From 88b1df4ba4c1d79eb4193a4a1eb53b4d29d34318 Mon Sep 17 00:00:00 2001
From: Justin Beckwith <jbeckwith@openai.com>
Date: Mon, 13 Apr 2026 13:27:06 -0700
Subject: [PATCH] fix(promptfoo): decode Burp XML entities in safe order

---
 .../src/parsers/burp-entities.test.ts         | 23 +++++++++++++++++++
 plugins/promptfoo/src/parsers/burp.ts         |  4 ++--
 2 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 plugins/promptfoo/src/parsers/burp-entities.test.ts

diff --git a/plugins/promptfoo/src/parsers/burp-entities.test.ts b/plugins/promptfoo/src/parsers/burp-entities.test.ts
new file mode 100644
index 0000000..cb11249
--- /dev/null
+++ b/plugins/promptfoo/src/parsers/burp-entities.test.ts
@@ -0,0 +1,23 @@
+import { describe, expect, it } from 'vitest';
+
+import { parseBurpSingle } from './burp.js';
+
+describe('parseBurpSingle XML entity decoding', () => {
+  it('decodes ampersands after other entities', () => {
+    const parsed = parseBurpSingle(`
+      <items>
+        <item>
+          <url>https://example.com/search?note=&amp;quot;</url>
+          <host>example.com</host>
+          <port>443</port>
+          <protocol>https</protocol>
+          <method>GET</method>
+          <path>/search?note=&amp;quot;</path>
+          <request></request>
+        </item>
+      </items>
+    `);
+
+    expect(parsed.raw).toContain('note=&quot;');
+  });
+});
diff --git a/plugins/promptfoo/src/parsers/burp.ts b/plugins/promptfoo/src/parsers/burp.ts
index b3c9a27..96eaba2 100644
--- a/plugins/promptfoo/src/parsers/burp.ts
+++ b/plugins/promptfoo/src/parsers/burp.ts
@@ -122,9 +122,9 @@ function decodeXmlEntities(str: string): string {
   return str
     .replace(/&lt;/g, '<')
     .replace(/&gt;/g, '>')
-    .replace(/&amp;/g, '&')
     .replace(/&quot;/g, '"')
-    .replace(/&apos;/g, "'");
+    .replace(/&apos;/g, "'")
+    .replace(/&amp;/g, '&');
 }
 
 /**