From 271e2276729e51ca087e8a51eaeb0a3597c3deb6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=F0=9F=95=B7=EF=B8=8F?= <3756473+zendive@users.noreply.github.com>
Date: Mon, 3 Mar 2025 21:45:35 +0200
Subject: [PATCH] fix #383 XSS vulnerability in `HtmlFormatter::nodeBegin`
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 🕷️ <3756473+zendive@users.noreply.github.com>
---
 packages/jsondiffpatch/src/formatters/html.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/packages/jsondiffpatch/src/formatters/html.ts b/packages/jsondiffpatch/src/formatters/html.ts
index 36e4462e..5881761a 100644
--- a/packages/jsondiffpatch/src/formatters/html.ts
+++ b/packages/jsondiffpatch/src/formatters/html.ts
@@ -84,9 +84,10 @@ class HtmlFormatter extends BaseFormatter {
     const nodeClass = `jsondiffpatch-${type}${
       nodeType ? ` jsondiffpatch-child-node-type-${nodeType}` : ''
     }`;
+    const text = htmlEscape(String(leftKey));
     context.out(
-      `
  • ` + - `
    ${leftKey}
    `, + `
  • ` + + `
    ${text}
    `, ); }
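Review bot: Reusing the same `text` inside the double-quoted `data-key` attribute and as element text is only safe if `htmlEscape` (defined outside this hunk) encodes `"` as well as `&`, `<` and `>`; an escaper that stops at the three text-context characters would still let a key such as `" onmouseover="…` close the attribute, so confirm the helper before relying on this. A regression test that diffs objects whose keys contain `<img src=x onerror=alert(1)>` and `"><script>` and asserts the rendered output contains neither a raw `<` in the property-name div nor a raw `"` inside the `data-key` value would pin the fix. `nodeClass` is still interpolated unescaped into `class`; it appears to be built from the delta `type`/`nodeType` strings rather than user data, but a one-line comment such as `// nodeClass is built from delta type names, not user input` would spare the next auditor rechecking it. The enclosing `nodeBegin` method starts before the hunk, so the types of `leftKey`, `type` and `nodeType` are not visible here.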