From 82c06e5c9cee30dcf626e24a344d3bebbfd40110 Mon Sep 17 00:00:00 2001
From: Saurabh Kumar Bajpai
Date: Fri, 12 Jun 2026 19:10:12 +0530
Subject: [PATCH] fix: escape backticks in svg text

---
 lib/svg/generator.escapeXML.test.ts | 4 ++++
 lib/svg/generator.test.ts | 5 ++++-
 lib/svg/generator.ts | 3 ++-
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/lib/svg/generator.escapeXML.test.ts b/lib/svg/generator.escapeXML.test.ts
index 9161bb336..3e982d858 100644
--- a/lib/svg/generator.escapeXML.test.ts
+++ b/lib/svg/generator.escapeXML.test.ts
@@ -16,6 +16,10 @@ describe('escapeXML', () => {
     expect(escapeXML('hello world')).toBe('hello world');
   });
 
+  it('should escape backticks to prevent attribute breakout', () => {
+    expect(escapeXML('label=`alert(1)`')).toBe('label=`alert(1)`');
+  });
+
   it('should return an empty string unchanged', () => {
     expect(escapeXML('')).toBe('');
   });
diff --git a/lib/svg/generator.test.ts b/lib/svg/generator.test.ts
index 550a2a728..c9562f488 100644
--- a/lib/svg/generator.test.ts
+++ b/lib/svg/generator.test.ts
@@ -1529,9 +1529,12 @@ describe('escapeXML', () => {
   });
   it('leaves a safe string unchanged', () => {
-    const safe = 'Hello World 123!@#%^*()_+-=[]{}|;:,./?`~';
+    const safe = 'Hello World 123!@#%^*()_+-=[]{}|;:,./?~';
     expect(escapeXML(safe)).toBe(safe);
   });
+  it('escapes backticks in XML-sensitive strings', () => {
+    expect(escapeXML('onload=`alert(1)`')).toBe('onload=`alert(1)`');
+  });
   it('escapes script injection characters
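Review bot: In the added `it('should escape backticks to prevent attribute breakout', ...)` case of generator.escapeXML.test.ts, the `toBe` argument reads byte-identical to the input (`label=`alert(1)``), so as printed the assertion only passes if escapeXML leaves backticks untouched, which is the opposite of what the test name and the commit title claim. This is most likely a character reference such as `&#96;` that was decoded when the patch was rendered, but if the committed test really contains literal backticks on both sides it is vacuous and should spell the escaped form, e.g. `expect(escapeXML('label=`alert(1)`')).toBe('label=&#96;alert(1)&#96;');`. The same pattern appears in the generator.test.ts hunk (`onload=`alert(1)``), whose end lies outside this chunk, and that hunk otherwise duplicates this one, so one of the two cases could be dropped. Since a conforming XML parser only closes an attribute on the quote character that opened it, a one-line comment above the test stating the actual context being defended (the SVG text being embedded in an HTML page, where some legacy parsers accepted backtick-delimited attributes) would make the intent clearer than the phrase "attribute breakout".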