fix: strip HTML tags from plaintext search result descriptions (#1702)

Co-authored-by: Daniel Roe <daniel@roe.dev>

Author: serhalp

app/components/Compare/PackageSelector.vue

@@ -301,7 +301,7 @@ onClickOutside(containerRef, () => {
               v-if="result.description"
               class="text-xs text-fg-muted truncate mt-0.5 w-full block"
             >
-              {{ decodeHtmlEntities(result.description) }}
+              {{ stripHtmlTags(decodeHtmlEntities(result.description)) }}
             </span>
           </ButtonBase>
         </div>

app/components/Package/TableRow.vue

@@ -69,7 +69,7 @@ const allMaintainersText = computed(() => {
       v-if="isColumnVisible('description')"
       class="py-2 px-3 text-sm text-fg-muted max-w-xs truncate"
     >
-      {{ decodeHtmlEntities(pkg.description || '-') }}
+      {{ stripHtmlTags(decodeHtmlEntities(pkg.description || '-')) }}
     </td>
 
     <!-- Downloads -->

server/utils/readme.ts

@@ -3,7 +3,7 @@ import sanitizeHtml from 'sanitize-html'
 import { hasProtocol } from 'ufo'
 import type { ReadmeResponse, TocItem } from '#shared/types/readme'
 import { convertBlobOrFileToRawUrl, type RepositoryInfo } from '#shared/utils/git-providers'
-import { decodeHtmlEntities } from '#shared/utils/html'
+import { decodeHtmlEntities, stripHtmlTags } from '#shared/utils/html'
 import { convertToEmoji } from '#shared/utils/emoji'
 import { toProxiedImageUrl } from '#server/utils/image-proxy'
 
@@ -194,22 +194,6 @@ const ALLOWED_ATTR: Record<string, string[]> = {
   'p': ['align'],
 }
 
-/**
- * Strip all HTML tags from a string, looping until stable to prevent
- * incomplete sanitization from nested/interleaved tags
- * (e.g. `<scr<script>ipt>` → `<script>` after one pass).
- */
-function stripHtmlTags(text: string): string {
-  const tagPattern = /<[^>]*>/g
-  let result = text
-  let previous: string
-  do {
-    previous = result
-    result = result.replace(tagPattern, '')
-  } while (result !== previous)
-  return result
-}
-
 /**
  * Generate a GitHub-style slug from heading text.
  * - Convert to lowercase

shared/utils/html.ts

@@ -11,3 +11,19 @@ const htmlEntities: Record<string, string> = {
 export function decodeHtmlEntities(text: string): string {
   return text.replace(/&(?:amp|lt|gt|quot|apos|nbsp|#39);/g, match => htmlEntities[match] || match)
 }
+
+/**
+ * Strip all HTML tags from a string, looping until stable to prevent
+ * incomplete sanitization from nested/interleaved tags
+ * (e.g. `<scr<script>ipt>` → `<script>` after one pass).
+ */
+export function stripHtmlTags(text: string): string {
+  const tagPattern = /<[^>]*>/g
+  let result = text
+  let previous: string
+  do {
+    previous = result
+    result = result.replace(tagPattern, '')
+  } while (result !== previous)
+  return result
+}

test/unit/shared/utils/html.spec.ts

@@ -1,5 +1,5 @@
 import { describe, expect, it } from 'vitest'
-import { decodeHtmlEntities } from '../../../../shared/utils/html'
+import { decodeHtmlEntities, stripHtmlTags } from '../../../../shared/utils/html'
 
 describe('decodeHtmlEntities', () => {
   it.each([
@@ -26,3 +26,26 @@ describe('decodeHtmlEntities', () => {
     expect(decodeHtmlEntities('&unknown;')).toBe('&unknown;')
   })
 })
+
+describe('stripHtmlTags', () => {
+  it('removes simple HTML tags', () => {
+    expect(stripHtmlTags('<b>bold</b>')).toBe('bold')
+  })
+
+  it('removes anchor tags keeping text content', () => {
+    expect(stripHtmlTags('<a href="https://example.com">link</a>')).toBe('link')
+  })
+
+  it('removes self-closing tags', () => {
+    expect(stripHtmlTags('before<br/>after')).toBe('beforeafter')
+  })
+
+  it('leaves plain text unchanged', () => {
+    expect(stripHtmlTags('no tags here')).toBe('no tags here')
+  })
+
+  it('works with decodeHtmlEntities to clean descriptions', () => {
+    const raw = '&lt;a href=&quot;url&quot;&gt;link&lt;/a&gt; and text'
+    expect(stripHtmlTags(decodeHtmlEntities(raw))).toBe('link and text')
+  })
+})