fix: dont escape ampersand twice in title

package.json

@@ -133,7 +133,6 @@
     "@rollup/plugin-replace": "^5.0.5",
     "@types/cross-spawn": "^6.0.6",
     "@types/debug": "^4.1.12",
-    "@types/escape-html": "^1.0.4",
     "@types/fs-extra": "^11.0.4",
     "@types/lodash.template": "^4.5.3",
     "@types/mark.js": "^8.11.12",
@@ -150,7 +149,6 @@
     "cross-spawn": "^7.0.3",
     "debug": "^4.3.4",
     "esbuild": "^0.21.3",
-    "escape-html": "^1.0.3",
     "execa": "^9.1.0",
     "fast-glob": "^3.3.2",
     "fs-extra": "^11.2.0",

src/client/app/utils.ts

@@ -13,7 +13,7 @@ import {
   type AsyncComponentLoader
 } from 'vue'
 
-export { inBrowser } from '../shared'
+export { inBrowser, escapeHtml as _escapeHtml } from '../shared'
 
 /**
  * Join two paths by resolving the slash collision.

src/client/index.ts

@@ -21,7 +21,8 @@ export {
   onContentUpdated,
   defineClientComponent,
   withBase,
-  getScrollOffset
+  getScrollOffset,
+  _escapeHtml
 } from './app/utils'
 
 // components

src/node/build/render.ts

@@ -1,13 +1,14 @@
 import { isBooleanAttr } from '@vue/shared'
-import escape from 'escape-html'
 import fs from 'fs-extra'
 import path from 'path'
 import { pathToFileURL } from 'url'
 import { normalizePath, transformWithEsbuild, type Rollup } from 'vite'
+import { version } from '../../../package.json'
 import type { SiteConfig } from '../config'
 import {
   EXTERNAL_URL_RE,
   createTitle,
+  escapeHtml,
   mergeHead,
   notFoundPageData,
   resolveSiteDataByRoute,
@@ -17,7 +18,6 @@ import {
   type PageData,
   type SSGContext
 } from '../shared'
-import { version } from '../../../package.json'
 
 export async function renderPage(
   render: (path: string) => Promise<SSGContext>,
@@ -163,7 +163,7 @@ export async function renderPage(
         ? ''
         : '<meta name="viewport" content="width=device-width,initial-scale=1">'
     }
-    <title>${escape(title)}</title>
+    <title>${escapeHtml(title)}</title>
     ${
       isDescriptionOverridden(head)
         ? ''
@@ -260,7 +260,7 @@ function renderAttrs(attrs: Record<string, string>): string {
   return Object.keys(attrs)
     .map((key) => {
       if (isBooleanAttr(key)) return ` ${key}`
-      return ` ${key}="${escape(attrs[key] as string)}"`
+      return ` ${key}="${escapeHtml(attrs[key] as string)}"`
     })
     .join('')
 }

src/node/markdown/plugins/restoreEntities.ts

@@ -1,6 +1,7 @@
 import type MarkdownIt from 'markdown-it'
 import type StateCore from 'markdown-it/lib/rules_core/state_core.mjs'
 import type Token from 'markdown-it/lib/token.mjs'
+import { escapeHtml } from '../../shared'
 
 export function restoreEntities(md: MarkdownIt): void {
   md.core.ruler.at('text_join', text_join)
@@ -47,7 +48,3 @@ function getContent(token: Token): string {
       ? '&'
       : token.content
 }
-
-function escapeHtml(str: string): string {
-  return str.replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;')
-}

src/shared/shared.ts

@@ -219,3 +219,14 @@ export function treatAsHtml(filename: string): boolean {
 export function escapeRegExp(str: string) {
   return str.replace(/[|\\{}()[\]^$+*?.]/g, '\\$&').replace(/-/g, '\\x2d')
 }
+
+/**
+ * @internal
+ */
+export function escapeHtml(str: string): string {
+  return str
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/&(?![\w#]+;)/g, '&amp;')
+}