Bug: HTML in update-issue body gets escaped/mangled
Description
When an agent uses update-issue with a body containing certain inline HTML (e.g. <span> with attributes), the angle brackets are escaped or replaced in the rendered output. The same HTML set manually via the GitHub web UI renders correctly.
Note: <br> appears to pass through fine — the issue is specifically with tags that have attributes, such as <span title="...">.
Expected behavior
GitHub Flavored Markdown supports a subset of HTML tags (<span>, <abbr>, title attributes, etc.). HTML included in an update-issue body should be passed through to the GitHub API as-is, matching what a human would produce by editing the issue manually.
Actual behavior
The angle brackets in HTML tags with attributes are being escaped/replaced. For example, a body containing:
prod: <span title="2026-02-18 16:10 MT">2 days ago</span>
...is rendered in the issue as:
prod: (span title="2026-02-18 16:10 MT")2 days ago(/span)
Steps to reproduce
- Configure a workflow with
update-issue: / body: and operation: replace
- Have the agent output a body string containing
<span title="...">text</span>
- Observe the rendered issue body — HTML tags with attributes are escaped
Use case
Using <span title="..."> to embed full timestamps as hover tooltips on human-readable relative dates (e.g. "2 days ago") in issue bodies that serve as status dashboards. This pattern works fine when editing manually but is broken when the agent writes the same content via update-issue.
Environment
- gh-aw version:
0.47.1
- Operation type:
replace
- Agent:
coplit
- Model:
claude-sonnet-4-6
Notes
This appears to be related to the input sanitization layer in safe-outputs. The sanitization may be intentionally stripping HTML as a security measure, but it creates a gap between what humans can write via the UI and what agents can write via update-issue. If full HTML passthrough isn't desirable, it would be helpful to at minimum allow a documented allowlist of safe tags and attributes that GitHub itself already allows in rendered Markdown (e.g. <span>, <abbr>, title, class).
Bug: HTML in
update-issuebody gets escaped/mangledDescription
When an agent uses
update-issuewith a body containing certain inline HTML (e.g.<span>with attributes), the angle brackets are escaped or replaced in the rendered output. The same HTML set manually via the GitHub web UI renders correctly.Note:
<br>appears to pass through fine — the issue is specifically with tags that have attributes, such as<span title="...">.Expected behavior
GitHub Flavored Markdown supports a subset of HTML tags (
<span>,<abbr>,titleattributes, etc.). HTML included in anupdate-issuebody should be passed through to the GitHub API as-is, matching what a human would produce by editing the issue manually.Actual behavior
The angle brackets in HTML tags with attributes are being escaped/replaced. For example, a body containing:
...is rendered in the issue as:
Steps to reproduce
update-issue:/body:andoperation: replace<span title="...">text</span>Use case
Using
<span title="...">to embed full timestamps as hover tooltips on human-readable relative dates (e.g. "2 days ago") in issue bodies that serve as status dashboards. This pattern works fine when editing manually but is broken when the agent writes the same content viaupdate-issue.Environment
0.47.1replacecoplitclaude-sonnet-4-6Notes
This appears to be related to the input sanitization layer in safe-outputs. The sanitization may be intentionally stripping HTML as a security measure, but it creates a gap between what humans can write via the UI and what agents can write via
update-issue. If full HTML passthrough isn't desirable, it would be helpful to at minimum allow a documented allowlist of safe tags and attributes that GitHub itself already allows in rendered Markdown (e.g.<span>,<abbr>,title,class).