From 68b70bce9a9c5ab6b9715ccd411bf80028a3798f Mon Sep 17 00:00:00 2001
From: phucnguyen1707 <phucnguyen17072001@gmail.com>
Date: Mon, 15 Jun 2026 10:25:59 +0700
Subject: [PATCH] Escape generated URL links

---
 src/lib/utils/url-link-converter.js      |  5 +++--
 src/lib/utils/url-link-converter.test.js | 12 ++++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)
 create mode 100644 src/lib/utils/url-link-converter.test.js

diff --git a/src/lib/utils/url-link-converter.js b/src/lib/utils/url-link-converter.js
index 94cbe77e..cff1cc1b 100644
--- a/src/lib/utils/url-link-converter.js
+++ b/src/lib/utils/url-link-converter.js
@@ -64,7 +64,8 @@ export function convertUrlsToLinks(text) {
 
 		// Add the URL as a clickable link
 		const url = match[0];
-		result += `<a href="${url}" target="_blank" rel="noopener noreferrer">${url}</a>`;
+		const escapedUrl = escapeHtml(url);
+		result += `<a href="${escapedUrl}" target="_blank" rel="noopener noreferrer">${escapedUrl}</a>`;
 
 		lastIndex = httpsUrlRegex.lastIndex;
 	}
@@ -91,4 +92,4 @@ export function convertUrlsToLinks(text) {
 	});
 
 	return result;
-}
\ No newline at end of file
+}
diff --git a/src/lib/utils/url-link-converter.test.js b/src/lib/utils/url-link-converter.test.js
new file mode 100644
index 00000000..158ef8b8
--- /dev/null
+++ b/src/lib/utils/url-link-converter.test.js
@@ -0,0 +1,12 @@
+import { describe, expect, it } from 'vitest';
+
+import { convertUrlsToLinks } from './url-link-converter.js';
+
+describe('convertUrlsToLinks', () => {
+	it('escapes ampersands inside linked URLs', () => {
+		const html = convertUrlsToLinks('See https://example.com/search?a=1&b=2');
+
+		expect(html).toContain('href="https://example.com/search?a=1&amp;b=2"');
+		expect(html).toContain('>https://example.com/search?a=1&amp;b=2</a>');
+	});
+});