Problem
The "sanitize": true flag on the add_comment body field strips < and > characters from the entire comment body, including content inside markdown fenced code blocks (```lang ... ```). This produces garbled output for any language that uses angle brackets in its syntax.
Example
The Repo Assist workflow posted this comment on dotnet/fsharp#6929 with the following code block:
[(Measure)] type rad
[(Literal)]
let pi = 3.14(rad)
The agent almost certainly generated valid F# with angle brackets:
[<Measure>] type rad
[<Literal>]
let pi = 3.14<rad>
But the sanitizer stripped every < and >, turning attributes ([<Measure>]) into [(Measure)] and generic syntax (3.14<rad>) into 3.14(rad). The result is syntactically invalid code posted to a public issue — which a maintainer then called out.
Scope
This affects every comment posted by agentic workflows for languages that use angle brackets: F# ([<Attr>], generics), C# (List<int>), C++ (template<T>), Rust (Vec<i32>), TypeScript (Array<string>), HTML, XML, etc.
Where
The sanitize flag is set in the workflow lock file schema, which comes from this workflow source:
{
  "required": true,
  "type": "string",
  "sanitize": true,
  "maxLength": 65000
}
The sanitizer implementation lives in the agentics framework itself (not the per-repo config).
Expected behavior
Angle brackets inside fenced code blocks should be preserved. Either:
- Parse markdown structure and skip sanitization inside fenced code blocks, or
- HTML-encode </> to &lt;/&gt; instead of stripping them (GitHub renders these correctly in markdown), or
- Only strip angle brackets that look like actual HTML tags (e.g. <script>, <img)
Reproduction
Any agentic workflow with "sanitize": true on comment bodies that posts code containing < or > inside a fenced code block will have those characters silently removed.
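One way to combine the first two options under Expected behavior, as an added example that is not the agentics framework's sanitizer: fenced code blocks and inline code spans pass through untouched, and everything else is HTML-encoded rather than stripped. The function names (sanitizeCommentBody, encodeOutsideCodeSpans, encodeAngles) are hypothetical, and fence detection follows the CommonMark rules for fenced blocks only.

```javascript
// Added example: a hypothetical sanitizer, not the agentics framework's code.
const FENCE = /^ {0,3}(`{3,}|~{3,})(.*)$/; // CommonMark fence: up to 3 spaces of indent

function encodeAngles(text) {
  return text.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Encode a prose line, leaving inline code spans (`...`) untouched.
function encodeOutsideCodeSpans(line) {
  let out = "";
  let i = 0;
  while (i < line.length) {
    const open = /`+/.exec(line.slice(i));
    if (!open) break;
    const start = i + open.index;
    const ticks = open[0];
    out += encodeAngles(line.slice(i, start));
    // A span closes on a backtick run of exactly the same length.
    const close = new RegExp("(?<!`)" + ticks + "(?!`)").exec(line.slice(start + ticks.length));
    const end = close ? start + 2 * ticks.length + close.index : start + ticks.length;
    out += line.slice(start, end); // whole span, or unmatched backticks as literal text
    i = end;
  }
  return out + encodeAngles(line.slice(i));
}

function sanitizeCommentBody(body) {
  let fence = null; // { char, len } while inside a fenced code block
  return body.split(/\r?\n/).map((line) => {
    const m = FENCE.exec(line);
    if (fence) {
      // Closing fence: same character, at least as long, no info string.
      if (m && m[1][0] === fence.char && m[1].length >= fence.len && m[2].trim() === "") fence = null;
      return line; // code and fence lines pass through unchanged
    }
    // A backtick fence may not carry backticks in its info string.
    if (m && !(m[1][0] === "`" && m[2].includes("`"))) {
      fence = { char: m[1][0], len: m[1].length };
      return encodeAngles(line); // only the info string can contain < or >
    }
    return encodeOutsideCodeSpans(line);
  }).join("\n");
}

// Constructed sample input: the F# snippet from this issue plus raw HTML outside the fence.
const SAMPLE = ["Use `List<int>` not <b>this</b>:", "```fsharp", "[<Measure>] type rad",
  "let pi = 3.14<rad>", "```", "<script>alert(1)</script>"].join("\n");
console.log(sanitizeCommentBody(SAMPLE));
```

The fence detection has to agree with the renderer's: any line this function treats as code but the renderer treats as prose would reach the page unencoded, so anything that is not clearly a fence is encoded.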