chore: move out escapeHtml function to shared util, update imports

mikouaji · mikouaji · commit a4c2c93ed37c · 2026-02-16T18:39:07.000+01:00
diff --git a/server/utils/docs/render.ts b/server/utils/docs/render.ts
@@ -10,7 +10,8 @@ import type { DenoDocNode, JsDocTag } from '#shared/types/deno-doc'
 import { highlightCodeBlock } from '../shiki'
 import { formatParam, formatType, getNodeSignature } from './format'
 import { groupMergedByKind } from './processing'
-import { createSymbolId, escapeHtml, parseJsDocLinks, renderMarkdown } from './text'
+import { escapeHtml } from '#shared/utils/html'
+import { createSymbolId, parseJsDocLinks, renderMarkdown } from './text'
 import type { MergedSymbol, SymbolLookup } from './types'
 
 // =============================================================================
diff --git a/server/utils/docs/text.ts b/server/utils/docs/text.ts
@@ -9,6 +9,7 @@
 
 import { highlightCodeBlock } from '../shiki'
 import type { SymbolLookup } from './types'
+import { escapeHtml } from '#shared/utils/html'
 
 /**
  * Strip ANSI escape codes from text.
@@ -21,20 +22,6 @@ export function stripAnsi(text: string): string {
   return text.replace(ANSI_PATTERN, '')
 }
 
-/**
- * Escape HTML special characters.
- *
- * @internal Exported for testing
- */
-export function escapeHtml(text: string): string {
-  return text
-    .replace(/&/g, '&amp;')
-    .replace(/</g, '&lt;')
-    .replace(/>/g, '&gt;')
-    .replace(/"/g, '&quot;')
-    .replace(/'/g, '&#39;')
-}
-
 /**
  * Clean up symbol names by stripping esm.sh prefixes.
  *
diff --git a/shared/utils/html.ts b/shared/utils/html.ts
@@ -0,0 +1,12 @@
+/**
+ * Escape HTML special characters to prevent XSS and ensure safe embedding.
+ * Handles text content and attribute values (`&`, `<`, `>`, `"`, `'`).
+ */
+export function escapeHtml(text: string): string {
+  return text
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#39;')
+}
diff --git a/test/unit/server/utils/docs/text.spec.ts b/test/unit/server/utils/docs/text.spec.ts
@@ -1,11 +1,7 @@
 import { describe, expect, it } from 'vitest'
 import * as fc from 'fast-check'
-import {
-  escapeHtml,
-  parseJsDocLinks,
-  renderMarkdown,
-  stripAnsi,
-} from '../../../../../server/utils/docs/text'
+import { escapeHtml } from '#shared/utils/html'
+import { parseJsDocLinks, renderMarkdown, stripAnsi } from '../../../../../server/utils/docs/text'
 import type { SymbolLookup } from '../../../../../server/utils/docs/types'
 
 describe('stripAnsi', () => {
