From cf331eb3a6d006fb13acff5d3ce82c1eb5a09e15 Mon Sep 17 00:00:00 2001
From: Nolan Lawson
Date: Wed, 8 Jan 2025 15:55:52 -0800
Subject: [PATCH] chore(ssr): use `htmlEscape` consistently

---
 packages/@lwc/ssr-runtime/src/render.ts | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/packages/@lwc/ssr-runtime/src/render.ts b/packages/@lwc/ssr-runtime/src/render.ts
index 514bce7444..97916d3bac 100644
--- a/packages/@lwc/ssr-runtime/src/render.ts
+++ b/packages/@lwc/ssr-runtime/src/render.ts
@@ -4,15 +4,19 @@
 * SPDX-License-Identifier: MIT
 * For full license text, see the LICENSE file in the repo root or https://opensource.org/licenses/MIT
 */
-import { getOwnPropertyNames, isNull, isString, isUndefined, DEFAULT_SSR_MODE } from '@lwc/shared';
+import {
+ getOwnPropertyNames,
+ isNull,
+ isString,
+ isUndefined,
+ DEFAULT_SSR_MODE,
+ htmlEscape,
+} from '@lwc/shared';
 import { mutationTracker } from './mutation-tracker';
 import { SYMBOL__GENERATE_MARKUP } from './lightning-element';
 import type { LightningElement, LightningElementConstructor } from './lightning-element';
 import type { Attributes, Properties } from './types';

-const escapeAttrVal = (attrValue: string) =>
- attrValue.replaceAll('&', '&').replaceAll('"', '"');
-
 function renderAttrsPrivate(
 instance: LightningElement,
 attrs: Attributes,
@@ -58,7 +62,8 @@ function renderAttrsPrivate(
 }
 }

- result += attrValue === '' ? ` ${attrName}` : ` ${attrName}="${escapeAttrVal(attrValue)}"`;
+ result +=
+ attrValue === '' ? ` ${attrName}` : ` ${attrName}="${htmlEscape(attrValue, true)}"`;
 }

 // If we didn't render any `class` attribute, render one for the scope token(s)
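Review bot: In the second hunk only the attribute value is passed through `htmlEscape(attrValue, true)`, while `attrName` is still concatenated into the markup unchanged, so the output is well-formed only if every name reaching this line is already a valid attribute name. The hunk does not show where the keys of `attrs` are validated, and renderAttrsPrivate begins and ends outside it, so this may already be guaranteed upstream; if it is not, the name should be checked before the concatenation and anything containing whitespace, quotes, `=`, `<`, `>` or `/` rejected. The bare `true` is also opaque at the call site, and it appears to select an attribute mode whose escaping is only sufficient inside a double-quoted value; a comment such as `// attribute mode: the value is always emitted inside double quotes` would record that dependency. A unit test asserting that `&` and `"` in an attribute value come out entity-encoded would keep a later change to the shared helper from silently weakening this call site.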