
Fix: escape URLs in url-link-converter HTML output #100

Closed
FuturMix wants to merge 1 commit into profullstack:master from FuturMix:fix/url-link-converter-xss


Conversation

@FuturMix


Summary

Fixes #99

The convertUrlsToLinks function inserts matched URLs directly into HTML without escaping. URLs with & in query strings produce invalid HTML. This applies the existing escapeHtml() function to both the href attribute and display text.

Changes

  • src/lib/utils/url-link-converter.js: Pass URL through escapeHtml() before inserting into anchor tag

Test plan

  • Message containing https://example.com?a=1&b=2 renders as a valid clickable link
  • Message containing plain URLs still works correctly
  • Code blocks with URLs inside are still unaffected

🤖 Generated with Claude Code

The convertUrlsToLinks function places matched URLs directly into HTML
without escaping. While the regex excludes most HTML metacharacters,
the & character can appear in query strings and should be escaped as
&amp; for valid HTML. Apply escapeHtml() to both the href attribute
value and the display text for defense-in-depth.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ralyodio closed this Jun 14, 2026


Linked issue (merging this pull request may close it): Bug: URL not HTML-escaped in url-link-converter output
