fix(sanitize): preserve angle brackets inside code blocks and inline code #2408
Open
blackwell-systems wants to merge 1 commit into github:main from
Conversation
…code

bluemonday's StrictPolicy treats angle brackets inside markdown code blocks and inline code spans as HTML tags and strips them. This causes content like `mut_raw_ptr<int>` to become `mut_raw_ptr` when read through MCP issue/PR endpoints.

The fix protects angle brackets inside fenced code blocks (```) and inline code spans (`) with sentinels before HTML sanitization, then restores them after. Angle brackets outside code are still sanitized normally, preserving XSS protection.

Fixes github#2202

Signed-off-by: Dayna Blackwell <dayna@blackwell-systems.com>
Description
`bluemonday.StrictPolicy()` treats angle brackets inside markdown code blocks and inline code spans as HTML tags and strips them. This causes content like `mut_raw_ptr<int>` in issue/PR bodies to become `mut_raw_ptr` when read through MCP endpoints.

Before

Agent sees:

```
let ptr: mut_raw_ptr = raw_new int;
```

After

Agent sees:

```
let ptr: mut_raw_ptr<int> = raw_new int;
```

Root cause

`FilterHTMLTags` calls `bluemonday.Sanitize()` on the entire markdown body without distinguishing code from prose. Bluemonday treats `<int>`, `<T>`, `<String>`, etc. as unrecognized HTML tags and removes them.

Fix

Before HTML sanitization, replace `<` and `>` inside fenced code blocks (```) and inline code spans (`) with null-byte sentinels that bluemonday will not interpret as HTML. After sanitization, restore the sentinels to angle brackets.

This preserves XSS protection for angle brackets in prose (e.g. `<script>` is still stripped) while keeping angle brackets inside code intact.

Testing

Added 6 test cases covering:

Vec<String>)

Fixes #2202
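The protect, sanitize, restore pipeline described in the PR, as an added Go example that is not the PR's or the project's code. bluemonday is not imported: a regex tag stripper stands in for `StrictPolicy().Sanitize()` so the example runs offline, the sentinel strings and the code-span regex are this example's own choices (the PR says only "null-byte sentinels"), and the sample markdown body is constructed. The example also removes any sentinel already present in the input before protecting code, the check a sentinel-based scheme needs so that a sentinel smuggled inside untrusted prose cannot be turned into a real angle bracket by the restore step.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Sentinels chosen for this example (assumption; the PR describes null-byte
// sentinels without fixing their exact form). They contain no '<' or '>',
// so the sanitizer has nothing to treat as markup.
const (
	ltSentinel = "\x00LT\x00"
	gtSentinel = "\x00GT\x00"
)

// codeSpanRE matches a fenced code block (tried first, so ``` is not read as
// an inline span) or an inline code span. (?s) lets '.' cross newlines
// inside a fence.
var codeSpanRE = regexp.MustCompile("(?s)```.*?```|`[^`\n]*`")

// tagRE drives the stand-in sanitizer below. It is only a placeholder for
// bluemonday.StrictPolicy().Sanitize() so the example runs offline; it is
// NOT a safe HTML sanitizer.
var tagRE = regexp.MustCompile(`<[^>]*>`)

func stripTags(s string) string { return tagRE.ReplaceAllString(s, "") }

// protectCodeBrackets swaps < and > inside code for sentinels so the
// sanitizer does not see them as tags.
func protectCodeBrackets(md string) string {
	// Untrusted input may already contain the sentinel. If it did, the
	// restore step would turn it into a real bracket after sanitization,
	// bypassing the sanitizer. Remove such occurrences up front.
	md = strings.ReplaceAll(md, ltSentinel, "")
	md = strings.ReplaceAll(md, gtSentinel, "")
	return codeSpanRE.ReplaceAllStringFunc(md, func(code string) string {
		code = strings.ReplaceAll(code, "<", ltSentinel)
		return strings.ReplaceAll(code, ">", gtSentinel)
	})
}

// restoreCodeBrackets turns the sentinels back into angle brackets.
func restoreCodeBrackets(s string) string {
	s = strings.ReplaceAll(s, ltSentinel, "<")
	return strings.ReplaceAll(s, gtSentinel, ">")
}

// FilterHTMLTags is this example's version of the pipeline: protect code,
// sanitize the whole body, restore code.
func FilterHTMLTags(md string) string {
	return restoreCodeBrackets(stripTags(protectCodeBrackets(md)))
}

// sampleBody is constructed input mixing inline code, a script tag in prose
// and a fenced block containing a generic type.
const sampleBody = "Use `mut_raw_ptr<int>` here.\n" +
	"<script>alert(1)</script>\n" +
	"```rust\nlet v: Vec<String> = Vec::new();\n```\n"

func main() {
	// Prints the body with <script> stripped and both <int> and <String> kept.
	fmt.Print(FilterHTMLTags(sampleBody))
}
```

Running it prints the sample body with the `<script>` tags removed from the prose while `mut_raw_ptr<int>` and `Vec<String>` survive untouched; a body that arrives already containing the sentinel bytes loses them before protection, so it cannot be used to rebuild a tag after sanitization.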