Shopify · cr7pt0gr4ph7 · Feb 22, 2024
diff --git a/lib/liquid/standardfilters.rb b/lib/liquid/standardfilters.rb
@@ -21,7 +21,7 @@ module StandardFilters
       '"' => '&quot;',
       "'" => '&#39;',
     }.freeze
-    HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+));)/
+    HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/
     STRIP_HTML_BLOCKS       = Regexp.union(
       %r{<script.*?</script>}m,
       /<!--.*?-->/m,

diff --git a/test/integration/standard_filter_test.rb b/test/integration/standard_filter_test.rb
@@ -168,6 +168,8 @@ def test_h
 
   def test_escape_once
     assert_equal('&lt;strong&gt;Hulk&lt;/strong&gt;', @filters.escape_once('&lt;strong&gt;Hulk</strong>'))
+    assert_equal("1 &lt;&gt;&amp;&quot;&#39; 2 &amp; 3", @filters.escape_once('1 <>&"\' 2 &amp; 3'))
+    assert_equal(" &#X27; &#x27; &#x03BB; &#X03bb; &quot; &#39; &lt; &gt; ", @filters.escape_once(" &#X27; &#x27; &#x03BB; &#X03bb; \" ' < > "))
   end
 
   def test_base64_encode