From b4d2b7418d8c94fc0ba46874d86f2878a97c142e Mon Sep 17 00:00:00 2001
From: Ricardo
Date: Tue, 24 Feb 2026 14:20:55 +0100
Subject: [PATCH] fix: decode HTML entities in feed titles to prevent literal display

Feedparser passes through HTML entities (“, ’, etc.) as literal strings in item titles. Nunjucks auto-escaping then double-encodes them, causing entities to render literally in the reader UI. Apply sanitizeHtml with no allowed tags to decode entities in title fields across RSS/Atom, JSON Feed, and feed metadata normalizers.
---
 lib/feeds/normalizer.js | 16 ++++++++++++----
 package.json | 2 +-
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/lib/feeds/normalizer.js b/lib/feeds/normalizer.js
index 596bf74..ffd87e2 100644
--- a/lib/feeds/normalizer.js
+++ b/lib/feeds/normalizer.js
@@ -150,7 +150,9 @@ export function normalizeItem(item, feedUrl, feedType) {
 type: "entry",
 uid,
 url,
- name: item.title || undefined,
+ name: item.title
+ ? sanitizeHtml(item.title, { allowedTags: [] }).trim()
+ : undefined,
 published: toISOStringSafe(item.pubdate),
 updated: toISOStringSafe(item.date),
 _source: {
@@ -241,7 +243,9 @@ export function normalizeItem(item, feedUrl, feedType) {
 */
 export function normalizeFeedMeta(meta, feedUrl) {
 const normalized = {
- name: meta.title || feedUrl,
+ name: meta.title
+ ? sanitizeHtml(meta.title, { allowedTags: [] }).trim()
+ : feedUrl,
 };

 if (meta.description) {
@@ -303,7 +307,9 @@ export function normalizeJsonFeedItem(item, feedUrl) {
 type: "entry",
 uid,
 url,
- name: item.title || undefined,
+ name: item.title
+ ? sanitizeHtml(item.title, { allowedTags: [] }).trim()
+ : undefined,
 published: item.date_published
 ? new Date(item.date_published).toISOString()
 : undefined,
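Review bot: The value assigned to `name` in normalizeItem is still HTML-escaped text rather than plain text. As far as I know sanitize-html decodes named entities such as `&rsquo;` while parsing but re-escapes `&`, `<` and `>` when it serialises, so a title containing `&amp;` would come out as `&amp;` again and be encoded a second time by Nunjucks auto-escaping. The same expression is used in the normalizeFeedMeta, normalizeJsonFeedItem and normalizeJsonFeedMeta hunks. A test with constructed titles such as `Tom &amp; Jerry` and `1 &lt; 2` would settle it; if `name` is meant to be plain text, the remaining escapes need decoding after the tags are stripped, and the remedy should not be disabling auto-escaping in the template for a feed-controlled field. The sanitizeHtml import is not visible in these hunks, so this assumes the file already imports it.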
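Review bot: The `feedUrl` fallback in normalizeFeedMeta is decided before sanitising, so a title that is only markup or whitespace (truthy, but empty after tag stripping and `.trim()`) yields `name: ""` instead of the feed URL. Sanitise first and fall back on the result, e.g. `name: (meta.title && sanitizeHtml(meta.title, { allowedTags: [] }).trim()) || feedUrl,`. The same applies to normalizeJsonFeedMeta in the last normalizer.js hunk, and in the two item normalizers an empty string now takes the place of `undefined`. The function body continues outside the hunk.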
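Review bot: `item.title` in normalizeJsonFeedItem comes from JSON supplied by the remote feed, and the truthiness test lets any non-string value (object, array, `true`) through to sanitizeHtml. What the sanitiser does with such input is not under this code's control, and an exception here would presumably abort normalisation of the whole feed. Guard on the type instead, `name: typeof item.title === "string" ? sanitizeHtml(item.title, { allowedTags: [] }).trim() : undefined,`, and do the same for `feed.title` in normalizeJsonFeedMeta. The function begins and ends outside the hunk.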
@@ -400,7 +406,9 @@ export function normalizeJsonFeedItem(item, feedUrl) {
 */
 export function normalizeJsonFeedMeta(feed, feedUrl) {
 const normalized = {
- name: feed.title || feedUrl,
+ name: feed.title
+ ? sanitizeHtml(feed.title, { allowedTags: [] }).trim()
+ : feedUrl,
 };

 if (feed.description) {
diff --git a/package.json b/package.json
index 1a1fb9b..da64cd1 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@rmdes/indiekit-endpoint-microsub",
- "version": "1.0.33",
+ "version": "1.0.34",
 "description": "Microsub endpoint for Indiekit. Enables subscribing to feeds and reading content using the Microsub protocol.",
 "keywords": [
 "indiekit",