fix(security): escape double quotes in esc() to prevent XSS (#3209)

OneStepAt4time · web-flow · commit 182c369f9859 · 2026-05-11T21:17:44.000+02:00
The esc() function in telegram-style.ts escaped &, <, > but not double quotes. When esc() output is interpolated into HTML attribute values (e.g. href="..."), unescaped quotes allow attribute injection (XSS). - Add .replace(/"/g, '&quot;') to esc() in telegram-style.ts - Mirror fix in test helper esc() functions - Add 2 new tests: double-quote escaping and combined HTML-special chars Closes #3209 CodeQL: security/code-scanning/142
diff --git a/src/__tests__/telegram-formatting.test.ts b/src/__tests__/telegram-formatting.test.ts
@@ -7,7 +7,7 @@ import { describe, it, expect } from 'vitest';
 // Test the formatting logic directly (these mirror the internal functions)
 
 function esc(text: string): string {
-  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
 }
 
 function truncate(text: string, maxLen: number): string {
@@ -164,6 +164,14 @@ describe('Telegram formatting (Issue #43)', () => {
     it('should handle empty string', () => {
       expect(esc('')).toBe('');
     });
+
+    it('should escape double quotes to prevent attribute injection', () => {
+      expect(esc('hello "world"')).toBe('hello &quot;world&quot;');
+    });
+
+    it('should escape all HTML-special characters together', () => {
+      expect(esc('<a href="x">&')).toBe('&lt;a href=&quot;x&quot;&gt;&amp;');
+    });
   });
 
   describe('Path shortening', () => {
diff --git a/src/__tests__/telegram-style.test.ts b/src/__tests__/telegram-style.test.ts
@@ -13,7 +13,7 @@ import { describe, it, expect } from 'vitest';
 
 // Re-implement formatting functions for testing (mirrors telegram.ts)
 function esc(text: string): string {
-  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
 }
 
 function truncate(text: string, maxLen: number): string {
diff --git a/src/channels/telegram-style.ts b/src/channels/telegram-style.ts
@@ -19,7 +19,8 @@ export function esc(text: string): string {
   return text
     .replace(/&/g, '&amp;')
     .replace(/</g, '&lt;')
-    .replace(/>/g, '&gt;');
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;');
 }
 
 export function bold(text: string): string {

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ import { describe, it, expect } from 'vitest';`
`13`	`13`
`14`	`14`	`// Re-implement formatting functions for testing (mirrors telegram.ts)`
`15`	`15`	`function esc(text: string): string {`
`16`		`- return text.replace(/&/g, '&').replace(/</g, '<').replace(/>/g, '>');`
	`16`	`+ return text.replace(/&/g, '&').replace(/</g, '<').replace(/>/g, '>').replace(/"/g, '"');`
`17`	`17`	`}`
`18`	`18`
`19`	`19`	`function truncate(text: string, maxLen: number): string {`
Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,8 @@ export function esc(text: string): string {`
`19`	`19`	`return text`
`20`	`20`	`.replace(/&/g, '&')`
`21`	`21`	`.replace(/</g, '<')`
`22`		`- .replace(/>/g, '>');`
	`22`	`+ .replace(/>/g, '>')`
	`23`	`+ .replace(/"/g, '"');`
`23`	`24`	`}`
`24`	`25`
`25`	`26`	`export function bold(text: string): string {`