Decode the small set of HTML entities that Markdown authors (and
upstream generators) occasionally pre-encode inside fenced mermaid
blocks, typically `&amp;` for `&` in political-group labels such as
S&D or Greens/EFA. Without this decode step, the subsequent
escapeHtml pass would re-escape `&amp;` to `&amp;amp;` and emit
`S&amp;amp;D` into the rendered HTML; the browser decodes that once
to `S&amp;D`, and the Mermaid client library then renders it
verbatim instead of as S&D.
Uses indexOf/split/join exclusively (no RegExp) to stay within
CodeQL's safe-regex envelope: there is no pattern for its ReDoS
queries to flag. Only the canonical entity forms are decoded;
anything more exotic (e.g. a numeric character reference for `&`)
is left alone, so a literal the author intended to keep encoded is
never accidentally swallowed.
Parameters
content: string
Raw fenced-block content (post-sanitizeMermaidQuadrantChart)
Returns string
Content with pre-encoded HTML entities normalised back to
their literal characters, ready for a single escapeHtml.
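The decode-then-escape pipeline described above, as an added example that is not the project's own code. The function names `decodeMermaidEntities`, `escapeHtml` and `renderMermaidBlock`, the entity table, and the sample mermaid snippet are all assumptions constructed for illustration; the project's real table may be smaller. The example also shows the two edge cases a practitioner would want covered: a numeric reference for `&` is left untouched (and therefore survives escaping as literal text), and a double-encoded `&amp;lt;` is unwrapped exactly one level, never all the way to `<`.

```typescript
// Added example, not code from the page or the project it documents.
// Names and the entity table below are assumptions.

// Canonical named forms only. `&amp;` is decoded LAST so that a
// double-encoded "&amp;lt;" becomes "&lt;" (one level), not "<".
const CANONICAL_ENTITIES: ReadonlyArray<readonly [string, string]> = [
  ["&lt;", "<"],
  ["&gt;", ">"],
  ["&quot;", '"'],
  ["&amp;", "&"],
];

// Decode pre-encoded canonical entities using indexOf/split/join only
// (no RegExp, so there is nothing for a ReDoS query to flag).
function decodeMermaidEntities(content: string): string {
  let out = content;
  for (const [entity, literal] of CANONICAL_ENTITIES) {
    if (out.indexOf(entity) === -1) continue; // cheap skip, no allocation
    out = out.split(entity).join(literal);
  }
  return out;
}

// Minimal escapeHtml in the same no-RegExp style. `&` goes first so the
// replacements introduced for <, >, " are not re-escaped.
function escapeHtml(s: string): string {
  return s
    .split("&").join("&amp;")
    .split("<").join("&lt;")
    .split(">").join("&gt;")
    .split('"').join("&quot;");
}

// Full pipeline for one fenced mermaid block: normalise, then escape once.
function renderMermaidBlock(content: string): string {
  return escapeHtml(decodeMermaidEntities(content));
}

// Constructed sample input: an author pre-encoded the ampersand in "S&D".
const SAMPLE_BLOCK = "graph LR\n  A[S&amp;D] --> B[Greens/EFA]";

// What escapeHtml alone would produce (the bug the decode step prevents):
//   A[S&amp;amp;D]  -> browser shows "S&amp;D" inside the diagram.
const WITHOUT_DECODE = escapeHtml(SAMPLE_BLOCK);

// With the decode step the HTML carries A[S&amp;D], which the browser
// decodes to "S&D" before Mermaid reads it.
const WITH_DECODE = renderMermaidBlock(SAMPLE_BLOCK);

// Exotic forms are left alone: a numeric reference survives decoding and is
// then escaped, so the reader sees the literal text "&#38;" the author wrote.
const NUMERIC_LEFT_ALONE = decodeMermaidEntities("A[S&#38;D]");

// Double encoding is unwrapped one level only.
const ONE_LEVEL = decodeMermaidEntities("&amp;lt;");

if (typeof require !== "undefined" && require.main === module) {
  console.log(WITHOUT_DECODE);
  console.log(WITH_DECODE);
  console.log(NUMERIC_LEFT_ALONE);
  console.log(ONE_LEVEL);
}
```

Decoding `&amp;` last is the design choice that keeps the step single-level: `&amp;lt;` does not contain the substring `&lt;` until after `&amp;` is replaced, so processing the named forms before `&amp;` guarantees nothing is decoded twice.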