From a5293b08d8dc755ec431b5c533413c356c89268c Mon Sep 17 00:00:00 2001
From: Dozie2001 <davidchidozie402@gmail.com>
Date: Sun, 15 Feb 2026 12:48:15 +0100
Subject: [PATCH] fix(markdown): prevent XSS by escaping HTML in markdow

---
 packages/font/src/font.tsx                    | 31 ++++++++++---------
 packages/markdown/src/markdown.spec.tsx       |  2 +-
 packages/markdown/src/markdown.tsx            | 19 +++++++++---
 .../utils/parse-css-in-js-to-inline-css.ts    |  2 +-
 4 files changed, 33 insertions(+), 21 deletions(-)

diff --git a/packages/font/src/font.tsx b/packages/font/src/font.tsx
index b45fbedea3..87079505f8 100644
--- a/packages/font/src/font.tsx
+++ b/packages/font/src/font.tsx
@@ -23,6 +23,10 @@ type FontFormat =
 type FontWeight = React.CSSProperties['fontWeight'];
 type FontStyle = React.CSSProperties['fontStyle'];
 
+function sanitizeCssValue(value: string): string {
+  return value.replace(/[';}{\\<>]/g, '');
+}
+
 export interface FontProps {
   /** The font you want to use. NOTE: Do not insert multiple fonts here, use fallbackFontFamily for that */
   fontFamily: string;
@@ -47,29 +51,28 @@ export const Font: React.FC<Readonly<FontProps>> = ({
   fontStyle = 'normal',
   fontWeight = 400,
 }) => {
+  const safeFontFamily = sanitizeCssValue(fontFamily);
+  const safeFontStyle = sanitizeCssValue(String(fontStyle));
+  const safeFontWeight = sanitizeCssValue(String(fontWeight));
+  const safeFallbacks = Array.isArray(fallbackFontFamily)
+    ? fallbackFontFamily.map(sanitizeCssValue)
+    : [sanitizeCssValue(fallbackFontFamily)];
+
   const src = webFont
-    ? `src: url(${webFont.url}) format('${webFont.format}');`
+    ? `src: url(${sanitizeCssValue(webFont.url)}) format('${sanitizeCssValue(webFont.format)}');`
     : '';
 
   const style = `
     @font-face {
-      font-family: '${fontFamily}';
-      font-style: ${fontStyle};
-      font-weight: ${fontWeight};
-      mso-font-alt: '${
-        Array.isArray(fallbackFontFamily)
-          ? fallbackFontFamily[0]
-          : fallbackFontFamily
-      }';
+      font-family: '${safeFontFamily}';
+      font-style: ${safeFontStyle};
+      font-weight: ${safeFontWeight};
+      mso-font-alt: '${safeFallbacks[0]}';
       ${src}
     }
 
     * {
-      font-family: '${fontFamily}', ${
-        Array.isArray(fallbackFontFamily)
-          ? fallbackFontFamily.join(', ')
-          : fallbackFontFamily
-      };
+      font-family: '${safeFontFamily}', ${safeFallbacks.join(', ')};
     }
   `;
   return <style dangerouslySetInnerHTML={{ __html: style }} />;
diff --git a/packages/markdown/src/markdown.spec.tsx b/packages/markdown/src/markdown.spec.tsx
index 20e4fc76c7..521466f1f1 100644
--- a/packages/markdown/src/markdown.spec.tsx
+++ b/packages/markdown/src/markdown.spec.tsx
@@ -116,7 +116,7 @@ console.log(\`Hello, $\{name}!\`);
       </Markdown>,
     );
     expect(actualOutput).toMatchInlineSnapshot(`
-      "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!--$--><div data-id="react-email-markdown"><p><strong style="font:700 23px / 32px &#x27;Roobert PRO&#x27;, system-ui, sans-serif;background:url(&#x27;path/to/image&#x27;)">This is sample bold text in markdown</strong> and <em style="font-style:italic">this is italic text</em></p>
+      "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!--$--><div data-id="react-email-markdown"><p><strong style="font:700 23px / 32px &quot;Roobert PRO&quot;, system-ui, sans-serif;background:url(&quot;path/to/image&quot;)">This is sample bold text in markdown</strong> and <em style="font-style:italic">this is italic text</em></p>
       </div><!--/$-->"
     `);
   });
diff --git a/packages/markdown/src/markdown.tsx b/packages/markdown/src/markdown.tsx
index 282e5556a1..dff79a1e3c 100644
--- a/packages/markdown/src/markdown.tsx
+++ b/packages/markdown/src/markdown.tsx
@@ -3,6 +3,15 @@ import * as React from 'react';
 import { type StylesType, styles } from './styles';
 import { parseCssInJsToInlineCss } from './utils/parse-css-in-js-to-inline-css';
 
+function escapeHtml(value: string): string {
+  return value
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#39;');
+}
+
 export type MarkdownProps = Readonly<{
   children: string;
   markdownCustomStyles?: StylesType;
@@ -37,7 +46,7 @@ export const Markdown = React.forwardRef<HTMLDivElement, MarkdownProps>(
 
     // TODO: Support all options
     renderer.code = ({ text }) => {
-      text = `${text.replace(/\n$/, '')}\n`;
+      text = `${escapeHtml(text).replace(/\n$/, '')}\n`;
 
       return `<pre${
         parseCssInJsToInlineCss(finalStyles.codeBlock) !== ''
@@ -97,8 +106,8 @@ export const Markdown = React.forwardRef<HTMLDivElement, MarkdownProps>(
     };
 
     renderer.image = ({ href, text, title }) => {
-      return `<img src="${href.replaceAll('"', '&quot;')}" alt="${text.replaceAll('"', '&quot;')}"${
-        title ? ` title="${title}"` : ''
+      return `<img src="${escapeHtml(href)}" alt="${escapeHtml(text)}"${
+        title ? ` title="${escapeHtml(title)}"` : ''
       }${
         parseCssInJsToInlineCss(finalStyles.image) !== ''
           ? ` style="${parseCssInJsToInlineCss(finalStyles.image)}"`
@@ -109,8 +118,8 @@ export const Markdown = React.forwardRef<HTMLDivElement, MarkdownProps>(
     renderer.link = ({ href, title, tokens }) => {
       const text = renderer.parser.parseInline(tokens);
 
-      return `<a href="${href}" target="_blank"${
-        title ? ` title="${title}"` : ''
+      return `<a href="${escapeHtml(href)}" target="_blank"${
+        title ? ` title="${escapeHtml(title)}"` : ''
       }${
         parseCssInJsToInlineCss(finalStyles.link) !== ''
           ? ` style="${parseCssInJsToInlineCss(finalStyles.link)}"`
diff --git a/packages/markdown/src/utils/parse-css-in-js-to-inline-css.ts b/packages/markdown/src/utils/parse-css-in-js-to-inline-css.ts
index e99d4bf97f..8bdaa5418f 100644
--- a/packages/markdown/src/utils/parse-css-in-js-to-inline-css.ts
+++ b/packages/markdown/src/utils/parse-css-in-js-to-inline-css.ts
@@ -4,7 +4,7 @@ function camelToKebabCase(str: string): string {
 
 function escapeQuotes(value: unknown) {
   if (typeof value === 'string' && value.includes('"')) {
-    return value.replace(/"/g, '&#x27;');
+    return value.replace(/"/g, '&quot;');
   }
   return value;
 }