Commit messages render markdown incorrectly in hovers

[eamodio]

Summary

Commit messages containing markdown formatting (inline code, bullet lists, etc.) render without formatting in blame hovers and tooltips. Special characters inside backtick code spans are escaped with visible backslashes (e.g., SavingsPlan\.compoundInterest), and bullet lists don't render as lists.

Related Issues

• Fixes Unwanted backslashes in monospace formatting of git commit messages #4228 — Unwanted backslashes in monospace formatting of git commit messages

Impact

• Users who write structured commit messages with inline code, bullet lists, or other markdown see corrupted or flat rendering in GitLens hovers
• Additionally hardens hover security by restricting trusted command links to an explicit allowlist and blocking image embeds to prevent tracking pixels — aligning with VS Code's built-in Git extension behavior

Validation

• Hover over a commit containing inline code spans (e.g., `ClassName.methodName`) — no backslashes before periods or colons
• Hover over a commit with bullet lists (* item or - item) — renders as a formatted list
• Verify autolinks (e.g., #1234, Jira prefixes) still resolve to clickable links
• Verify all hover command buttons (Inspect, Copy SHA, Open Changes, Explain, etc.) still work
• Verify image embeds in commit messages (![img](url)) are blocked
• Verify that arbitrary [text](command:...) links in commit messages do not execute

Risk

• Commit messages now render as markdown (matching GitHub/GitLab behavior) — intentional markdown syntax in messages will be interpreted rather than escaped
• Image embeds (![](url)) are blocked to prevent tracking pixels from untrusted commit messages
• Hover isTrusted is scoped to an explicit command allowlist instead of blanket true