fix: escape HTML in image, link, and media components to prevent XSS vulnerabilities

sy-records · sy-records · commit fd795a2214e4 · 2026-04-09T12:10:57.000+08:00
diff --git a/src/core/render/compiler/image.js b/src/core/render/compiler/image.js
@@ -1,4 +1,4 @@
-import { getAndRemoveConfig } from '../utils.js';
+import { escapeHtml, getAndRemoveConfig } from '../utils.js';
 import { isAbsolutePath, getPath, getParentPath } from '../../router/util.js';
 
 export const imageCompiler = ({ renderer, contentBase, router }) =>
@@ -42,7 +42,7 @@ export const imageCompiler = ({ renderer, contentBase, router }) =>
       url = getPath(contentBase, getParentPath(router.getCurrentPath()), href);
     }
 
-    return /* html */ `<img src="${url}" data-origin="${href}" alt="${text}" ${attrs.join(
+    return /* html */ `<img src="${escapeHtml(url)}" data-origin="${escapeHtml(href)}" alt="${text}" ${attrs.join(
       ' ',
     )} />`;
   });
diff --git a/src/core/render/compiler/link.js b/src/core/render/compiler/link.js
@@ -1,4 +1,4 @@
-import { getAndRemoveConfig } from '../utils.js';
+import { escapeHtml, getAndRemoveConfig } from '../utils.js';
 import { isAbsolutePath } from '../../router/util.js';
 
 export const linkCompiler = ({
@@ -68,5 +68,5 @@ export const linkCompiler = ({
       attrs.push(`title="${title}"`);
     }
 
-    return /* html */ `<a href="${href}" ${attrs.join(' ')}>${text}</a>`;
+    return /* html */ `<a href="${escapeHtml(href)}" ${attrs.join(' ')}>${text}</a>`;
   });
diff --git a/src/core/render/compiler/media.js b/src/core/render/compiler/media.js
@@ -1,3 +1,5 @@
+import { escapeHtml } from '../utils';
+
 export const compileMedia = {
   markdown(url) {
     return {
@@ -11,19 +13,19 @@ export const compileMedia = {
   },
   iframe(url, title) {
     return {
-      html: `<iframe src="${url}" ${
+      html: `<iframe src="${escapeHtml(url)}" ${
         title || 'width=100% height=400'
       }></iframe>`,
     };
   },
   video(url, title) {
     return {
-      html: `<video src="${url}" ${title || 'controls'}>Not Supported</video>`,
+      html: `<video src="${escapeHtml(url)}" ${title || 'controls'}>Not Supported</video>`,
     };
   },
   audio(url, title) {
     return {
-      html: `<audio src="${url}" ${title || 'controls'}>Not Supported</audio>`,
+      html: `<audio src="${escapeHtml(url)}" ${title || 'controls'}>Not Supported</audio>`,
     };
   },
   code(url, title) {
