From e515248c2040481490661870c67839c81eab3e2f Mon Sep 17 00:00:00 2001
From: Dimitrie Hoekstra
Date: Wed, 3 Sep 2025 12:02:27 +0200
Subject: [PATCH] Fix double-escaped HTML entities in package READMEs

Some package READMEs (e.g., node-red-opcua-x) were displaying HTML tags as literal text instead of rendering them. This was caused by HTML entities being stored in escaped form (<img> instead of ) in the database. The fix unescapes HTML entities before markdown processing to handle cases where HTML tags are stored as <img> instead of . This ensures already-escaped content from storage renders properly while maintaining security through DOMPurify sanitization.
---
 lib/utils.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/utils.js b/lib/utils.js
index 3482af9..ef041d6 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -96,7 +96,14 @@ function formatShortDate (d) {
 const csrfProtection = csrf({ cookie: true })
 async function renderMarkdown (src, opt) {
- const content = await marked.parse(src, { async: true, ...opt })
+ const unescapedSrc = src
+ .replace(/</g, '<')
+ .replace(/>/g, '>')
+ .replace(/"/g, '"')
+ .replace(/'/g, "'")
+ .replace(/&/g, '&')
+
+ const content = await marked.parse(unescapedSrc, { async: true, ...opt })
 return DOMPurify.sanitize(content)
 }
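Review bot: The entity replacement at the top of `renderMarkdown` runs on every README, not only on the ones stored double-escaped, so entities an author wrote on purpose to show a tag as literal text become live markup before `marked.parse`, and `DOMPurify.sanitize(content)` is then the single control between untrusted package text and the rendered page. The replace patterns appear entity-decoded in this rendering of the patch, so this assumes they match the escaped forms the description names, with the ampersand form handled last. I would record that dependency next to the chain, `// src is untrusted README text; after this unescape, DOMPurify.sanitize() below is the only XSS barrier`, and add a regression test that an entity-escaped tag carrying an event-handler attribute leaves `renderMarkdown` without that attribute. Decoding once where the README is stored, or only for records known to be double-escaped, would avoid altering content that was stored correctly.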