fix: preserve HTML comments in MCP comment output by unescaping \! #1028
Open
shivama205 wants to merge 4 commits into anthropics:main from
Conversation
The MCP comment servers used sanitizeContent() (designed for input sanitization) on outgoing comment bodies, which stripped HTML comments entirely. Additionally, upstream escaping of ! to \! made <!-- markers render as visible <\!-- text in GitHub comments.

Add sanitizeOutputContent() for output paths that:
- Unescapes \! back to ! so HTML comments render correctly
- Preserves HTML comments (no stripHtmlComments)
- Still redacts GitHub tokens and strips invisible characters

Fixes anthropics#971

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Narrow unescaping from global \! → ! to only <\!-- → <!-- so that \! inside code blocks (e.g. bash history expansion) is preserved unchanged. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Prevents unclosed <\!-- from becoming <!-- which would eat the rest of the page. Also adds tests for unclosed comments, multiline comments, adjacent comments, and \! inside code blocks. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary

Fixes #971

The MCP comment servers (`github-comment-server`, `github-inline-comment-server`) used `sanitizeContent()` on outgoing comment bodies. This function is designed for input sanitization (stripping hidden content from user comments to prevent prompt injection), but when applied to output, it stripped all HTML comments.

`!` in `<!-- -->` gets escaped to `\!` upstream, producing `<\!--`, which isn't valid HTML comment syntax and renders as visible text on GitHub.

Adds `sanitizeOutputContent()` specifically for outgoing comment bodies that:
- `<\!--` → `<!--` (only when a matching `-->` exists, to prevent unclosed comments from eating page content)
- Preserves HTML comments (no `stripHtmlComments`)
- `sanitizeOutputContent()` instead of `sanitizeContent()`
- `sanitizeContent()` remains unchanged for input sanitization paths

Edge cases tested
- `<!-- ghp_xxx -->` — still redacted
- `\\!` — not over-unescaped, stays as `\\!`
- `\!` inside fenced code blocks (e.g. bash `\!42`) — preserved, not mangled
- `<\!--` with no matching `-->` — left escaped to prevent eating rest of page

Test plan
- `bun run typecheck` — clean
- `bun run format:check` — clean
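An added example, written for this page and not the project's own code, of an output-path sanitizer with the behaviour the PR describes: it unescapes `<\!--` only when a matching `-->` follows (an unclosed opener stays escaped even if a later comment is closed), leaves every other `\!` sequence alone, and still redacts tokens and strips invisible characters before the comment step. The function names, the token regex and the invisible-character set are assumptions.

```typescript
// Assumed GitHub token shape: classic prefixes followed by 36+ token chars.
// The project's real redaction pattern is not shown on the page.
const GITHUB_TOKEN_RE = /\bgh[pousr]_[A-Za-z0-9]{36,}\b/g;

// Assumed set of zero-width / invisible characters to strip from output.
const INVISIBLE_RE = /[\u200B-\u200D\u2060\uFEFF]/g;

// Matches an escaped opener `<\!--` and its body up to the first `-->`.
// The body may not run across another escaped opener, so an unclosed
// `<\!--` is never "closed" by a later comment's terminator and stays escaped.
const ESCAPED_COMMENT_RE = /<\\!--((?:(?!<\\!--)[\s\S])*?)-->/g;

// Only the `<\!--` opener of a closed comment is unescaped; a bare `\!`
// elsewhere (e.g. bash history expansion inside a code block) is untouched.
export function unescapeClosedHtmlComments(body: string): string {
  return body.replace(ESCAPED_COMMENT_RE, (_m, inner: string) => `<!--${inner}-->`);
}

// Output-side sanitizer: redact tokens and drop invisible characters as the
// input sanitizer does, but keep HTML comments and make them render.
export function sanitizeOutputContent(body: string): string {
  const withoutInvisible = body.replace(INVISIBLE_RE, "");
  const redacted = withoutInvisible.replace(GITHUB_TOKEN_RE, "[REDACTED]");
  return unescapeClosedHtmlComments(redacted);
}
```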