Fix handling escaping arrays in trusted html

CHANGELOG.md

@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v1.0.4] - 2026-01-05
+
+### Fixed
+- Fix handling escaping arrays in trusted html
+
 ## [v1.0.3] - 2026-01-05
 
 ### Fixed

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aegisjsproject/escape",
-  "version": "1.0.3",
+  "version": "1.0.4",
   "description": "String escaping utilities for HTML and DOM attributes.",
   "keywords": [
     "security",

trusted-html.js

@@ -35,6 +35,12 @@ export function html(strings, ...values) {
 			? strings.map(input => isTrustedHTML(input) ? input : escapeHTML(input)).join('')
 			: escapeHTML(strings));
 	} else {
-		return policy.createHTML(String.raw(strings, ...values.map(val => isTrustedHTML(val) ? val : escapeHTML(val))));
+		return policy.createHTML(String.raw(
+			strings,
+			...values.map(val => Array.isArray(val)
+				? val.flatMap(v => isTrustedHTML(v) ? v : escapeHTML(v)).join('')
+				: isTrustedHTML(val) ? val : escapeHTML(val)
+			)
+		));
 	}
 }

trusted-html.test.js

@@ -20,7 +20,7 @@ describe('Trusted HTML Policy (Node/Fallback Mode)', () => {
 		const items = ['<br>', '<b>bold</b>'];
 		const result = html`Items: ${items}`;
 
-		assert.strictEqual(result.toString(), 'Items: &lt;br&gt;,&lt;b&gt;bold&lt;/b&gt;');
+		assert.strictEqual(result.toString(), 'Items: &lt;br&gt;&lt;b&gt;bold&lt;/b&gt;');
 	});
 
 	test('Security: enforces Double Escaping in fallback mode', () => {