fix: escape angle brackets in drive comment text

[wittam-01]

Summary

Fix drive comment text handling so < and > are safely escaped before comment creation, preventing invalid comment/reply content payloads.

Changes

• Added lark-drive skill guidance documenting that comment, reply, and reply-edit text must escape < as < and > as >.
• Added drive +add-comment fallback escaping for type=text reply elements.
• Added unit coverage for angle bracket escaping in comment text parsing.

Test Plan

• Unit tests pass: go test ./shortcuts/drive
• Manual local verification confirms the lark xxx command works as expected

Related Issues

• None

Summary by CodeRabbit

• Bug Fixes

  • Comments and replies with angle brackets (< and >) are now automatically escaped to prevent display issues and formatting errors.

• Tests

  • Added test coverage verifying proper escaping of special characters in comment text elements.

• Documentation

  • Updated documentation to clarify text content handling requirements for comments, replies, and edits.

[coderabbitai]

📝 Walkthrough

Walkthrough

The changes implement HTML entity escaping for angle bracket characters (< and >) in text-based comment reply elements, preventing potential markup interpretation issues. A helper function is introduced, test coverage is added, and documentation is updated to clarify the escaping behavior.

Changes

Cohort / File(s)	Summary
Production Code shortcuts/drive/drive_add_comment.go	Introduces escapeCommentText helper function to replace < and > with HTML entities (&lt; and &gt;); applied to "text" reply element types before request payload submission.
Test Coverage shortcuts/drive/drive_add_comment_test.go	Adds TestParseCommentReplyElementsEscapesAngleBrackets unit test verifying that text elements containing angle brackets are properly escaped in parsed output.
Documentation skills/lark-drive/SKILL.md, skills/lark-drive/references/lark-drive-add-comment.md	Updates documentation to specify that type=text content must have raw </> characters escaped to &lt;/&gt;, noting that the shortcut automatically applies this escaping as a fallback mechanism.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 Where comments dance with angle brackets bright,
A safety spell makes everything right!
< and > guard each text so dear,
No broken markup shall appear—
The shortcut bunny keeps it clear! 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely describes the main change: escaping angle brackets in drive comment text to prevent invalid payloads.
Description check	✅ Passed	The description covers all required sections: Summary, Changes, Test Plan, and Related Issues, with sufficient detail about the motivation and implementation.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/drive-comment-escape-angle-brackets

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

shortcuts/drive/drive_add_comment.go (1)

562-568: ⚠️ Potential issue | 🟡 Minor

Length validation runs against pre-escape text.

The 1000-char limit is enforced on input.Text before escapeCommentText is applied. Since <→< and >→> quadruple the character count for those runes, a payload accepted here can exceed 1000 characters after escaping, potentially hitting the upstream comment length limit. Consider validating against the escaped form (or documenting that 1000 refers to pre-escape length).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@shortcuts/drive/drive_add_comment.go` around lines 562 - 568, Validate the
comment length against the escaped text instead of the raw input: call
escapeCommentText(input.Text) first, then check utf8.RuneCountInString on the
escaped result and return output.ErrValidation("--content element #%d text
exceeds 1000 characters", index) if that exceeds 1000; update the code around
the replyElements append (where escapeCommentText and input.Text are used) so
the same escaped value is appended to replyElements to avoid double-escaping or
inconsistent checks.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@shortcuts/drive/drive_add_comment.go`:
- Around line 562-568: Validate the comment length against the escaped text
instead of the raw input: call escapeCommentText(input.Text) first, then check
utf8.RuneCountInString on the escaped result and return
output.ErrValidation("--content element #%d text exceeds 1000 characters",
index) if that exceeds 1000; update the code around the replyElements append
(where escapeCommentText and input.Text are used) so the same escaped value is
appended to replyElements to avoid double-escaping or inconsistent checks.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f84382a2-b712-4b12-a478-6fc7d0d01f8a

📥 Commits

Reviewing files that changed from the base of the PR and between c7ced37 and d81456d.

📒 Files selected for processing (4)

• shortcuts/drive/drive_add_comment.go
• shortcuts/drive/drive_add_comment_test.go
• skills/lark-drive/SKILL.md
• skills/lark-drive/references/lark-drive-add-comment.md

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 60.38%. Comparing base (81d22c6) to head (d81456d).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #632      +/-   ##
==========================================
+ Coverage   60.20%   60.38%   +0.18%     
==========================================
  Files         407      408       +1     
  Lines       43340    43417      +77     
==========================================
+ Hits        26091    26216     +125     
+ Misses      15221    15159      -62     
- Partials     2028     2042      +14     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

🚀 PR Preview Install Guide

🧰 CLI update

npm i -g https://pkg.pr.new/larksuite/cli/@larksuite/cli@d81456d9c1850edd7e0084a166f2b411041c75fa

🧩 Skill update

npx skills add larksuite/cli#fix/drive-comment-escape-angle-brackets -y -g