Sanitize item in invalid format branch to prevent Markdown injection

Copilot · kenyonj · web-flow · commit c6f2ac51096f · 2026-05-04T14:19:27.000Z
Agent-Logs-Url: https://github.com/github/explore/sessions/f0f46334-8894-40b6-bcc2-87dba102c83d Co-authored-by: kenyonj <4008677+kenyonj@users.noreply.github.com>
diff --git a/.github/workflows/explore-triage-commenter.yml b/.github/workflows/explore-triage-commenter.yml
@@ -131,7 +131,8 @@ jobs:
 
                 for (const item of items) {
                   if (!/^[\w.-]+\/[\w.-]+$/.test(item)) {
-                    lines.push(`| \`${item}\` | – | – | – | invalid format |`);
+                    const safeItem = item.replace(/`/g, "'").replace(/\\/g, '\\\\').replace(/\|/g, '\\|');
+                    lines.push(`| \`${safeItem}\` | – | – | – | invalid format |`);
                     continue;
                   }
                   const [owner, repo] = item.split('/');

Original file line number	Diff line number	Diff line change
`@@ -131,7 +131,8 @@ jobs:`
`131`	`131`
`132`	`132`	`for (const item of items) {`
`133`	`133`	`if (!/^[\w.-]+\/[\w.-]+$/.test(item)) {`
`134`		- lines.push(`\| \`${item}\` \| – \| – \| – \| invalid format \|`);
	`134`	+ const safeItem = item.replace(/`/g, "'").replace(/\\/g, '\\\\').replace(/\\|/g, '\\\|');
	`135`	+ lines.push(`\| \`${safeItem}\` \| – \| – \| – \| invalid format \|`);
`135`	`136`	`continue;`
`136`	`137`	`}`
`137`	`138`	`const [owner, repo] = item.split('/');`