From c02a4746f5dba85af38eb98342eb29d6c3c03484 Mon Sep 17 00:00:00 2001
From: Brent Cordis <994259+bcordis@users.noreply.github.com>
Date: Thu, 19 Mar 2026 07:28:57 -0500
Subject: [PATCH] Potential fix for code scanning alert no. 51: Double escaping or unescaping
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Brent Cordis <994259+bcordis@users.noreply.github.com>
---
 build/media_source/js/message-wizard.es6.js | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/build/media_source/js/message-wizard.es6.js b/build/media_source/js/message-wizard.es6.js
index 70654d2e8..d99931400 100644
--- a/build/media_source/js/message-wizard.es6.js
+++ b/build/media_source/js/message-wizard.es6.js
@@ -183,10 +183,16 @@ document.addEventListener('DOMContentLoaded', () => {
 // Strip HTML tags for preview using regex (no DOM parsing needed)
 let introPreview = introText.replace(/<[^>]*>/g, '');
- // Decode common HTML entities
- introPreview = introPreview.replace(/&/g, '&').replace(/</g, '<') .replace(/>/g, '>').replace(/"/g, '"').replace(/'/g, "'") .replace(/ /g, ' ');
+
+ // Decode HTML entities using DOM to avoid double-unescaping issues
+ const decodeHtml = (str) => {
+ const d = document.createElement('textarea');
+ d.innerHTML = str;
+
+ return d.value;
+ };
+
+ introPreview = decodeHtml(introPreview);
 introPreview = introPreview.substring(0, 200);
 const escHtml = (str) => {
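Review bot: The safety of decodeHtml rests entirely on the element being a textarea — its content is RCDATA, so `d.innerHTML = str` only resolves character references and never creates elements or runs script — but nothing in the hunk records that, and a maintainer who swaps it for a div to "decode properly" would turn this into an XSS sink; I would add above `const d = document.createElement('textarea');` the comment `// textarea is RCDATA: innerHTML here only decodes character references and never creates elements or runs script — do not replace with div/span`. Note also that decoding now happens after the tag-stripping regex on the previous line, so entity-encoded markup such as `&lt;script&gt;` comes out of decodeHtml as literal `<script>` text that the strip never saw; that is harmless only if introPreview reaches the DOM solely through escHtml or textContent, and escHtml's definition and the eventual insertion are outside this hunk, so that is worth confirming. Since decodeHtml depends only on `document`, it could be hoisted out of the DOMContentLoaded handler instead of being re-created on every run; the enclosing handler starts and ends outside the hunk.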