From f03e5cfc32be2753a9601a689efcce673ec3b93b Mon Sep 17 00:00:00 2001
From: npt-1707
Date: Mon, 4 May 2026 08:31:57 +0800
Subject: [PATCH] bower_components/marked/lib/marked.js: added explicit matching for HTML entities to prevent XSS

---
 bower_components/marked/lib/marked.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/bower_components/marked/lib/marked.js b/bower_components/marked/lib/marked.js
index e2f08c99..4fb5d2b8 100644
--- a/bower_components/marked/lib/marked.js
+++ b/bower_components/marked/lib/marked.js
@@ -1083,7 +1083,8 @@ function escape(html, encode) {
 }
 
 function unescape(html) {
-  return html.replace(/&([#\w]+);/g, function(_, n) {
+  // explicitly match decimal, hex, and named HTML entities
+  return html.replace(/&(#(?:\d+)|(?:#x[0-9A-Fa-f]+)|(\w+))/g, function(_, n) {
     n = n.toLowerCase();
     if (n === 'colon') return ':';
     if (n.charAt(0) === '#') {
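Review bot: The new regex on the added `return html.replace(...)` line drops the trailing `;` that the removed pattern required, so `&amp;` is now matched as `&amp` and the semicolon is left behind in the output, and any bare `&word` in ordinary text (e.g. `&copy` without a terminator) is decoded as an entity where the old code left it alone. The hex alternative also only accepts lowercase `#x`, while the removed `[#\w]+` accepted `&#X41;` as well, so this narrows valid input rather than only tightening it. A closer equivalent that keeps the stated intent is `return html.replace(/&(#\d+|#[xX][0-9A-Fa-f]+|\w+);/g, function(_, n) {`; the inner `(\w+)` capture is unused since the callback only reads the outer group. Whether this change alone prevents the XSS named in the subject cannot be judged from this hunk, since unescape's body (the decimal/hex decoding after `n.charAt(0) === '#'`) continues outside it.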