Fix: Decode HTML entities in style attributes #2518
Conversation
Fixes resend#1767 This commit resolves the issue where React's renderToStaticMarkup encodes quotes and ampersands in style attributes as HTML entities (" and &), which can break: - CSS font-family declarations with quoted font names - URLs with query parameters in style properties The fix adds a post-processing step that decodes these entities back to their original characters within style attributes only. Changes: - Added decodeStyleAttributes function to decode " and & in style attributes - Added tests to verify correct decoding of quotes and ampersands - All existing tests continue to pass
|
|
@iagocavalcante is attempting to deploy a commit to the resend Team on Vercel. A member of the Team first needs to authorize it. |
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
3 issues found across 2 files
Prompt for AI agents (all 3 issues)
Understand the root cause of the following 3 issues and fix them.
<file name="packages/render/src/render.ts">
<violation number="1" location="packages/render/src/render.ts:14">
Decoding HTML entities inside style="…" introduces raw quotes/ampersands, breaking the attribute and corrupting CSS/URLs.</violation>
</file>
<file name="packages/render/src/render.spec.tsx">
<violation number="1" location="packages/render/src/render.spec.tsx:30">
Style attributes wrapped in double quotes must keep inner quotes encoded; this assertion enforces decoding them, yielding invalid markup.</violation>
<violation number="2" location="packages/render/src/render.spec.tsx:54">
HTML attributes must encode ampersands as `&amp;`; this test insists on raw `&`, which makes the rendered HTML invalid.</violation>
</file>
Since this is your first cubic review, here's how it works:
- cubic automatically reviews your code and comments on bugs and improvements
- Teach cubic by replying to its comments. cubic learns from your replies and gets better over time
- Ask questions if you need clarification on any suggestion
React with 👍 or 👎 to teach cubic. Mention @cubic-dev-ai to give feedback, ask questions, or re-run the review.
packages/render/src/render.ts
Outdated
| // in attribute values, which can break CSS font-family declarations and URLs | ||
| return html.replace(/style="([^"]*)"/g, (match, styleContent) => { | ||
| const decoded = styleContent | ||
| .replace(/"/g, '"') |
There was a problem hiding this comment.
Decoding HTML entities inside style="…" introduces raw quotes/ampersands, breaking the attribute and corrupting CSS/URLs.
Prompt for AI agents
Address the following comment on packages/render/src/render.ts at line 14:
<comment>Decoding HTML entities inside style="…" introduces raw quotes/ampersands, breaking the attribute and corrupting CSS/URLs.</comment>
<file context>
@@ -5,11 +5,24 @@ interface Options {
+ // in attribute values, which can break CSS font-family declarations and URLs
+ return html.replace(/style="([^"]*)"/g, (match, styleContent) => {
+ const decoded = styleContent
+ .replace(/&quot;/g, '"')
+ .replace(/&amp;/g, '&');
+ return `style="${decoded}"`;
</file context>
✅ Addressed in ad14252
packages/render/src/render.spec.tsx
Outdated
| expect(html).not.toContain('&param'); | ||
|
|
||
| // Should contain actual ampersands in URLs | ||
| expect(html).toContain('param1=value1¶m2=value2'); |
There was a problem hiding this comment.
HTML attributes must encode ampersands as &; this test insists on raw &, which makes the rendered HTML invalid.
Prompt for AI agents
Address the following comment on packages/render/src/render.spec.tsx at line 54:
<comment>HTML attributes must encode ampersands as `&amp;`; this test insists on raw `&`, which makes the rendered HTML invalid.</comment>
<file context>
@@ -12,4 +12,45 @@ describe('render', () => {
+ expect(html).not.toContain('&amp;param');
+
+ // Should contain actual ampersands in URLs
+ expect(html).toContain('param1=value1&param2=value2');
+ });
});
</file context>
packages/render/src/render.spec.tsx
Outdated
| const html = render(component); | ||
|
|
||
| // Should not contain encoded quotes | ||
| expect(html).not.toContain('"'); |
There was a problem hiding this comment.
Style attributes wrapped in double quotes must keep inner quotes encoded; this assertion enforces decoding them, yielding invalid markup.
Prompt for AI agents
Address the following comment on packages/render/src/render.spec.tsx at line 30:
<comment>Style attributes wrapped in double quotes must keep inner quotes encoded; this assertion enforces decoding them, yielding invalid markup.</comment>
<file context>
@@ -12,4 +12,45 @@ describe('render', () => {
+ const html = render(component);
+
+ // Should not contain encoded quotes
+ expect(html).not.toContain('&quot;');
+
+ // Should contain actual quotes
</file context>
✅ Addressed in ad14252
|
After testing a bit more thoroughly I don't think it's an issue to have those entities in styles, even though some users said it is, I could not reproduce at all. The only situation guaranteed to have entities fail is in links, and it only breaks, as far as we know, on Azure's email service with click tracking enabled. Can you change things for that? |
Yes, I will do this change! |
|
Something like that , wdyt ? |
|
@iagocavalcante I think it'd be better to use https://www.npmjs.com/package/html-entities/v/2.5.6 and run it inside hrefs |
|
Seems like your branch is really outdated when compared to canary, can you update? |
Fixes #1767
This commit resolves the issue where React's renderToStaticMarkup encodes quotes and ampersands in style attributes as HTML entities (" and &), which can break:
The fix adds a post-processing step that decodes these entities back to their original characters within style attributes only.
Changes:
Summary by cubic
Decodes HTML entities in inline style attributes to prevent broken font-family quotes and URL query params after renderToStaticMarkup. Replaces " and & with real characters only inside style="...".