
fix: preserve fenced code blocks during URL sanitization to prevent suggestion block corruption#39927

Open
Copilot wants to merge 4 commits into
mainfrom
copilot/fix-safe-output-sanitizer-issue

Conversation

Copilot AI commented Jun 18, 2026

Contributor

Safe-output URL sanitization was applied to the full content string, including inside fenced code blocks. This corrupted suggestion block payloads — GitHub offers the sanitized text verbatim to commit, so redacted link targets become part of the patch.

Changes

  • sanitize_content_core.cjs: Wrap sanitizeUrlProtocols and sanitizeUrlDomains in applyToNonCodeRegions, consistent with all other sanitization transforms (XML comments, link titles, XML tags, template delimiters)
// Before — applies to entire string including fenced blocks
sanitized = sanitizeUrlProtocols(sanitized);
sanitized = sanitizeUrlDomains(sanitized, allowedDomains);

// After — skips fenced code blocks and inline code spans
sanitized = applyToNonCodeRegions(sanitized, sanitizeUrlProtocols);
sanitized = applyToNonCodeRegions(sanitized, s => sanitizeUrlDomains(s, allowedDomains));
  • sanitize_content.test.cjs: Add four regression tests — protocol-level and domain-level sanitization, for generic fenced blocks and suggestion blocks specifically — verifying that block content is preserved and prose outside blocks is still sanitized
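As an added illustration, not the project's own code: a minimal applyToNonCodeRegions in the spirit of the fix described above, paired with a stand-in sanitizeUrlProtocols that is assumed to redact every non-http(s) URL. Both function names are taken from the PR text; the sample Markdown is constructed and the suggestion block in it is the payload the bug report is about.

```javascript
// Assumed stand-in for the project's sanitizeUrlProtocols: keep http(s), redact the rest.
function sanitizeUrlProtocols(text) {
  return text.replace(/\b([a-z][a-z0-9+.-]*):\/\/[^\s)]+/gi, (url, scheme) =>
    /^https?$/i.test(scheme) ? url : "(redacted)");
}

// Run `transform` on the text between inline code spans, leaving the spans intact.
function applyOutsideInlineCode(text, transform) {
  const span = /`[^`\n]+`/g;
  let out = "", last = 0, m;
  while ((m = span.exec(text)) !== null) {
    out += transform(text.slice(last, m.index)) + m[0];
    last = m.index + m[0].length;
  }
  return out + transform(text.slice(last));
}

// Run `transform` only outside fenced blocks (``` or ~~~, so ```suggestion too) and inline
// code; fence lines and block contents pass verbatim, and an unclosed fence protects the rest.
function applyToNonCodeRegions(text, transform) {
  const out = [], prose = []; // emitted pieces; pending non-code lines
  let fence = null;           // marker of the open fence, e.g. "```"
  const flush = () => {
    if (prose.length) out.push(applyOutsideInlineCode(prose.splice(0).join("\n"), transform));
  };
  for (const line of text.split("\n")) {
    const m = line.match(/^ {0,3}(`{3,}|~{3,})/);
    if (fence) { // a closing fence uses the same character and is at least as long
      out.push(line);
      if (m && m[1][0] === fence[0] && m[1].length >= fence.length) fence = null;
    } else if (m) { flush(); fence = m[1]; out.push(line); }
    else prose.push(line);
  }
  flush();
  return out.join("\n");
}

// Constructed sample: custom-protocol links in prose, inline code and a suggestion block.
const SAMPLE = [
  "Docs link: obsidian://open?vault=x should be redacted.",
  "Inline `custom://keep` stays.",
  "```suggestion",
  "// see custom://docs/crosslink",
  "const x = 1;",
  "```",
  "Trailing obsidian://again",
].join("\n");

// After the fix: the sanitizer runs only over the non-code regions of the sample.
function after() { return applyToNonCodeRegions(SAMPLE, sanitizeUrlProtocols); }
```

Calling sanitizeUrlProtocols(SAMPLE) directly reproduces the pre-fix behaviour, where the link inside the suggestion block is rewritten and the block would no longer apply cleanly.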

Copilot AI and others added 2 commits June 18, 2026 00:21
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…stion block corruption

Safe-output URL sanitization (protocol filtering and domain filtering) now
uses applyToNonCodeRegions so that content inside fenced code blocks —
including GitHub suggestion blocks — is never rewritten.

Previously, sanitizeUrlProtocols and sanitizeUrlDomains were applied to the
full output string, which could corrupt apply-ready patch payloads inside
```suggestion fences (e.g. custom-protocol docs crosslinks).

Fixes #39793

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix output sanitizer rewriting custom-protocol links fix: preserve fenced code blocks during URL sanitization to prevent suggestion block corruption Jun 18, 2026
Copilot AI requested a review from pelikhan June 18, 2026 00:26
@pelikhan pelikhan marked this pull request as ready for review June 18, 2026 00:27
Copilot AI review requested due to automatic review settings June 18, 2026 00:27

Copilot AI left a comment

Contributor


Pull request overview

This PR fixes safe-output URL sanitization so it does not rewrite content inside fenced code blocks (including GitHub ```suggestion fences), preventing suggestion patch payload corruption while continuing to sanitize URLs in prose.

Changes:

  • Apply sanitizeUrlProtocols and sanitizeUrlDomains via applyToNonCodeRegions so fenced/inline code is preserved verbatim.
  • Add regression tests covering protocol and domain sanitization behavior for generic fenced blocks and suggestion blocks.
  • Adjust a header comment in the setup CLI install script.
File Description
actions/setup/js/sanitize_content_core.cjs Routes URL protocol/domain sanitization through applyToNonCodeRegions to avoid rewriting fenced code content.
actions/setup/js/sanitize_content.test.cjs Adds regression tests ensuring code fences (including suggestion) are preserved while prose is still sanitized.
actions/setup-cli/install.sh Updates a sync note comment (currently becomes self-referential; see review comment).

Copilot's findings


  • Files reviewed: 3/3 changed files
  • Comments generated: 1

Comment thread actions/setup-cli/install.sh Outdated
set +o histexpand

# Kept in sync with install-gh-aw.sh — edit that file, then copy to this path.
# Kept in sync with actions/setup-cli/install.sh — edit this file, then copy to that path.
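Review bot: the new comment line in actions/setup-cli/install.sh is self-referential: it says the file is kept in sync with actions/setup-cli/install.sh, which is this very file, so the note no longer tells a maintainer where the other copy lives or which side to edit. The replaced line named install-gh-aw.sh as the source; either keep that name as the sync source, or, if the copy direction has genuinely flipped, point at the file that should be edited and make sure the mirrored note on the other side agrees with this one.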
@pelikhan

Collaborator

@lpcox review please

@github-actions github-actions Bot mentioned this pull request Jun 18, 2026
@github-actions

Contributor

@copilot review all comments and address unresolved review feedback.

Generated by 👨‍🍳 PR Sous Chef ·

@github-actions

Contributor

Please fix the self-referential sync note in actions/setup-cli/install.sh and push a follow-up commit.

Generated by 👨‍🍳 PR Sous Chef ·

@github-actions

Contributor

@copilot review all comments and address unresolved review feedback.

Please summarize the remaining blockers and next steps so this branch can move forward.

Generated by 👨‍🍳 PR Sous Chef ·

@github-actions

Contributor

@copilot review all comments and address unresolved review feedback.
Please confirm the fenced-code preservation test covers suggestion blocks.

Generated by 👨‍🍳 PR Sous Chef ·

@github-actions

Contributor

@copilot review all comments and address unresolved review feedback.

pr-sous-chef: fix the self-referential install.sh comment and reply to the unresolved review comment.

Generated by 👨‍🍳 PR Sous Chef ·

@github-actions

Contributor

@copilot review all comments and address unresolved review feedback.

Generated by 👨‍🍳 PR Sous Chef · 71.6 AIC · ⌖ 1 AIC · ⊞ 17.2K ·
