slackhq / csp-html-webpack-plugin

A plugin which, when combined with HTMLWebpackPlugin, adds CSP tags to the HTML output.
MIT License
164 stars 40 forks source link

Double encodes html entities (`&`, ` `, etc) #125

Open eamodio opened 3 weeks ago

eamodio commented 3 weeks ago

Description

Describe your issue here.

What type of issue is this? (place an x in one of the [ ])

Requirements (place an x in each of the [ ])


Bug Report

Filling out the following details about bugs will help us solve your issue sooner.

Reproducible in:

slackhq/csp-html-webpack-plugin version: v5.1.0

node version: v20.11.1

OS version(s): all

Seems to have broken sometime recently, I'm guessing it is related to https://github.com/slackhq/csp-html-webpack-plugin/pull/75

Steps to reproduce:

  1. Have html entities (&,  , etc) in your html template file

Expected result:

Observe html entities are unaffected

Actual result:

Observe that they get double encoded, & becomes &,   becomes  

Attachments:

OSS project: https://github.com/gitkraken/vscode-gitlens can see when the settings.html file gets built (https://github.com/gitkraken/vscode-gitlens/blob/e3795f8a80eb43b91b3c7736d7705c6316b921f7/webpack.config.mjs#L323)

nzaytsev commented 3 weeks ago

It looks like it's caused by wrong version of cheerio transitive dependency. Version 1.0.0 is fetched by default when run npm i | yarn | pnpm i, but ^1.0.0-rc.5 is required