Summary
In `src/lib/utils/url-link-converter.js`, the `convertUrlsToLinks` function places matched URLs directly into HTML anchor tags without escaping (line 67). While the URL regex excludes the `"`, `<` and `>` characters, `&` can appear in URL query strings (e.g. `https://example.com?a=1&b=2`) and is not escaped to `&amp;`, producing invalid HTML.
Impact
- URLs with `&` in query strings produce invalid HTML entities
- The `escapeHtml` function exists and is used for surrounding text, but is not applied to the URL itself: inconsistent defense
- If the regex is ever relaxed, this becomes a direct XSS vector
Fix
Apply `escapeHtml()` to the URL in both the `href` attribute and the display text.
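The pattern described above, as an added example that is not the project's own code: a minimal linkifier with the URL interpolated raw ("before") beside the fixed form that runs the URL through `escapeHtml` for both `href` and the display text ("after"), plus a small check for bare `&` in the output. The `URL_RE` regex and the `escapeHtml` implementation are assumptions that mirror the issue's description, not the file's actual code.

```javascript
// Added example (not src/lib/utils/url-link-converter.js itself).
// Assumed helper: escape the five HTML-significant characters.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Assumed URL regex: stops at whitespace and at ", <, > (as the issue says),
// but deliberately allows & so query strings match.
const URL_RE = /https?:\/\/[^\s"<>]+/g;

// Shared linkifier; `escapeUrl` toggles the one line the fix changes.
function linkify(text, escapeUrl) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    const url = m[0];
    // The fix: escape the matched URL, not only the text around it.
    const shown = escapeUrl ? escapeHtml(url) : url;
    out += escapeHtml(text.slice(last, m.index));
    out += `<a href="${shown}">${shown}</a>`;
    last = m.index + url.length;
  }
  return out + escapeHtml(text.slice(last));
}

// Before: surrounding text is escaped, the URL is not (the reported bug).
function convertUrlsToLinksBefore(text) {
  return linkify(text, false);
}

// After: escapeHtml applied to the URL in both href and display text.
function convertUrlsToLinks(text) {
  return linkify(text, true);
}

// Detection check for the symptom: any & that does not start an entity
// (named or numeric) is a bare ampersand, i.e. invalid HTML.
function hasBareAmpersand(html) {
  return /&(?!(?:amp|lt|gt|quot|#\d+);)/.test(html);
}

// Constructed sample input.
const SAMPLE = 'see https://example.com?a=1&b=2 now';
console.log(convertUrlsToLinksBefore(SAMPLE), hasBareAmpersand(convertUrlsToLinksBefore(SAMPLE)));
console.log(convertUrlsToLinks(SAMPLE), hasBareAmpersand(convertUrlsToLinks(SAMPLE)));
```

Running it shows the "before" output containing a raw `&b=2` inside the attribute and the "after" output containing `&amp;b=2` in both places; `hasBareAmpersand` flips from `true` to `false`. The same single change is what closes the future XSS path noted under Impact, because the escaped URL can no longer break out of the attribute or the element regardless of what the regex admits.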