fix(scripts): escape quotes in fixture-generator XML attributes

[jedrazb]

Resolves five medium-severity CodeQL js/incomplete-html-attribute-sanitization alerts in the test-fixture generators (scripts/create-inline-checkbox-controls-fixture.mjs, scripts/generate-large-doc-comments-suggestions.ts).

Both interpolate values into double-quoted XML attributes (w:val, w:author) through escapers that only handled & < >, so a value containing a quote could break out of the attribute. The escapers now also encode " and '.

Output is unchanged for the current fixture data (the escaping is valid in both element-text and attribute contexts), and committed fixtures are not regenerated — verified both generators still produce valid DOCX. Dev-tooling only, no package impact (no changeset).

🤖 Generated with Claude Code

---

^{Need help on this PR? Tag /codesmith with what you need. Autofix is disabled.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docx-editor	Ready	Preview, Comment	Jun 20, 2026 9:37pm

[eigenpal-release-pal]

All contributors have signed the CLA ✍️ ✅

_{Posted by the CLA bot.}

[greptile-apps]

Greptile Summary

Hardens the XML escaping helpers in both fixture-generator scripts to encode " and ' in addition to & < >, closing CodeQL js/incomplete-html-attribute-sanitization alerts. These are dev-only DOCX generators with no package impact.

• esc() in create-inline-checkbox-controls-fixture.mjs and escapeXml() in generate-large-doc-comments-suggestions.ts now both encode double-quotes and single-quotes, preventing a crafted attribute value from breaking out of double-quoted XML attribute context (w:val=\"...\", w:author=\"...\").
• Escaping order is correct (& first), and both helpers are already applied to all the attribute interpolation sites targeted by CodeQL. Two minor inconsistencies remain: checkedValue/uncheckedValue in the checkbox helper and AUTHOR_INITIALS initials in the comments builder are not yet routed through the updated escaper.

Confidence Score: 4/5

Safe to merge — the core fix is correct and covers the CodeQL-flagged sinks; two leftover unescaped interpolations are minor and affect dev-only generators.

Both escape helpers are correctly updated and the escaping order (& first) is preserved. The only remaining gaps are checkedValue/uncheckedValue in the checkbox builder and the w:initials value in the comments builder, both currently hardcoded to safe literals. The fix is dev-tooling only with no production or package impact.

The checkbox() function in create-inline-checkbox-controls-fixture.mjs still has unescaped checkedValue/uncheckedValue attribute interpolation; worth aligning with the rest of the fix.

Important Files Changed

Filename	Overview
scripts/create-inline-checkbox-controls-fixture.mjs	Adds " → " and ' → ' to the esc() helper; correctly applies it to w:val attributes for tag/alias. The checkedValue/uncheckedValue string params are still interpolated into w14:val attributes unescaped.
scripts/generate-large-doc-comments-suggestions.ts	Extends escapeXml() with quote encoding and consistently applies it to w:author, w:val, and text content. Minor: w:initials attribute in buildCommentsXml() is still interpolated without escapeXml().

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Raw string value] --> B[replace ampersand to amp entity]
    B --> C[replace less-than to lt entity]
    C --> D[replace greater-than to gt entity]
    D --> E[replace double-quote to quot entity NEW]
    E --> F[replace single-quote to numeric entity NEW]
    F --> G[Safe for element text and double-quoted attribute values]

    subgraph mjs [create-inline-checkbox-controls-fixture.mjs]
        H[esc applied to tag and alias w:val attributes]
        I[checkedValue and uncheckedValue still raw in w14:val]
    end

    subgraph ts [generate-large-doc-comments-suggestions.ts]
        J[escapeXml applied to w:author w:val and text]
        K[AUTHOR_INITIALS still raw in w:initials]
    end

    G --> H
    G --> J

Loading

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
    A[Raw string value] --> B[replace ampersand to amp entity]
    B --> C[replace less-than to lt entity]
    C --> D[replace greater-than to gt entity]
    D --> E[replace double-quote to quot entity NEW]
    E --> F[replace single-quote to numeric entity NEW]
    F --> G[Safe for element text and double-quoted attribute values]

    subgraph mjs [create-inline-checkbox-controls-fixture.mjs]
        H[esc applied to tag and alias w:val attributes]
        I[checkedValue and uncheckedValue still raw in w14:val]
    end

    subgraph ts [generate-large-doc-comments-suggestions.ts]
        J[escapeXml applied to w:author w:val and text]
        K[AUTHOR_INITIALS still raw in w:initials]
    end

    G --> H
    G --> J

Loading

Comments Outside Diff (2)

1. scripts/create-inline-checkbox-controls-fixture.mjs, line 57-60 (link)

   Unescaped checkedValue/uncheckedValue attribute interpolation

   The PR adds " and ' escaping to esc(), but checkedValue and uncheckedValue are still interpolated into w14:val attributes on lines 59–60 without going through esc(). Both are string parameters (defaults '2612' / '2610'), so a caller passing e.g. checkedValue='">' would still break out of the attribute. All current callsites use safe hex literals, but the inconsistency undermines the intent of the fix.

2. scripts/generate-large-doc-comments-suggestions.ts, line 306-308 (link)

   The w:initials attribute interpolates AUTHOR_INITIALS[c.author] ?? '' directly without escapeXml(). While the lookup table is currently hardcoded to safe values, being consistent with the rest of the escaping in this function prevents a latent issue if the initials map is ever extended with externally-derived data.

   Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

_{Reviews (1): Last reviewed commit: "fix(scripts): escape quotes when buildin..." | Re-trigger Greptile}