From e87f5e5f899f45df28d7c0f33f15e9178d1fbcb7 Mon Sep 17 00:00:00 2001
From: 01zulfi <85733202+01zulfi@users.noreply.github.com>
Date: Tue, 10 Feb 2026 12:33:56 +0500
Subject: [PATCH] editor: escape html in twitter embed src (#9326)

Signed-off-by: 01zulfi <85733202+01zulfi@users.noreply.github.com>
---
 packages/editor/src/extensions/embed/component.tsx | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/packages/editor/src/extensions/embed/component.tsx b/packages/editor/src/extensions/embed/component.tsx
index 999c570bf..4e22eaabb 100644
--- a/packages/editor/src/extensions/embed/component.tsx
+++ b/packages/editor/src/extensions/embed/component.tsx
@@ -206,7 +206,13 @@ function isTwitterX(src: string) {
 
 function tweetToEmbed(src: string, isDarkTheme: boolean) {
   src = src.replaceAll("x.com", "twitter.com");
+
+  const anchor = document.createElement("a");
+  anchor.href = `${src}?ref_src=twsrc%5Etfw`;
+
   return `<blockquote class="twitter-tweet" data-dnt="true" ${
     isDarkTheme ? 'data-theme="dark"' : ""
-  }><p lang="en" dir="ltr"><a href="${src}?ref_src=twsrc%5Etfw"></a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script> `;
+  }><p lang="en" dir="ltr">${
+    anchor.outerHTML
+  }</p></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script> `;
 }