fix: strip raw HTML <img> and <p> tags in sanitize_markdown#73
fix: strip raw HTML <img> and <p> tags in sanitize_markdown#73besologic wants to merge 5 commits intoplanningcenter:mainfrom
Conversation
GitHub PR bodies can contain raw HTML tags (e.g. screenshot embeds as
<img> tags) that pass through sanitize_markdown unchanged. When sent to
Asana's html_notes field, unsupported tags cause a 400 Bad Request.
- Strip <img> tags entirely — Asana only supports Asana-hosted images
with data-asana-gid attributes; external GitHub screenshot URLs are
always rejected
- Strip <p> open tags and convert </p> to newlines — <p> is not in
Asana's supported tag list (use literal newlines instead)
- Add a full describe('sanitize_markdown') test block covering the new
behaviour and existing transforms
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
This PR updates the Handlebars sanitize_markdown helper to better sanitize GitHub PR bodies for Asana compatibility, specifically preventing unsupported raw HTML from being sent to Asana’s html_notes (which can cause 400 Bad Request).
Changes:
- Strip raw HTML
<img>tags fromsanitize_markdownoutput. - Strip
<p>open tags and convert</p>close tags into newlines to preserve paragraph breaks. - Add a dedicated
describe('sanitize_markdown')test block covering the new behavior and existing sanitization behaviors.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
src/expression/helpers.ts |
Extends sanitize_markdown with additional HTML stripping/replacement for Asana compatibility. |
__tests__/expression/helpers.test.ts |
Adds test coverage for sanitize_markdown, including raw HTML <img> and <p> handling. |
Review concern (blocking): the new regex .replace(/<p[^>]*>/gi, "") will also match and remove tags that start with <p (e.g. <pre>, <param>, <picture>, etc.), which can corrupt content and potentially leave behind unmatched closing tags (e.g. </pre>). This should be tightened (e.g., using a word boundary like <p\b...>), and the <img...> regex should similarly use <img\b...> to avoid matching tag names like <imgur>.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
<p[^>]*> would also match <pre>, <picture>, <param> etc. <img[^>]*> could match <imgur> or similar tag names. Use \b after the tag name to match only the exact tag. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
This PR improves the sanitize_markdown Handlebars helper so GitHub PR bodies containing raw HTML (notably <img> and <p>) don’t cause Asana html_notes / notes validation failures.
Changes:
- Strip raw HTML
<img>tags during markdown sanitization. - Strip
<p>opening tags and convert</p>to newlines to preserve paragraph breaks without unsupported tags. - Add a dedicated
describe('sanitize_markdown')test suite covering the new behavior and existing sanitization behavior.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
src/expression/helpers.ts |
Extends sanitize_markdown to remove <img> tags and handle <p> tags in an Asana-compatible way. |
__tests__/expression/helpers.test.ts |
Adds coverage for sanitize_markdown, including raw HTML image/paragraph cases. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
- Tighten </p> regex to allow optional whitespace before > (</p\s*>) - Hoist `raw` triple-stache helper to describe-block scope to avoid duplication - Add explicit \n assertion to </p> conversion test - Add test for </p > with whitespace before closing angle bracket Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The \b word boundaries defended against fictional tags like <imgur> that no browser, markdown parser, or GitHub PR body would produce. Remove them along with the <imgur> and <pre> tests to keep things simple. The </p\s*> whitespace fix and newline assertion remain. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
This PR updates the Handlebars sanitize_markdown helper to better sanitize GitHub PR bodies for Asana by removing raw HTML that Asana rejects (notably <img> and <p>), and adds unit tests to lock in the expected behavior.
Changes:
- Strip raw HTML
<img>tags duringsanitize_markdown. - Strip
<p>opening tags and convert</p>to newlines to preserve paragraph breaks without unsupported tags. - Add a dedicated
sanitize_markdowntest suite covering the new sanitization behavior and existing transformations.
Reviewed changes
Copilot reviewed 2 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
src/expression/helpers.ts |
Extends sanitize_markdown to remove raw <img> and <p> tags for Asana compatibility. |
dist/index.js |
Updates bundled output to include the new sanitization logic, but also includes substantial unrelated bundle churn. |
__tests__/expression/helpers.test.ts |
Adds coverage for sanitize_markdown, including <img>/<p> handling and newline normalization. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
Problem
GitHub PR bodies can contain raw HTML — most commonly
<img>tags for embedded screenshots (pasted or dragged in).sanitize_markdownstrips markdown-syntax images () but passes raw HTML<img>tags through unchanged.When the resulting string is sent to Asana's
html_notesfield, the API returns400 Bad Requestbecause:<img>for Asana-hosted attachments withdata-asana-gidattributes — external GitHub CDN URLs are always rejected<p>is not in Asana's supported tag list at all (literal newlines are the correct alternative)Fix
<img>tags entirely — there's no meaningful fallback for external images<p>open tags and convert</p>to newlines — preserves paragraph breaks without the unsupported tagReference for Asana's empirically verified supported tag list:
<strong>,<em>,<u>,<s>,<h1>,<h2>,<ul>,<ol>,<li>,<blockquote>,<code>,<pre>,<hr/>,<a href>,<table>,<tr>,<td>, and<img>(Asana-hosted only).Tests
Added a full
describe('sanitize_markdown')block — there were no existing tests for this helper.Reproducing the original bug
Apply the
create-asana-tasklabel to any PR whose body contains a GitHub screenshot embed like:The workflow will fail with
Asana API error: 400 Bad Request.I verified that removing the image allows the workflow to run completely: https://github.com/planningcenter/people/pull/14325