fix: use named HTML entities for attribute escaping

.changeset/silly-schools-dig.md

@@ -0,0 +1,5 @@
+---
+'astro': patch
+---
+
+Fixes `&` characters appearing as raw entity strings (e.g. `&#38;`) in `<meta>` tags when viewed in link previews or raw HTML.

packages/astro/src/runtime/server/render/util.ts

@@ -23,7 +23,7 @@ const toIdent = (k: string) =>
 
 export const toAttributeString = (value: any, shouldEscape = true) =>
 	shouldEscape
-		? String(value).replace(AMPERSAND_REGEX, '&').replace(DOUBLE_QUOTE_REGEX, '"')
+		? String(value).replace(AMPERSAND_REGEX, '&').replace(DOUBLE_QUOTE_REGEX, '"')
 		: value;
 
 const kebab = (k: string) =>

packages/astro/test/units/app/astro-attrs.test.ts

@@ -243,13 +243,13 @@ describe('Attributes', async () => {
 
 		// cheerio will unescape the values, so checking that the url rendered escaped has to be done manually
 		assert.equal(
-			html.includes('https://example.com/api/og?title=hello&description=somedescription'),
+			html.includes('https://example.com/api/og?title=hello&description=somedescription'),
 			true,
 		);
 
 		// cheerio will unescape the values, so checking that the url rendered unescaped to begin with has to be done manually
 		assert.equal(
-			html.includes('cmd: echo "foo" && echo "bar" > /tmp/hello.txt'),
+			html.includes('cmd: echo "foo" && echo "bar" > /tmp/hello.txt'),
 			true,
 		);
 

packages/astro/test/units/app/url-attribute-xss.test.ts

@@ -8,7 +8,7 @@ describe('addAttribute URL XSS', () => {
 		const result = String(addAttribute(maliciousUrl, 'href'));
 
 		// The " must be escaped so the value stays inside a single attribute
-		assert.ok(result.includes('"'), `double quotes should be escaped, got: ${result}`);
+		assert.ok(result.includes('"'), `double quotes should be escaped, got: ${result}`);
 		assert.match(
 			result,
 			/^\s+href="[^"]*"$/,
@@ -20,7 +20,7 @@ describe('addAttribute URL XSS', () => {
 		const url = 'https://example.com/?a=1&b=2&c=3';
 		const result = String(addAttribute(url, 'href'));
 
-		assert.ok(result.includes('&'), `ampersands should be escaped, got: ${result}`);
+		assert.ok(result.includes('&'), `ampersands should be escaped, got: ${result}`);
 		assert.match(
 			result,
 			/^\s+href="[^"]*"$/,

packages/astro/test/units/render/class-list-and-style.test.ts

@@ -115,7 +115,7 @@ describe('style object via addAttribute', () => {
 
 	it('handles url() with quotes in style object', () => {
 		const result = addAttribute({ backgroundImage: 'url("a")' }, 'style');
-		assert.equal(result.toString(), ' style="background-image:url("a")"');
+		assert.equal(result.toString(), ' style="background-image:url("a")"');
 	});
 
 	it('passes through string style values unchanged', () => {

packages/astro/test/units/render/html-primitives.test.ts

@@ -21,16 +21,16 @@ import {
 import { createTestApp, createPage } from '../mocks.ts';
 
 describe('toAttributeString', () => {
-	it('escapes & to &', () => {
-		assert.equal(toAttributeString('a&b'), 'a&b');
+	it('escapes & to &', () => {
+		assert.equal(toAttributeString('a&b'), 'a&b');
 	});
 
-	it('escapes " to "', () => {
-		assert.equal(toAttributeString('say "hello"'), 'say "hello"');
+	it('escapes " to "', () => {
+		assert.equal(toAttributeString('say "hello"'), 'say "hello"');
 	});
 
 	it('escapes both & and " in the same string', () => {
-		assert.equal(toAttributeString('"a&b"'), '"a&b"');
+		assert.equal(toAttributeString('"a&b"'), '"a&b"');
 	});
 
 	it('passes through normal strings unchanged', () => {