fix: escape filenames in markdown report #2141 (#2142)

ellieayla · web-flow · commit e06eb348a071 · 2026-03-08T16:23:50.000-04:00
* fix: escape pipe character in filename in markdown report #2141 Both underscore and pipe characters are valid in filenames and meaningful in markdown tables. Underscores were already escaped by the markdown report, using a simple string replacement, but pipe characters were not. * markdown report: escape most of string.punctuation. * feedback: text would be a better (and shorter!) name than input_value * Amend the get_report() helper function to have an explicit output_format argument No longer produce forward slash escaped underscore in test helper * test: all string.punctuation characters are escaped in markdown reports * I don't understand the slash replace behavior of get_report() --------- Co-authored-by: ellieayla <1447600+me@users.noreply.github.com>
diff --git a/coverage/report.py b/coverage/report.py
@@ -7,6 +7,7 @@
 
 import sys
 from collections.abc import Iterable
+from string import punctuation
 from typing import IO, TYPE_CHECKING, Any
 
 from coverage.exceptions import ConfigError, NoDataError
@@ -19,6 +20,15 @@
 if TYPE_CHECKING:
     from coverage import Coverage
 
+ESCAPE_PUNCTUATION_TABLE = "".maketrans(
+    {char: f"\\{char}" for char in punctuation if char not in ".,/-"}
+)
+
+
+def escape_markdown(text: str) -> str:
+    """Prefix all characters meaningful in markdown tables with backslashes."""
+    return text.translate(ESCAPE_PUNCTUATION_TABLE)
+
 
 class SummaryReporter:
     """A reporter for writing the summary report."""
@@ -126,8 +136,9 @@ def report_markdown(
         `end_lines` is a list of ending lines with information about skipped files.
 
         """
+
         # Prepare the formatting strings, header, and column sorting.
-        max_name = max((len(line[0].replace("_", "\\_")) for line in lines_values), default=0)
+        max_name = max((len(escape_markdown(line[0])) for line in lines_values), default=0)
         max_name = max(max_name, len("**TOTAL**")) + 1
         formats = dict(
             Name="| {:{name_len}}|",
@@ -160,7 +171,7 @@ def report_markdown(
             self.write_items(
                 (
                     formats[item].format(
-                        str(value).replace("_", "\\_"), name_len=max_name, n=max_n - 1
+                        escape_markdown(str(value)), name_len=max_name, n=max_n - 1
                     )
                     for item, value in zip(header, values)
                 )
diff --git a/tests/coveragetest.py b/tests/coveragetest.py
@@ -125,12 +125,17 @@ def start_import_stop(
             cov.stop()
         return mod
 
-    def get_report(self, cov: Coverage, squeeze: bool = True, **kwargs: Any) -> str:
+    def get_report(
+        self, cov: Coverage, squeeze: bool = True, output_format: str | None = None, **kwargs: Any
+    ) -> str:
         """Get the report from `cov`, and canonicalize it."""
         repout = io.StringIO()
         kwargs.setdefault("show_missing", False)
-        cov.report(file=repout, **kwargs)
-        report = repout.getvalue().replace("\\", "/")
+        cov.report(file=repout, output_format=output_format, **kwargs)
+        if output_format == "markdown":
+            report = repout.getvalue().replace("\\\\", "/")
+        else:
+            report = repout.getvalue().replace("\\", "/")
         print(report)  # When tests fail, it's helpful to see the output
         if squeeze:
             report = re.sub(r" +", " ", report)
diff --git a/tests/test_report.py b/tests/test_report.py
@@ -12,6 +12,7 @@
 import os.path
 import py_compile
 import re
+import string
 
 
 import pytest
@@ -891,6 +892,58 @@ def test_report_with_chdir(self) -> None:
         report = self.report_from_command("coverage report --format=markdown")
         assert self.last_line_squeezed(report) == "| **TOTAL** | **5** | **0** | **100%** |"
 
+    DISALLOWED_WINDOWS_FILENAME_CHARACTERS = r'\/:*?"<>|'
+
+    @pytest.mark.parametrize(
+        ("punctuation", "expected_characters", "escaped_punctuation"),
+        [
+            pytest.param(
+                # everything that's not covered by the other items
+                "!#$%&'()+,-.;=@[]^_`{}~",
+                set(string.punctuation) - set(DISALLOWED_WINDOWS_FILENAME_CHARACTERS),
+                r"\!\#\$\%\&\'\(\)\+,-.\;\=\@\[\]\^\_\`\{\}\~",
+                id="cross-platform-punctuation",
+            ),
+            pytest.param(
+                "\\",  # seperate only to make test failure messages easy to read
+                set("\\"),
+                "/",  # munged to forward slash by get_report
+                id="backslash-untouched",
+            ),
+            pytest.param(
+                "/",
+                set("/"),
+                "/",
+                id="forwardslash-untouched-posix-only",
+                marks=pytest.mark.skipif(env.WINDOWS, reason="Disallowed in Windows filenames."),
+            ),
+            pytest.param(
+                ':*?"<>|',
+                set(DISALLOWED_WINDOWS_FILENAME_CHARACTERS) - set("\\/"),
+                r"\:\*\?\"\<\>\|",
+                id="posix-only-punctuation",
+                marks=pytest.mark.skipif(env.WINDOWS, reason="Disallowed in Windows filenames."),
+            ),
+        ],
+    )
+    def test_markdown_escape_filename(
+        self, punctuation: str, expected_characters: set[str], escaped_punctuation: str
+    ) -> None:
+        """Make a horrible filename of punctuation, and ensure coverage report is escaped."""
+        self.make_file(f"horrible-{punctuation}-filename.py", "print(1)")
+        self.make_data_file(lines={f"horrible-{punctuation}-filename.py": [1]})
+
+        # make sure everything in the expected set of punctuation is here,
+        # and none have been dropped. Full diff on mismatch is readable.
+        assert expected_characters == set(punctuation)
+
+        cov = coverage.Coverage()
+        cov.load()
+        report = self.get_report(cov, output_format="markdown")
+
+        squeezed = self.squeezed_lines(report)
+        assert squeezed[2] == f"| horrible-{escaped_punctuation}-filename.py | 1 | 1 | 0% |"
+
     def test_bug_156_file_not_run_should_be_zero(self) -> None:
         # https://github.com/coveragepy/coveragepy/issues/156
         self.make_file(
@@ -1016,11 +1069,9 @@ def test_empty_files(self) -> None:
         assert "tests/modules/pkg1/__init__.py 1 0 0 0 100%" in report
         assert "tests/modules/pkg2/__init__.py 0 0 0 0 100%" in report
         report = self.get_report(cov, squeeze=False, output_format="markdown")
-        # get_report() escapes backslash so we expect forward slash escaped
-        # underscore
-        assert "tests/modules/pkg1//_/_init/_/_.py " in report
+        assert r"tests/modules/pkg1/\_\_init\_\_.py " in report
         assert "|        1 |        0 |        0 |        0 |     100% |" in report
-        assert "tests/modules/pkg2//_/_init/_/_.py " in report
+        assert r"tests/modules/pkg2/\_\_init\_\_.py " in report
         assert "|        0 |        0 |        0 |        0 |     100% |" in report
 
     def test_markdown_with_missing(self) -> None:
