Fix Spectre markup escaping bugs across CLI commands

[davidfowl]

Description

Fixes multiple Spectre Console markup escaping bugs across CLI commands that could cause crashes or garbled output when resource names, file paths, version strings, or other external data contain characters that Spectre interprets as markup (e.g., square brackets [], angle brackets <>).

Root cause: Several places in the CLI pass user/external data directly into AnsiConsole.MarkupLine() or SelectionPrompt.UseConverter() without calling .EscapeMarkup() first. When that data contains [brackets], Spectre treats them as formatting directives, causing InvalidOperationException or corrupted output.

Changes:

• RunCommand: Escape resource names and endpoint URLs in the endpoints grid, and escape log file paths in error messages. Moved .EscapeMarkup() from exception messages (which feed into DisplayError, which already escapes) to log file paths (which feed into DisplayMessage, which does not).
• LogsCommand: Escape resource names in colorized log output.
• TelemetryLogsCommand / TelemetrySpansCommand: Escape resource names in telemetry output.
• ConsoleInteractionService: Escape choice text in PromptForSelectionAsync and PromptForSelectionsAsync converters. Escape version strings and capability names in DisplayIncompatibleVersionError and DisplayVersionUpdateNotification.

Fixes #13955

Checklist

• Is this feature complete?
  • Yes. Ready to ship.
  • No. Follow-up changes expected.
• Are you including unit tests for the changes and scenario tests if relevant?
  • Yes
  • No
• Did you add public API?
  • Yes
  • No
• Does the change make any security assumptions or guarantees?
  • Yes
  • No
• Does the change require an update in our Aspire docs?
  • Yes
  • No

[github-actions]

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 14422

Or

• Run remotely in PowerShell:

iex "& { $(irm https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 14422"

[Copilot]

Pull request overview

Fixes multiple Spectre.Console markup-escaping issues in Aspire CLI output/prompting paths to prevent crashes or corrupted rendering when external data contains markup characters (notably [ / ]), aligning with the root cause described in #13955.

Changes:

• Escapes external data used in Spectre markup output across run, logs, and telemetry commands.
• Escapes choice display text in ConsoleInteractionService selection prompts and escapes version/capability strings in version-related messages.
• Adds tests covering markup escaping behavior for several interaction-service output paths and a publish prompting scenario.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
tests/Aspire.Cli.Tests/Interaction/ConsoleInteractionServiceTests.cs	Adds tests validating escaping behavior for version/error/message output paths.
tests/Aspire.Cli.Tests/Commands/PublishCommandPromptingIntegrationTests.cs	Adds an integration test scenario involving bracketed choice labels (Azure subscription-like strings).
src/Aspire.Cli/Interaction/ConsoleInteractionService.cs	Escapes selection prompt converter output; escapes some version/capability values in markup output.
src/Aspire.Cli/Commands/TelemetrySpansCommand.cs	Escapes resource name in span output markup.
src/Aspire.Cli/Commands/TelemetryLogsCommand.cs	Escapes resource name in log output markup.
src/Aspire.Cli/Commands/RunCommand.cs	Escapes resource/endpoint display in endpoint grid; adjusts escaping responsibilities between DisplayError and DisplayMessage call sites.
src/Aspire.Cli/Commands/LogsCommand.cs	Escapes resource name in colorized log prefix.

[mitchdenny]

Looks good! The fix correctly moves escaping to the right boundary — caller-side for DisplayMessage (which passes through to MarkupLine), removed from DisplayError callers (which escapes internally). Tests are thorough and document the contract well.

One minor nit: cliInformationalVersion on line 193 of ConsoleInteractionService.cs is not escaped while the adjacent appHostHostingVersion and ex.RequiredCapability are — worth a quick fix for consistency.

[github-actions]

🎬 CLI E2E Test Recordings

The following terminal recordings are available for commit 8a56cbc:

Test	Recording
AgentCommands_AllHelpOutputs_AreCorrect	▶️ View Recording
AgentInitCommand_MigratesDeprecatedConfig	▶️ View Recording
Banner_DisplayedOnFirstRun	▶️ View Recording
Banner_DisplayedWithExplicitFlag	▶️ View Recording
CreateAndDeployToDockerCompose	▶️ View Recording
CreateAndDeployToDockerComposeInteractive	▶️ View Recording
CreateAndPublishToKubernetes	▶️ View Recording
CreateAndRunAspireStarterProject	▶️ View Recording
CreateAndRunAspireStarterProjectWithBundle	▶️ View Recording
CreateAndRunJsReactProject	▶️ View Recording
CreateAndRunPythonReactProject	▶️ View Recording
CreateEmptyAppHostProject	▶️ View Recording
CreateStartAndStopAspireProject	▶️ View Recording
CreateTypeScriptAppHostWithViteApp	▶️ View Recording
DoctorCommand_DetectsDeprecatedAgentConfig	▶️ View Recording
DoctorCommand_WithSslCertDir_ShowsTrusted	▶️ View Recording
DoctorCommand_WithoutSslCertDir_ShowsPartiallyTrusted	▶️ View Recording
LogsCommandShowsResourceLogs	▶️ View Recording
PsCommandListsRunningAppHost	▶️ View Recording
ResourcesCommandShowsRunningResources	▶️ View Recording

---

_{📹 Recordings uploaded automatically from CI run #21855293083}