe_tags_line is not None, "SAFE_TAGS const definition not found in ui.js"
+ # The pattern should include 'a' as a tag alternative (e.g. |a|)
+ assert '|a|' in safe_tags_line or '|a)' in safe_tags_line, (
+ f"SAFE_TAGS line does not include 'a' tag — "
+ " tags emitted by autolink would be escaped!\n"
+ f"Line: {safe_tags_line}"
+ )