editor: escape html in twitter embed src (#9326)

Signed-off-by: 01zulfi <85733202+01zulfi@users.noreply.github.com>
2026-02-23 19:49:56 +01:00 · 2026-02-10 12:33:56 +05:00
parent d44792d132
commit e87f5e5f89
1 changed files with 7 additions and 1 deletions
--- a/packages/editor/src/extensions/embed/component.tsx
+++ b/packages/editor/src/extensions/embed/component.tsx
@@ -206,7 +206,13 @@ function isTwitterX(src: string) {

 function tweetToEmbed(src: string, isDarkTheme: boolean) {
  src = src.replaceAll("x.com", "twitter.com");
+
+  const anchor = document.createElement("a");
+  anchor.href = `${src}?ref_src=twsrc%5Etfw`;
+
  return `<blockquote class="twitter-tweet" data-dnt="true" ${
    isDarkTheme ? 'data-theme="dark"' : ""
-  }><p lang="en" dir="ltr"><a href="${src}?ref_src=twsrc%5Etfw"></a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script> `;
+  }><p lang="en" dir="ltr">${
+    anchor.outerHTML
+  }</p></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script> `;
 }