[Security] Potential XSS via unsanitized bot_name and bot_description in WebUI #810

@kbhujbal

Security: Potential XSS via unsanitized HTML in WebUI

Description

User-supplied bot_name and bot_description values are interpolated directly into raw HTML in qwen_agent/gui/gradio_utils.py (lines 75-79) without any escaping or sanitization:

<div class="bot_name">{bot_name}</div>
<div class="bot_desp">{bot_description}</div>

Reproduction

Create an agent with a malicious name:

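from qwen_agent.agents import Assistant
from qwen_agent.gui import WebUI

# llm_cfg is the deployment's existing LLM configuration (not shown in the issue).
bot = Assistant(
    llm=llm_cfg,
    name='<img src=x onerror="alert(document.cookie)">',
    description='<script>alert("XSS")</script>'
)
WebUI(bot).run()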

Open the Gradio UI — the injected HTML/JS will execute in the browser context.

Impact

- An attacker who controls agent configuration (e.g., via a shared config file, API input, or MCP server) can inject arbitrary JavaScript into the WebUI.
- This could lead to session hijacking, credential theft, or UI manipulation.
- Particularly relevant in multi-user or shared deployment scenarios.

Affected File

qwen_agent/gui/gradio_utils.py, lines 75-79

Severity

Medium — requires attacker control over agent configuration, but exploitation is trivial once that condition is met.
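
Added example (not part of the original issue and not Qwen-Agent code): the two template lines quoted above rendered with and without `html.escape`, plus a parser-based check usable as a regression test. The function names, the `TEMPLATE` constant and the audit helper are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Template shape copied from the two lines quoted in the issue; every name
# below is hypothetical and stands in for the project's real rendering code.
TEMPLATE = (
    '<div class="bot_name">{bot_name}</div>\n'
    '<div class="bot_desp">{bot_description}</div>'
)


def render_unsafe(bot_name: str, bot_description: str) -> str:
    """Behaviour described in the issue: values reach the markup verbatim."""
    return TEMPLATE.format(bot_name=bot_name, bot_description=bot_description)


def render_escaped(bot_name: str, bot_description: str) -> str:
    """Hardened form: escape &, <, > and both quote characters first."""
    return TEMPLATE.format(
        bot_name=html.escape(bot_name, quote=True),
        bot_description=html.escape(bot_description, quote=True),
    )


class _TagAudit(HTMLParser):
    """Collects every element and attribute name an HTML parser sees."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.attrs = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)


def unexpected_markup(rendered: str) -> list:
    """Return tags and attributes beyond the template's own <div class=...>."""
    audit = _TagAudit()
    audit.feed(rendered)
    audit.close()
    extra = [t for t in audit.tags if t != "div"]
    extra += [a for a in audit.attrs if a != "class"]
    return extra


# Inputs taken from the issue's reproduction.
NAME = '<img src=x onerror="alert(document.cookie)">'
DESC = '<script>alert("XSS")</script>'
```

`unexpected_markup` is a test-time check that the escaped output introduces no elements of its own; it is not a sanitizer and does not replace escaping at the point of interpolation.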
