From 7ffd25a9a5721e5528eb7c99143d0f87a2ccf093 Mon Sep 17 00:00:00 2001
From: Aleksey Troynikov <atroynikov@yandex-team.ru>
Date: Mon, 4 May 2026 22:45:38 +0300
Subject: [PATCH] fix(renderHeadContent): add escaping for title tag content

---
 package-lock.json              | 15 +++++++++++++++
 package.json                   |  2 ++
 src/utils/renderHeadContent.ts |  4 +++-
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/package-lock.json b/package-lock.json
index 45538c2..50579ff 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -9,6 +9,7 @@
       "version": "2.4.0",
       "license": "MIT",
       "dependencies": {
+        "escape-html": "^1.0.3",
         "htmlescape": "^1.1.1"
       },
       "devDependencies": {
@@ -18,6 +19,7 @@
         "@gravity-ui/eslint-config": "^3.1.1",
         "@gravity-ui/prettier-config": "^1.1.0",
         "@gravity-ui/tsconfig": "^1.0.0",
+        "@types/escape-html": "^1.0.4",
         "@types/express": "^4.17.13",
         "@types/htmlescape": "^1.1.3",
         "@types/jest": "^29.5.11",
@@ -2027,6 +2029,13 @@
         "@types/node": "*"
       }
     },
+    "node_modules/@types/escape-html": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/@types/escape-html/-/escape-html-1.0.4.tgz",
+      "integrity": "sha512-qZ72SFTgUAZ5a7Tj6kf2SHLetiH5S6f8G5frB2SPQ3EyF02kxdyBFf4Tz4banE3xCgGnKgWLt//a6VuYHKYJTg==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/@types/express": {
       "version": "4.17.13",
       "resolved": "https://registry.npmjs.org/@types/express/-/express-4.17.13.tgz",
@@ -3616,6 +3625,12 @@
         "node": ">=6"
       }
     },
+    "node_modules/escape-html": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz",
+      "integrity": "sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow==",
+      "license": "MIT"
+    },
     "node_modules/escape-string-regexp": {
       "version": "1.0.5",
       "resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-1.0.5.tgz",
diff --git a/package.json b/package.json
index b8930d0..b6c4659 100644
--- a/package.json
+++ b/package.json
@@ -45,6 +45,7 @@
     "prepublishOnly": "npm run build"
   },
   "dependencies": {
+    "escape-html": "^1.0.3",
     "htmlescape": "^1.1.1"
   },
   "devDependencies": {
@@ -54,6 +55,7 @@
     "@gravity-ui/eslint-config": "^3.1.1",
     "@gravity-ui/prettier-config": "^1.1.0",
     "@gravity-ui/tsconfig": "^1.0.0",
+    "@types/escape-html": "^1.0.4",
     "@types/express": "^4.17.13",
     "@types/htmlescape": "^1.1.3",
     "@types/jest": "^29.5.11",
diff --git a/src/utils/renderHeadContent.ts b/src/utils/renderHeadContent.ts
index 1a7e342..7c8533c 100644
--- a/src/utils/renderHeadContent.ts
+++ b/src/utils/renderHeadContent.ts
@@ -1,3 +1,5 @@
+import escapeHTML from 'escape-html';
+
 import type {HeadContent} from '../types.js';
 
 export function renderHeadContent(content: HeadContent): string {
@@ -18,7 +20,7 @@ export function renderHeadContent(content: HeadContent): string {
     return `
         <meta charset="utf-8">
         ${baseAttrs ? `<base ${baseAttrs}>` : ''}
-        <title>${title}</title>
+        <title>${escapeHTML(title)}</title>
         ${[
             ...scripts.map(({src, crossOrigin}) =>
                 helpers.renderLink({href: src, crossOrigin, rel: 'preload', as: 'script'}),