
fix(Typography): text is rendered as HTML tags when ellipsis is enabled #4117

Open
RylanBot wants to merge 5 commits into develop from rylan/fix/text/truncate

RylanBot (Collaborator) commented Feb 3, 2026

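🤔 What is the nature of this PR?

  • Routine bug fix
  • New feature
  • Documentation improvement
  • Demo code improvement
  • Component style/interaction improvement
  • CI/CD improvement
  • Refactoring
  • Code style optimization
  • Test cases
  • Branch merge
  • Other

🔗 Related Issue

💡 Background and solution

📝 Changelog

  • This PR does not need to be included in the Changelog

tdesign-react

  • fix(Typography): fix strings being rendered as HTML tags when ellipsis is enabled

@tdesign-react/chat

☑️ Self-check list before requesting a merge

⚠️ Please self-check and tick all of the options ⚠️

  • Documentation has been added or is not needed
  • Code demo has been provided or is not needed
  • TypeScript definitions have been added or are not needed
  • Changelog has been provided or is not needed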

tdesign-bot (Collaborator) commented Feb 3, 2026

TDesign Component Site Preview Open

Component Preview
tdesign-react: done
@tdesign-react/chat: done

pkg-pr-new bot commented Feb 5, 2026

  • tdesign-react-demo

    npm i https://pkg.pr.new/Tencent/tdesign-react@4117
    
    npm i https://pkg.pr.new/Tencent/tdesign-react/@tdesign-react/chat@4117
    

commit: b130d8d

Copilot AI (Contributor) left a comment

Pull request overview

This PR attempts to fix a security issue where HTML strings passed as children to Typography components with ellipsis enabled were being rendered as actual HTML elements instead of plain text. The fix adds an escapeHtml function that escapes HTML entities before processing the content for truncation.

Changes:

  • Added escapeHtml method to sanitize HTML content before truncation processing
  • Modified innerText method to escape HTML from node.innerHTML before further processing
  • Addresses XSS vulnerability where user-provided HTML strings could be executed


RylanBot force-pushed the rylan/fix/text/truncate branch from 03cc928 to b130d8d on February 25, 2026 07:24
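
The review summary above describes escaping HTML entities before the content is processed for truncation. The following is an added example, not code from this PR or from tdesign-react: `escapeHtml` is a hypothetical implementation that only reuses the name mentioned in the review, and `truncateEscaped`, `safeEllipsisHtml` and the `'...'` suffix are assumptions. It shows the escaping step and one edge case it creates: cutting escaped text at a fixed length can split an entity such as `&amp;`, so the cut is moved back to the entity boundary.

```javascript
// Added example, not tdesign-react code. All names here are hypothetical.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change the HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Truncate text that was produced by escapeHtml() to at most `max` characters
// (suffix not counted) without cutting through an entity.
// Precondition: every '&' in `escaped` starts an entity that ends with ';'.
function truncateEscaped(escaped, max, suffix = '...') {
  if (escaped.length <= max) return escaped;
  let cut = escaped.slice(0, max);
  const amp = cut.lastIndexOf('&');
  // An '&' with no ';' after it means the slice ended inside an entity.
  if (amp !== -1 && cut.indexOf(';', amp) === -1) {
    cut = cut.slice(0, amp);
  }
  return cut + suffix;
}

// Escape first, then truncate: the result is safe to assign to innerHTML
// because it contains no raw '<' or '>' from the input.
function safeEllipsisHtml(text, max) {
  return truncateEscaped(escapeHtml(text), max);
}

// Constructed sample input: a string child that looks like markup.
const sample = '<b>R&D</b> notes';
console.log(escapeHtml(sample));
console.log(safeEllipsisHtml(sample, 12));
```

A naive `slice(0, 12)` on the escaped sample would end in `&a`, which a browser displays as literal stray characters; moving the cut back to the `&` avoids that.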