fix: html escaping for console page

bajrangCoder · bajrangCoder · commit 02da1986aead · 2025-07-05T15:07:02.000+05:30
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -119,4 +119,4 @@
     "yargs": "^17.7.2"
   },
   "browserslist": "cover 100%,not android < 5"
-}
+}
diff --git a/src/lib/console.js b/src/lib/console.js
@@ -468,7 +468,7 @@ import loadPolyFill from "utils/polyfill";
 						);
 						break;
 					default:
-						$msg.innerHTML = arg;
+						$msg.textContent = arg;
 						break;
 				}
 			}
@@ -494,7 +494,7 @@ import loadPolyFill from "utils/polyfill";
 	 * @returns
 	 */
 	function format(args) {
-		if (args.length <= 1) return [escapeHTML(args[0])];
+		if (args.length <= 1) return [args[0]];
 
 		const originalArgs = [].concat(args);
 		const styles = [];
@@ -548,8 +548,10 @@ import loadPolyFill from "utils/polyfill";
 						break;
 				}
 			}
-			msg = msg.substring(0, pos) + escapeHTML(value) + msg.substring(pos + 2);
-			matched = matchRegex(msg);
+			// Only escape HTML for the %o/%O case where we're injecting actual HTML
+        const escapedValue = specifier === "%o" || specifier === "%O" ? value : escapeHTML(value);
+        msg = msg.substring(0, pos) + escapedValue + msg.substring(pos + 2);
+        matched = matchRegex(msg);
 		}
 
 		if (styles.length) {

Original file line number	Diff line number	Diff line change
`@@ -468,7 +468,7 @@ import loadPolyFill from "utils/polyfill";`
`468`	`468`	`);`
`469`	`469`	`break;`
`470`	`470`	`default:`
`471`		`- $msg.innerHTML = arg;`
	`471`	`+ $msg.textContent = arg;`
`472`	`472`	`break;`
`473`	`473`	`}`
`474`	`474`	`}`
`@@ -494,7 +494,7 @@ import loadPolyFill from "utils/polyfill";`
`494`	`494`	`* @returns`
`495`	`495`	`*/`
`496`	`496`	`function format(args) {`
`497`		`- if (args.length <= 1) return [escapeHTML(args[0])];`
	`497`	`+ if (args.length <= 1) return [args[0]];`
`498`	`498`
`499`	`499`	`const originalArgs = [].concat(args);`
`500`	`500`	`const styles = [];`
`@@ -548,8 +548,10 @@ import loadPolyFill from "utils/polyfill";`
`548`	`548`	`break;`
`549`	`549`	`}`
`550`	`550`	`}`
`551`		`- msg = msg.substring(0, pos) + escapeHTML(value) + msg.substring(pos + 2);`
`552`		`- matched = matchRegex(msg);`
	`551`	`+ // Only escape HTML for the %o/%O case where we're injecting actual HTML`
	`552`	`+ const escapedValue = specifier === "%o" \|\| specifier === "%O" ? value : escapeHTML(value);`
	`553`	`+ msg = msg.substring(0, pos) + escapedValue + msg.substring(pos + 2);`
	`554`	`+ matched = matchRegex(msg);`
`553`	`555`	`}`
`554`	`556`
`555`	`557`	`if (styles.length) {`