[Bug]: CodeLine component uses dangerouslySetInnerHTML without HTML entity escaping — breaks display for JSX/typed code

[nyxsky404]

Short summary

modules/home/code-line.tsx uses dangerouslySetInnerHTML to inject syntax-highlighting <span> tags, but never escapes HTML special characters (<, >, &) in the input first. Any code line containing angle brackets (TypeScript generics, JSX, comparison operators) will render as broken or corrupted HTML. The component itself has an internal TODO comment acknowledging it should be replaced with a proper library.

Steps to reproduce

1. Open modules/home/hero-code.tsx
2. Add a line containing angle brackets to codeSnippet, for example:

const codeSnippet = `...
const elements: Array<string> = [];
const isSmaller = a < b;
return <div>Hello</div>;
`;

3. Run the dev server and visit the homepage (/)
4. Observe the "code demo" card

Expected behavior

The code lines should render as readable, syntax-highlighted text. Angle brackets and HTML-special characters should be displayed as literal characters.

Actual behavior

• Array<string> → the <string> part is parsed as an HTML element and disappears from the DOM
• a < b → < b opens a malformed HTML tag, corrupting everything that follows
• <div>Hello</div> → renders as a real DOM <div> inside the code block

The highlightCode function in code-line.tsx (lines 24–30) does string replacements that produce raw HTML, then passes the result directly to dangerouslySetInnerHTML without escaping entities first:

// modules/home/code-line.tsx:24-30
const highlightCode = (code: string) => {
    return code
        .replace(/import|from|export|.../g, '<span class="text-red-500...">$&</span>')
        .replace(/'[^']*'/g, '<span class="text-amber-600...">$&</span>')
        // ...  no HTML entity escaping anywhere
}

// line 21
return <span dangerouslySetInnerHTML={{ __html: highlightCode(highlighted) }} />;

The component even has a self-aware comment at lines 6-8:

// Note: This is a very simplistic implementation and should be replaced with a proper library like prismjs or shiki in production

Affected area

Other

Environment

All browsers, all OSes. Reproducible locally by editing hero-code.tsx to include any JSX or generic TypeScript in codeSnippet. The current hardcoded snippet happens to avoid angle brackets, which is why this hasn't surfaced yet — but it's a latent bug waiting to break the homepage.

Root cause:

// Should escape entities BEFORE injecting spans:
const escapeHtml = (str: string) =>
  str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");

const highlightCode = (code: string) => {
  const safe = escapeHtml(code);  // escape first
  return safe.replace(/import|from|.../g, '<span ...>$&</span>');
};

Better long-term fix (as the existing TODO suggests): replace the entire CodeLine component with shiki or prism-react-renderer, both of which handle escaping correctly and provide real language-aware tokenization.

Screenshots, logs, or recordings

Affected file: modules/home/code-line.tsx lines 24–39
Consumer: modules/home/hero-code.tsx lines 72–79

Confirmation

• I searched existing issues before opening this report.
• I included enough detail for reproduction.

[github-actions]

👋 Thanks for opening an issue, @nyxsky404!

Our maintainers will review this issue shortly 🚀

---

📘 Before Contributing

Please read the contribution guide carefully before requesting assignment:

👉 https://github.com/piyushdotcomm/Editron/blob/main/CONTRIBUTING.md

---

🏷️ NSoC'26 / GSSoC'26 Requirement

Please clearly mention whether you are contributing via:

• NSoC'26
• GSSoC'26
• or as a regular contributor

Example: I am contributing under GSSoC'26

⚠️ Assignment requests without this information may be rejected automatically.

---

⏳ GSSoC Assignment Restriction

GSSoC contributors will only be allowed to take issue assignments after:

🗓️ May 15th, 12:00 AM IST

Before that date, assignment requests from GSSoC contributors will be automatically blocked.

---

🤖 Assignment System

To request assignment, comment: /assign or assign me

The smart assignment workflow validates:

• contributor eligibility
• NSoC/GSSoC participation mention
• active issue assignment limits
• repository contribution rules

---

⚠️ Important Repository Rules

• Do not start working before assignment
• Maximum 3 active assigned issues per contributor
• Contributors are encouraged to combine related fixes into 1–2 quality PRs instead of many small PRs
• PRs without assignment may be closed
• Spam or low-quality PRs may be rejected

Happy contributing 🎉

[nyxsky404]

/assign gssoc

[github-actions]

✅ Assigned @nyxsky404

🏷️ Program: gssoc26

📌 You now have 1 active assignment(s).
Please work on meaningful contributions and avoid opening many tiny PRs.

🏷️ Auto-detected difficulty: level:intermediate. A maintainer may update this.

[narutamaaurum]

This issue is fixed in PR #481. The fix implements HTML entity escaping with a placeholder approach to preserve the span tags while properly escaping angle brackets, ampersands, and quotes in the input code before injecting via dangerouslySetInnerHTML.

[github-actions]

⚠️ Maintainer Ping Warning

Hi @narutamaaurum,

Please avoid repeatedly pinging maintainers for assignment, review, or merge requests.

Reviews and assignments are handled in queue order. Excessive pinging may lead to spam labeling and restrictions.

Recommended wait times:

• Assignment: 12–24 hours
• Review: 24–72 hours