From fe42518489e917745a7eb84ada2f50d60fd18ee7 Mon Sep 17 00:00:00 2001
From: Chris Zuber
Date: Mon, 5 Jan 2026 17:11:23 -0800
Subject: [PATCH] Fix handling escaping arrays in trusted html
---
 CHANGELOG.md | 5 +++++
 package-lock.json | 4 ++--
 package.json | 2 +-
 trusted-html.js | 8 +++++++-
 trusted-html.test.js | 2 +-
 5 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8f843d5..b7d6a38 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+## [v1.0.4] - 2026-01-05
+
+### Fixed
+- Fix handling escaping arrays in trusted html
+
 ## [v1.0.3] - 2026-01-05
 ### Fixed
diff --git a/package-lock.json b/package-lock.json
index 88c9e4f..3c958d5 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@ { "name": "@aegisjsproject/escape", - "version": "1.0.3", + "version": "1.0.4", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "@aegisjsproject/escape", - "version": "1.0.3", + "version": "1.0.4", "funding": [ { "type": "librepay",
diff --git a/package.json b/package.json
index 9a59166..4c6d3d8 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@aegisjsproject/escape",
- "version": "1.0.3",
+ "version": "1.0.4",
 "description": "String escaping utilities for HTML and DOM attributes.",
 "keywords": [
 "security",
diff --git a/trusted-html.js b/trusted-html.js
index 69abf55..0a8992e 100644
--- a/trusted-html.js
+++ b/trusted-html.js
@@ -35,6 +35,12 @@ export function html(strings, ...values) {
 ? strings.map(input => isTrustedHTML(input) ? input : escapeHTML(input)).join('')
 : escapeHTML(strings));
 } else {
- return policy.createHTML(String.raw(strings, ...values.map(val => isTrustedHTML(val) ? val : escapeHTML(val))));
+ return policy.createHTML(String.raw(
+ strings,
+ ...values.map(val => Array.isArray(val)
+ ? val.flatMap(v => isTrustedHTML(v) ? v : escapeHTML(v)).join('')
+ : isTrustedHTML(val) ? val : escapeHTML(val)
+ )
+ ));
 }
 }
diff --git a/trusted-html.test.js b/trusted-html.test.js
index 1f9c11a..6e028e0 100644
--- a/trusted-html.test.js
+++ b/trusted-html.test.js
@@ -20,7 +20,7 @@ describe('Trusted HTML Policy (Node/Fallback Mode)', () => {
 const items = ['
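Review bot: The added array branch calls `flatMap` with a callback that returns a single value, so nothing is flattened and a nested array element still reaches `escapeHTML(v)` as a whole; what comes out then depends on `escapeHTML`, which is not visible here. If nested arrays should be supported, flatten before mapping, `? val.flat(Infinity).map(v => isTrustedHTML(v) ? v : escapeHTML(v)).join('')`; if not, plain `map` states the intent more honestly. Elements that pass `isTrustedHTML` are now emitted unescaped from inside arrays, so it is worth confirming that the fallback-mode check cannot be satisfied by a plain object built from parsed input, and adding a test with a mixed trusted/untrusted array next to the updated string-only case. The body of `html` starts above this hunk.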
', 'bold'];
 const result = html`Items: ${items}`;
- assert.strictEqual(result.toString(), 'Items: <br>,<b>bold</b>');
+ assert.strictEqual(result.toString(), 'Items: <br><b>bold</b>');
 });
 test('Security: enforces Double Escaping in fallback mode', () => {