fix(converter): escape XML entities in OPC attribute values on export (SD-2888)

[tupizz]

Summary

• Fix unescaped & in word/_rels/document.xml.rels that caused Word to show "unreadable content" on opening exported DOCX files. Linear: SD-2888
• Add a shared serializeOpcXml helper that escapes &, <, > in OPC attribute values so xml-js's js2xml round-trips entities correctly
• Route both reconcile-document-relationships and sync-package-metadata through it (closes the same latent bug for _rels/.rels and [Content_Types].xml)

Root cause

xml-js's xml2js decodes & → & in attribute values; js2xml does not re-escape on output. When reconcileDocumentRelationships rewrites word/_rels/document.xml.rels (e.g. to add the managed numbering relationship), every existing hyperlink Target containing & is emitted with a bare &, producing malformed XML. Word's repair-on-open then applies default fonts (Times New Roman → Aptos), table cell widths, and paragraph spacing, which look like unrelated regressions but are downstream effects of the same root cause.

The trick in the helper: xml-js calls attributeValueFn with the value after pre-escaping " to ". A naïve & → & would double-escape that token. The helper pivots " through a placeholder, escapes &/</>, then restores ".

Files changed

• new packages/super-editor/src/editors/v1/core/opc/xml-serialization.js (helper)
• new packages/super-editor/src/editors/v1/core/opc/xml-serialization.test.js (5 unit tests)
• reconcile-document-relationships.js — call site swap
• reconcile-document-relationships.test.js — 2 SD-2888 regression tests
• sync-package-metadata.js — call site swap

Test plan

• pnpm --filter super-editor test (all 12,367 tests pass; 7 new)
• OPC suite: npx vitest run src/editors/v1/core/opc (43/43 pass)
• End-to-end browser repro: upload SD-2888 input.docx → editor.exportDocx() → unzip → verify word/_rels/document.xml.rels contains &companyId (3×, matching rId8/9/10 in the bug) and zero bare &companyId
• Validate every XML file in the exported package (16 files) parses as well-formed
• Open the exported file in Microsoft Word and confirm no "unreadable content" repair prompt appears
• Confirm font (Times New Roman), table widths, and 1.0 line spacing are preserved when opening in Word

[linear]

SD-2888 BUG: Unescaped ampersand in DOCX export causes unreadable content

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[caio-pizzol]

hey @tupizz! good call centralizing this in serializeOpcXml :)

i pushed a behavior test that exercises the export path against a Word-authored fixture - catches the bare-& regression at the integration level (the unit tests cover the helper directly).

lgtm.

[superdoc-bot]

🎉 This PR is included in @superdoc-dev/mcp v0.3.0-next.63

The release is available on GitHub release

[superdoc-bot]

🎉 This PR is included in @superdoc-dev/react v1.2.0-next.105

The release is available on GitHub release

[superdoc-bot]

🎉 This PR is included in superdoc-cli v0.8.0-next.79

The release is available on GitHub release

[superdoc-bot]

🎉 This PR is included in vscode-ext v2.3.0-next.107

[superdoc-bot]

🎉 This PR is included in superdoc v1.30.0-next.61

The release is available on GitHub release

[superdoc-bot]

🎉 This PR is included in superdoc-sdk v1.8.0-next.61

[superdoc-bot]

🎉 This PR is included in superdoc-cli v0.9.0

The release is available on GitHub release

[superdoc-bot]

🎉 This PR is included in superdoc v1.32.0

The release is available on GitHub release

[superdoc-bot]

🎉 This PR is included in @superdoc-dev/mcp v0.4.0

The release is available on GitHub release

[superdoc-bot]

🎉 This PR is included in @superdoc-dev/react v1.3.0

The release is available on GitHub release

[superdoc-bot]

🎉 This PR is included in vscode-ext v2.4.0