From 7757902c9e0b3285d516359b3cb602cd9d50d80e Mon Sep 17 00:00:00 2001
From: Joey Perrott <josephperrott.github@gmail.com>
Date: Thu, 3 Aug 2023 20:35:00 -0600
Subject: [PATCH] fix: prevent document parsing from decoding entities within
 HTML document (#133)

Decoding the entities within HTML content can lead to undoing escapes
---
 packages/critters/src/dom.js            |  2 +-
 packages/critters/test/critters.test.js | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/packages/critters/src/dom.js b/packages/critters/src/dom.js
index 84f6b01..905503e 100644
--- a/packages/critters/src/dom.js
+++ b/packages/critters/src/dom.js
@@ -53,7 +53,7 @@ function buildCache(container) {
  * @param {String} html   HTML to parse into a Document instance
  */
 export function createDocument(html) {
-  const document = /** @type {HTMLDocument} */ (parseDocument(html));
+  const document = /** @type {HTMLDocument} */ (parseDocument(html, {decodeEntities: false}));
 
   defineProperties(document, DocumentExtensions);
 
diff --git a/packages/critters/test/critters.test.js b/packages/critters/test/critters.test.js
index ee3af36..cfb51c6 100644
--- a/packages/critters/test/critters.test.js
+++ b/packages/critters/test/critters.test.js
@@ -95,4 +95,19 @@ describe('Critters', () => {
     expect(result).toMatch('<link rel="stylesheet" href="/style.css">');
     expect(result).toMatch('<title>$title</title>');
   });
+
+  test('Does not decode entities in HTML document', async () => {
+    const critters = new Critters({
+      path: '/'
+    });
+    critters.readFile = (filename) => assets[filename];
+    const result = await critters.process(trim`
+      <html>
+        <body>
+          &lt;h1&gt;Hello World!&lt;/h1&gt;
+        </body>
+      </html>
+    `);
+    expect(result).toMatch('&lt;h1&gt;Hello World!&lt;/h1&gt;');
+  });
 });