Skip to content

fix: escape angle brackets in drive comment text#632

Merged
liangshuo-1 merged 1 commit intomainfrom
fix/drive-comment-escape-angle-brackets
Apr 23, 2026
Merged

fix: escape angle brackets in drive comment text#632
liangshuo-1 merged 1 commit intomainfrom
fix/drive-comment-escape-angle-brackets

Conversation

@wittam-01
Copy link
Copy Markdown
Collaborator

@wittam-01 wittam-01 commented Apr 23, 2026

Summary

Fix drive comment text handling so < and > are safely escaped before comment creation, preventing invalid comment/reply content payloads.

Changes

  • Added lark-drive skill guidance documenting that comment, reply, and reply-edit text must escape < as < and > as >.
  • Added drive +add-comment fallback escaping for type=text reply elements.
  • Added unit coverage for angle bracket escaping in comment text parsing.

Test Plan

  • Unit tests pass: go test ./shortcuts/drive
  • Manual local verification confirms the lark xxx command works as expected

Related Issues

  • None

Summary by CodeRabbit

  • Bug Fixes

    • Comments and replies with angle brackets (< and >) are now automatically escaped to prevent display issues and formatting errors.
  • Tests

    • Added test coverage verifying proper escaping of special characters in comment text elements.
  • Documentation

    • Updated documentation to clarify text content handling requirements for comments, replies, and edits.

Change-Id: I25d05412bd0a2a9e32a517b1344533ad70cb072b
@github-actions github-actions Bot added domain/ccm PR touches the ccm domain size/L Large or sensitive change across domains or core paths labels Apr 23, 2026
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Apr 23, 2026

📝 Walkthrough

Walkthrough

The changes implement HTML entity escaping for angle bracket characters (< and >) in text-based comment reply elements, preventing potential markup interpretation issues. A helper function is introduced, test coverage is added, and documentation is updated to clarify the escaping behavior.

Changes

Cohort / File(s) Summary
Production Code
shortcuts/drive/drive_add_comment.go
Introduces escapeCommentText helper function to replace < and > with HTML entities (&lt; and &gt;); applied to "text" reply element types before request payload submission.
Test Coverage
shortcuts/drive/drive_add_comment_test.go
Adds TestParseCommentReplyElementsEscapesAngleBrackets unit test verifying that text elements containing angle brackets are properly escaped in parsed output.
Documentation
skills/lark-drive/SKILL.md, skills/lark-drive/references/lark-drive-add-comment.md
Updates documentation to specify that type=text content must have raw </> characters escaped to &lt;/&gt;, noting that the shortcut automatically applies this escaping as a fallback mechanism.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 Where comments dance with angle brackets bright,
A safety spell makes everything right!
&lt; and &gt; guard each text so dear,
No broken markup shall appear—
The shortcut bunny keeps it clear! 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately and concisely describes the main change: escaping angle brackets in drive comment text to prevent invalid payloads.
Description check ✅ Passed The description covers all required sections: Summary, Changes, Test Plan, and Related Issues, with sufficient detail about the motivation and implementation.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/drive-comment-escape-angle-brackets

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
shortcuts/drive/drive_add_comment.go (1)

562-568: ⚠️ Potential issue | 🟡 Minor

Length validation runs against pre-escape text.

The 1000-char limit is enforced on input.Text before escapeCommentText is applied. Since <&lt; and >&gt; quadruple the character count for those runes, a payload accepted here can exceed 1000 characters after escaping, potentially hitting the upstream comment length limit. Consider validating against the escaped form (or documenting that 1000 refers to pre-escape length).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@shortcuts/drive/drive_add_comment.go` around lines 562 - 568, Validate the
comment length against the escaped text instead of the raw input: call
escapeCommentText(input.Text) first, then check utf8.RuneCountInString on the
escaped result and return output.ErrValidation("--content element #%d text
exceeds 1000 characters", index) if that exceeds 1000; update the code around
the replyElements append (where escapeCommentText and input.Text are used) so
the same escaped value is appended to replyElements to avoid double-escaping or
inconsistent checks.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@shortcuts/drive/drive_add_comment.go`:
- Around line 562-568: Validate the comment length against the escaped text
instead of the raw input: call escapeCommentText(input.Text) first, then check
utf8.RuneCountInString on the escaped result and return
output.ErrValidation("--content element #%d text exceeds 1000 characters",
index) if that exceeds 1000; update the code around the replyElements append
(where escapeCommentText and input.Text are used) so the same escaped value is
appended to replyElements to avoid double-escaping or inconsistent checks.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f84382a2-b712-4b12-a478-6fc7d0d01f8a

📥 Commits

Reviewing files that changed from the base of the PR and between c7ced37 and d81456d.

📒 Files selected for processing (4)
  • shortcuts/drive/drive_add_comment.go
  • shortcuts/drive/drive_add_comment_test.go
  • skills/lark-drive/SKILL.md
  • skills/lark-drive/references/lark-drive-add-comment.md

@codecov
Copy link
Copy Markdown

codecov Bot commented Apr 23, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 60.38%. Comparing base (81d22c6) to head (d81456d).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #632      +/-   ##
==========================================
+ Coverage   60.20%   60.38%   +0.18%     
==========================================
  Files         407      408       +1     
  Lines       43340    43417      +77     
==========================================
+ Hits        26091    26216     +125     
+ Misses      15221    15159      -62     
- Partials     2028     2042      +14     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@github-actions
Copy link
Copy Markdown

🚀 PR Preview Install Guide

🧰 CLI update

npm i -g https://pkg.pr.new/larksuite/cli/@larksuite/cli@d81456d9c1850edd7e0084a166f2b411041c75fa

🧩 Skill update

npx skills add larksuite/cli#fix/drive-comment-escape-angle-brackets -y -g

@liangshuo-1 liangshuo-1 merged commit 10f1f2e into main Apr 23, 2026
36 of 42 checks passed
@liangshuo-1 liangshuo-1 deleted the fix/drive-comment-escape-angle-brackets branch April 23, 2026 10:06
@liangshuo-1 liangshuo-1 mentioned this pull request Apr 23, 2026
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

domain/ccm PR touches the ccm domain size/L Large or sensitive change across domains or core paths

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants