diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8f843d5..b7d6a38 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
+## [v1.0.4] - 2026-01-05
+
+### Fixed
+- Fix handling escaping arrays in trusted html
+
## [v1.0.3] - 2026-01-05
### Fixed
diff --git a/package-lock.json b/package-lock.json
index 88c9e4f..3c958d5 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
{
"name": "@aegisjsproject/escape",
- "version": "1.0.3",
+ "version": "1.0.4",
"lockfileVersion": 2,
"requires": true,
"packages": {
"": {
"name": "@aegisjsproject/escape",
- "version": "1.0.3",
+ "version": "1.0.4",
"funding": [
{
"type": "librepay",
diff --git a/package.json b/package.json
index 9a59166..4c6d3d8 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "@aegisjsproject/escape",
- "version": "1.0.3",
+ "version": "1.0.4",
"description": "String escaping utilities for HTML and DOM attributes.",
"keywords": [
"security",
diff --git a/trusted-html.js b/trusted-html.js
index 69abf55..0a8992e 100644
--- a/trusted-html.js
+++ b/trusted-html.js
@@ -35,6 +35,12 @@ export function html(strings, ...values) {
? strings.map(input => isTrustedHTML(input) ? input : escapeHTML(input)).join('')
: escapeHTML(strings));
} else {
- return policy.createHTML(String.raw(strings, ...values.map(val => isTrustedHTML(val) ? val : escapeHTML(val))));
+ return policy.createHTML(String.raw(
+ strings,
+ ...values.map(val => Array.isArray(val)
+ ? val.flatMap(v => isTrustedHTML(v) ? v : escapeHTML(v)).join('')
+ : isTrustedHTML(val) ? val : escapeHTML(val)
+ )
+ ));
}
}
diff --git a/trusted-html.test.js b/trusted-html.test.js
index 1f9c11a..6e028e0 100644
--- a/trusted-html.test.js
+++ b/trusted-html.test.js
@@ -20,7 +20,7 @@ describe('Trusted HTML Policy (Node/Fallback Mode)', () => {
const items = ['
', 'bold'];
const result = html`Items: ${items}`;
- assert.strictEqual(result.toString(), 'Items: <br>,<b>bold</b>');
+ assert.strictEqual(result.toString(), 'Items: <br><b>bold</b>');
});
test('Security: enforces Double Escaping in fallback mode', () => {