Fix double-unescaping in decodeEntities (CodeQL alert #32) (#1757)

Copilot · github-actions[bot] · aaronpowell · web-flow · commit 25f213ca53a0 · 2026-05-19T12:21:07.000+10:00
* chore: publish from staged * Initial plan * Fix double-unescaping in decodeEntities (alert #32) Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com> --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
diff --git a/skills/md-to-docx/scripts/md-to-docx.mjs b/skills/md-to-docx/scripts/md-to-docx.mjs
@@ -93,8 +93,9 @@ const tableBorders = {
 // --- Utility: decode HTML entities ---
 function decodeEntities(str) {
   return str
-    .replace(/&amp;/g, "&").replace(/&lt;/g, "<").replace(/&gt;/g, ">")
-    .replace(/&quot;/g, '"').replace(/&#39;/g, "'");
+    .replace(/&lt;/g, "<").replace(/&gt;/g, ">")
+    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
+    .replace(/&amp;/g, "&");
 }
 
 // --- Inline tokens to TextRun[] ---
