fix(advisor): harden review comment location escaping

Author: cv

test/pr-review-advisor.test.ts

@@ -1205,6 +1205,52 @@ diff --git a/test/example.test.ts b/test/example.test.ts
     expect(comment).not.toContain("check </details>");
   });
 
+  it("keeps hostile file locations inside checklist and table fields", () => {
+    const result = normalizeReviewResult(
+      validResult({
+        findings: [
+          {
+            severity: "blocker",
+            category: "correctness",
+            file: "src/a|b.ts",
+            line: 7,
+            title: "Pipe in path",
+            description: "Location should not add a table cell.",
+          },
+          {
+            severity: "warning",
+            category: "correctness",
+            file: "src/a\nb.ts",
+            line: 8,
+            title: "Newline in path",
+            description: "Location should stay on one rendered line.",
+          },
+          {
+            severity: "suggestion",
+            category: "correctness",
+            file: "src/a`b.ts",
+            line: 9,
+            title: "Backtick in path",
+            description: "Location should not break a Markdown code span.",
+          },
+        ],
+      }),
+      metadata(),
+    );
+    const comment = buildComment({ summary: renderSummary(result), result });
+    const indexRows = comment.split("\n").filter((line) => /^\| `PRA-/.test(line));
+
+    expect(indexRows).toHaveLength(3);
+    expect(indexRows[0]).toContain("<code>src/a&#124;b.ts:7</code>");
+    expect(indexRows[1]).toContain("<code>src/a b.ts:8</code>");
+    expect(indexRows[2]).toContain("<code>src/a`b.ts:9</code>");
+    for (const row of indexRows) expect(row.match(/\|/g)).toHaveLength(6);
+    expect(comment).toContain("- [ ] `PRA-1` Fix: Pipe in path in <code>src/a&#124;b.ts:7</code>");
+    expect(comment).toContain("- **Location:** <code>src/a b.ts:8</code>");
+    expect(comment).not.toContain("src/a\nb.ts");
+    expect(comment).not.toContain("`src/a`b.ts:9`");
+  });
+
   it("escapes advisor finding text before rendering sticky comments", () => {
     const result = normalizeReviewResult(
       validResult({

tools/pr-review-advisor/comment.mts

@@ -602,19 +602,21 @@ function formatFindingLocation(finding: Finding): string {
 function formatInlineLocation(finding: Finding): string {
   if (!finding.file) return "";
   const line = Number.isInteger(finding.line) && Number(finding.line) > 0 ? `:${finding.line}` : "";
-  return `\`${escapeCodeSpan(`${finding.file}${line}`)}\``;
+  return `<code>${escapeLocationHtml(`${finding.file}${line}`)}</code>`;
 }
 
 function formatTableLocation(finding: Finding): string {
   return formatInlineLocation(finding) || "—";
 }
 
-function escapeCodeSpan(value: string): string {
+function escapeLocationHtml(value: string): string {
   return value
+    .replace(/\s+/g, " ")
+    .trim()
     .replaceAll("&", "&amp;")
-    .replaceAll("`", "\\`")
     .replaceAll("<", "&lt;")
     .replaceAll(">", "&gt;")
+    .replaceAll("|", "&#124;")
     .replaceAll("@", "&#64;");
 }