Skip to content

fix: encode special characters in HTMLElement textContent setter#312

Open
spokodev wants to merge 1 commit into
taoqf:mainfrom
spokodev:fix/textcontent-encode-special-chars
Open

fix: encode special characters in HTMLElement textContent setter#312
spokodev wants to merge 1 commit into
taoqf:mainfrom
spokodev:fix/textcontent-encode-special-chars

Conversation

@spokodev

@spokodev spokodev commented Jul 8, 2026

Copy link
Copy Markdown

The HTMLElement.textContent setter stored the raw string in a text node without escaping, so special characters were re-interpreted as markup:

el.textContent = '<b>Tom & Jerry</b>';
el.innerHTML // '<b>Tom & Jerry</b>'  (expected the escaped text)

el.textContent = '<script>alert(1)</script>'; // re-parses into a real <script> element

The base Node.textContent setter already encodes the value (cb11eab); the HTMLElement override was missed. Encode the value before storing it.

The HTMLElement textContent setter stored the raw string in a TextNode
without escaping, so setting textContent to a value containing '<', '>'
or '&' produced markup that was re-interpreted as HTML on serialization
and re-parsing (e.g. textContent = '<script>...' yielded a real <script>
child). The base Node textContent setter already encodes via entities;
this aligns HTMLElement with that behavior.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant