diff --git a/frontend/src/components/WorkspaceChat/ChatContainer/ChatHistory/Chartable/index.jsx b/frontend/src/components/WorkspaceChat/ChatContainer/ChatHistory/Chartable/index.jsx
index aab732c9..6fad5833 100644
--- a/frontend/src/components/WorkspaceChat/ChatContainer/ChatHistory/Chartable/index.jsx
+++ b/frontend/src/components/WorkspaceChat/ChatContainer/ChatHistory/Chartable/index.jsx
@@ -31,6 +31,7 @@ import CustomCell from "./CustomCell.jsx";
 import Tooltip from "./CustomTooltip.jsx";
 import { safeJsonParse } from "@/utils/request.js";
 import renderMarkdown from "@/utils/chat/markdown.js";
+import DOMPurify from "dompurify";
 import { memo, useCallback, useState } from "react";
 import { saveAs } from "file-saver";
 import { useGenerateImage } from "recharts-to-png";
@@ -394,7 +395,7 @@ export function Chartable({ props }) {
             <span
               className="flex flex-col gap-y-1 mt-2"
               dangerouslySetInnerHTML={{
-                __html: renderMarkdown(content.caption),
+                __html: DOMPurify.sanitize(renderMarkdown(content.caption)),
               }}
             />
           </div>
@@ -413,7 +414,7 @@ export function Chartable({ props }) {
         <span
           className="flex flex-col gap-y-1 mt-2"
           dangerouslySetInnerHTML={{
-            __html: renderMarkdown(content.caption),
+            __html: DOMPurify.sanitize(renderMarkdown(content.caption)),
           }}
         />
       </div>
diff --git a/frontend/src/utils/chat/markdown.js b/frontend/src/utils/chat/markdown.js
index f7affa18..f6748c80 100644
--- a/frontend/src/utils/chat/markdown.js
+++ b/frontend/src/utils/chat/markdown.js
@@ -63,7 +63,7 @@ markdown.renderer.rules.strong_close = () => "</strong>";
 markdown.renderer.rules.link_open = (tokens, idx) => {
   const token = tokens[idx];
   const href = token.attrs.find((attr) => attr[0] === "href");
-  return `<a href="${href[1]}" target="_blank" rel="noopener noreferrer">`;
+  return `<a href="${HTMLEncode(href[1])}" target="_blank" rel="noopener noreferrer">`;
 };
 
 // Custom renderer for responsive images rendered in markdown
@@ -73,7 +73,7 @@ markdown.renderer.rules.image = function (tokens, idx) {
   const src = token.attrs[srcIndex][1];
   const alt = token.content || "";
 
-  return `<div class="w-full max-w-[800px]"><img src="${src}" alt="${alt}" class="w-full h-auto" /></div>`;
+  return `<div class="w-full max-w-[800px]"><img src="${HTMLEncode(src)}" alt="${HTMLEncode(alt)}" class="w-full h-auto" /></div>`;
 };
 
 markdown.use(markdownItKatexPlugin);