fix: escape HTML in image, link, and media components#2718

Merged: Koooooo-7 merged 1 commit into develop from fix/xss on Apr 10, 2026


sy-records (Member) commented Apr 9, 2026

Summary

escape HTML in image, link, and media components to prevent XSS vulnerabilities

Related issue, if any:

What kind of change does this PR introduce?

  • Bugfix
  • Feature
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • Documentation content changes
  • Other (please describe):

For any code change,

  • Related documentation has been updated, if needed
  • Related tests have been added or updated, if needed

Does this PR introduce a breaking change?

  • Yes
  • No

Tested in the following browsers:

  • Chrome
  • Firefox
  • Safari
  • Edge

vercel bot commented Apr 9, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| docsify-preview | Ready | Preview, Comment | Apr 9, 2026 9:06am |

paulhibbitts (Member) commented

Thanks @sy-records, but I am not sure how to test this particular fix with codesandbox.

paulhibbitts (Member) commented Apr 9, 2026

Ok @sy-records, I've been able to get a few types of tests going on a non-codesandbox instance:
https://paulhibbitts.github.io/docsify-v5-escaping-html-media/#/

Using the RC-4 files, a red background is produced on all three pages due to injection issues. However, once the build is changed to the PR preview no injection issues are seen. Hope this is of help.

Koooooo-7 merged commit b8f7032 into develop on Apr 10, 2026
8 checks passed
Koooooo-7 deleted the fix/xss branch on April 10, 2026 03:27
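
The class of bug the PR title names, as an added example that is not docsify's code or part of this conversation: a renderer that builds image and link tags from markdown-supplied values, before and after escaping. All function names and the sample input are assumptions made for illustration.

```javascript
// Added illustration, not docsify's code; every name here is hypothetical.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that can close an attribute value or open a tag.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => ENTITIES[ch]);
}

// "Before": values taken from markdown are concatenated into the tag as-is.
function renderImageUnsafe(href, title, alt) {
  const titleAttr = title ? ` title="${title}"` : '';
  return `<img src="${href}" alt="${alt}"${titleAttr}>`;
}

// "After": each value is escaped at the point where it enters the markup.
function renderImageSafe(href, title, alt) {
  const titleAttr = title ? ` title="${escapeHtml(title)}"` : '';
  return `<img src="${escapeHtml(href)}" alt="${escapeHtml(alt)}"${titleAttr}>`;
}

// Link text is element content, so it needs the same treatment as attributes.
function renderLinkSafe(href, title, text) {
  const titleAttr = title ? ` title="${escapeHtml(title)}"` : '';
  return `<a href="${escapeHtml(href)}"${titleAttr}>${escapeHtml(text)}</a>`;
}

// Rough check for these samples: list attribute names that open a quoted value.
function attributeNames(tagHtml) {
  return [...tagHtml.matchAll(/\s([a-zA-Z-]+)="/g)].map(m => m[1]);
}

// Constructed input: alt text containing a double quote and a style attribute.
const SAMPLE_ALT = 'logo" style="background:red';

// The unescaped tag gains an attribute the author of the renderer never wrote.
console.log(attributeNames(renderImageUnsafe('x.png', '', SAMPLE_ALT)));
// The escaped tag keeps the whole string inside alt.
console.log(attributeNames(renderImageSafe('x.png', '', SAMPLE_ALT)));
```

Escaping only keeps a value inside its attribute or text node; it does not vet the URL scheme placed in `href` or `src`, which needs a separate allow-list check.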