From 806e9911c052f9e146ed5feb0324f8b2bbc8276e Mon Sep 17 00:00:00 2001
From: Dhruva Shaw <dhruvashaw@gmail.com>
Date: Mon, 16 Jun 2025 00:20:57 +0530
Subject: [PATCH] Potential fix for code scanning alert no. 12: DOM text
 reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Dhruva Shaw <dhruvashaw@gmail.com>
---
 assets/js/distillpub/template.v2.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/assets/js/distillpub/template.v2.js b/assets/js/distillpub/template.v2.js
index 33d23109..0ef994de 100644
--- a/assets/js/distillpub/template.v2.js
+++ b/assets/js/distillpub/template.v2.js
@@ -4669,7 +4669,13 @@ d-references {
       const title = el.textContent;
       const link = "#" + el.getAttribute("id");
 
-      let newLine = "<li>" + '<a href="' + link + '">' + title + "</a>" + "</li>";
+      const escapeHTML = (str) => str.replace(/[&<>"']/g, (char) => {
+        const escapeMap = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
+        return escapeMap[char];
+      });
+
+      const escapedTitle = escapeHTML(title);
+      let newLine = "<li>" + '<a href="' + link + '">' + escapedTitle + "</a>" + "</li>";
       if (el.tagName == "H3") {
         newLine = "<ul>" + newLine + "</ul>";
       } else {