test: add escapeHtml tests covering XSS vectors

Verify that HTML special characters and malicious tag payloads like
attribute-breaking injections are properly escaped.

Author: fengmk2

routes/index.ts

@@ -91,7 +91,7 @@ async function getRelease(tag: string | undefined): Promise<CachedRelease | null
   return kv.get<CachedRelease>(LATEST_STALE_KEY);
 }
 
-function escapeHtml(s: string): string {
+export function escapeHtml(s: string): string {
   return s
     .replace(/&/g, "&amp;")
     .replace(/"/g, "&quot;")

tests/index.test.ts

@@ -1,5 +1,5 @@
 import { describe, expect, it } from "vite-plus/test";
-import { buildReleaseFromTag, detectArch } from "../routes/index";
+import { buildReleaseFromTag, detectArch, escapeHtml } from "../routes/index";
 
 describe("detectArch", () => {
   it("defaults to x64 when no query param or user-agent", () => {
@@ -64,6 +64,26 @@ describe("detectArch", () => {
   });
 });
 
+describe("escapeHtml", () => {
+  it("escapes HTML special characters", () => {
+    expect(escapeHtml('<script>alert("xss")</script>')).toBe(
+      "&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;",
+    );
+  });
+
+  it("escapes ampersands", () => {
+    expect(escapeHtml("a&b")).toBe("a&amp;b");
+  });
+
+  it("escapes a malicious tag used in attribute context", () => {
+    const malicious = 'x"><img src=x onerror=alert(1)>';
+    const escaped = escapeHtml(malicious);
+    expect(escaped).not.toContain("<");
+    expect(escaped).not.toContain(">");
+    expect(escaped).not.toContain('"');
+  });
+});
+
 describe("buildReleaseFromTag", () => {
   it("constructs download URLs from a tag", () => {
     const result = buildReleaseFromTag("v0.1.17-alpha.0");