Skip to content

Serializer / Deserializer does not properly handle span marks  #82

New issue
New issue
Open
Open
Serializer / Deserializer does not properly handle span marks #82
@brian-lou

Description

@brian-lou
brian-lou
opened on Sep 23, 2025

If you find a security vulnerability, do NOT open an issue. Email security@sanity.io instead.

Describe the bug

When using the serializer to serialize documents with marks, such as in-line lines, this information is not encoded into the HTML. Subsquently, the deserializer improperly parses the HTML & corrupts the mark information.

To Reproduce

Steps to reproduce the behavior:

  1. Use the serializer on some document with in-line links.
  2. View the serialized html. It will contain something like: <p id="94e9e54cb1ad">This is a link to another post: <a href="">Link</a></p>.
  3. Try to deserialize the html document. The final deserialized document will contain corrupted markDefs.

Expected behavior

The serialized HTML should contain information about the marks, and deserializing the HTML should yield valid markDefs .

Screenshots
If applicable, add screenshots to help explain your problem.

Which versions of Sanity are you using?

@sanity/cli (global) 4.9.0 (up to date)
@sanity/assist 4.4.8 (latest: 5.0.0)
@sanity/code-input 5.2.1 (latest: 6.0.1)
@sanity/document-internationalization 4.0.0 (up to date)
@sanity/eslint-config-studio 5.0.2 (up to date)
@sanity/icons 3.7.4 (up to date)
@sanity/table 1.1.4 (latest: 2.0.0)
@sanity/vision 3.99.0 (latest: 4.9.0)
sanity 3.99.0 (latest: 4.9.0)

What operating system are you using? Macos

Which versions of Node.js / npm are you running?

24.6.0

Additional context

Add any other context about the problem here.

Security issue?

Any security issues should be submitted directly to security@sanity.io. In order to determine whether you are dealing with a security issue, ask yourself these two questions:

  • Can I access something that's not mine, or something I shouldn't have access to?
  • Can I disable something for other people? If the answer to either of those two questions are "yes", then you're probably dealing with a security issue. Note that even if you answer "no" to both questions, you may still be dealing with a security issue, so if you're unsure, just email us at [security@sanity.io](mailto:security@sanity.io.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions