From d71b90aa826f4f4f45d0d9231027152fc793d4d5 Mon Sep 17 00:00:00 2001
From: Grzegorz <19194188+farce1@users.noreply.github.com>
Date: Fri, 10 Apr 2026 07:33:54 +0200
Subject: [PATCH] fix: sanitize FTS snippets before HTML rendering
---
 src/views/LibraryView.tsx | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/views/LibraryView.tsx b/src/views/LibraryView.tsx
index 10af803..65b97a1 100644
--- a/src/views/LibraryView.tsx
+++ b/src/views/LibraryView.tsx
@@ -14,8 +14,21 @@ import { useLibrary } from '../hooks/useLibrary';
 import { bulkExportZip, exportMeeting, type ExportFormat } from '../lib/export';
 import type { MeetingWithPreview, SortDirection, SortField, ViewMode } from '../types';
+function sanitizeSearchSnippetHtml(html: string): string {
+ const escaped = html
+ .replace(/&/g, '&')
+ .replace(//g, '>')
+ .replace(/"/g, '"')
+ .replace(/'/g, ''');
+
+ return escaped
+ .replace(/<mark>/g, '')
+ .replace(/<\/mark>/g, '');
+}
+
 function renderSearchSnippet(html: string): { __html: string } {
- return { __html: html };
+ return { __html: sanitizeSearchSnippetHtml(html) };
 }
 function SkeletonLine({ className }: { className: string }) {
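Review bot: The `<mark>` restoration at the end of sanitizeSearchSnippetHtml runs on the fully escaped string, so a literal `<mark>` present in a meeting's stored text is turned back into real markup as well — harmless for an attribute-less element, but it means stored content can forge or unbalance highlights, and the allow-list is only as exact as the token it matches. If, as the commit title suggests, the `<mark>`/`</mark>` pair is the start/end token handed to the FTS snippet call, a sentinel that user text cannot contain (a constructed example: `'\u0001'`/`'\u0002'`) would let the escaping stay total and the final replace map only those sentinels to `<mark>`; splitting on that sentinel and emitting `<mark>` elements directly would also let renderSearchSnippet stop returning `{ __html }` for dangerouslySetInnerHTML at all. The replacement literals appear here with their entities decoded (`'&'`, `'"'`, an empty `//` regex), which looks like a page-rendering artifact rather than the committed code — worth confirming the committed strings are `'&amp;'`, `'&lt;'`, `'&gt;'`, `'&quot;'` and `'&#39;'`, and that the final two regexes match the escaped form of the tags. A TSDoc block on sanitizeSearchSnippetHtml stating that the input is FTS snippet text in which only the `<mark>` pair is trusted, that every other character is HTML-escaped, and that the result is safe for innerHTML only under that assumption would make the contract explicit for the next caller.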