From 7cf0dec8c121a6b40011ed237e53a843619d0e51 Mon Sep 17 00:00:00 2001
From: FuturMix
Date: Sun, 14 Jun 2026 12:03:20 +0800
Subject: [PATCH] fix: escape URL in href attribute and display text in url-link-converter
The convertUrlsToLinks function places matched URLs directly into HTML without escaping. While the regex excludes most HTML metacharacters, the & character can appear in query strings and should be escaped as & for valid HTML. Apply escapeHtml() to both the href attribute value and the display text for defense-in-depth.
Co-Authored-By: Claude Opus 4.6
---
 src/lib/utils/url-link-converter.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/lib/utils/url-link-converter.js b/src/lib/utils/url-link-converter.js
index 94cbe77e..1eba59ee 100644
--- a/src/lib/utils/url-link-converter.js
+++ b/src/lib/utils/url-link-converter.js
@@ -62,9 +62,10 @@ export function convertUrlsToLinks(text) {
 const beforeUrl = textWithPlaceholders.slice(lastIndex, match.index);
 result += escapeHtml(beforeUrl);
- // Add the URL as a clickable link
+ // Add the URL as a clickable link (escape in both href and display text)
 const url = match[0];
- result += `${url}`;
+ const escapedUrl = escapeHtml(url);
+ result += `${escapedUrl}`;
 lastIndex = httpsUrlRegex.lastIndex;
 }
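Review bot: The new `const escapedUrl = escapeHtml(url);` line is only as safe for the `href` attribute as `escapeHtml`'s handling of the quote character, and nothing in this hunk or the commit message pins that down — the message says the regex excludes "most" HTML metacharacters, which is an argument about the matcher rather than about the attribute context the value is written into. I would pin both halves with a regression test, for example (constructed input) asserting that `convertUrlsToLinks('https://example.test/?a=1&b=2')` emits `a=1&amp;b=2` in its output, and a second case checking that `httpsUrlRegex` stops before a `"` or `'` so a match can never terminate the attribute. It would also help future readers to say in the new comment why one escaped value serves both places, e.g. `// escapeHtml() output is safe as both an attribute value and element text`. The anchor markup appears to have been stripped from this rendering of the hunk, and convertUrlsToLinks's matching loop starts and ends outside it, so the regex definition itself is not visible here.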