fix: escape URL in markdown rendering and harden test assertions

- Escape verificationUriComplete with escapeMarkdownInline() before
  passing to renderInlineMarkdown() to prevent underscores in URLs
  (e.g., self-hosted instances) from being interpreted as emphasis
- Set SENTRY_PLAIN_OUTPUT=1 in upgrade test mock context so table
  assertions use raw markdown pipes instead of Unicode box-drawing
  characters that only appear in TTY mode
- Add test for URL escaping with underscore-containing URLs

Author: BYK

src/lib/interactive-login.ts

@@ -12,7 +12,10 @@ import { setupCopyKeyListener } from "./clipboard.js";
 import { getDbPath } from "./db/index.js";
 import { setUserInfo } from "./db/user.js";
 import { formatError } from "./errors.js";
-import { renderInlineMarkdown } from "./formatters/markdown.js";
+import {
+  escapeMarkdownInline,
+  renderInlineMarkdown,
+} from "./formatters/markdown.js";
 import { logger } from "./logger.js";
 import { completeOAuthFlow, performDeviceFlow } from "./oauth.js";
 import { generateQRCode } from "./qrcode.js";
@@ -61,7 +64,11 @@ export function buildDeviceFlowDisplay(
   const lines: string[] = [];
 
   lines.push("");
-  lines.push(renderInlineMarkdown(`  URL:  ${verificationUriComplete}`));
+  lines.push(
+    renderInlineMarkdown(
+      `  URL:  ${escapeMarkdownInline(verificationUriComplete)}`
+    )
+  );
   lines.push(renderInlineMarkdown(`  Code: \`${userCode}\``));
   lines.push("");
 

test/commands/cli/upgrade.test.ts

@@ -63,6 +63,11 @@ function createMockContext(
     ...overrides.env,
   };
 
+  // Force plain output so formatUpgradeResult renders raw markdown tables
+  // (ASCII pipes) instead of Unicode box-drawing characters in TTY mode.
+  const origPlain = process.env.SENTRY_PLAIN_OUTPUT;
+  process.env.SENTRY_PLAIN_OUTPUT = "1";
+
   // Capture consola output (routed to process.stderr)
   const origWrite = process.stderr.write.bind(process.stderr);
   process.stderr.write = ((chunk: string | Uint8Array) => {
@@ -123,6 +128,11 @@ function createMockContext(
     errors,
     restore: () => {
       process.stderr.write = origWrite;
+      if (origPlain === undefined) {
+        delete process.env.SENTRY_PLAIN_OUTPUT;
+      } else {
+        process.env.SENTRY_PLAIN_OUTPUT = origPlain;
+      }
     },
   };
 }

test/lib/interactive-login.test.ts

@@ -30,7 +30,24 @@ describe("buildDeviceFlowDisplay", () => {
   test("includes complete URL with embedded code", () => {
     const lines = buildDeviceFlowDisplay(CODE, URL, true, false);
     const joined = lines.join("\n");
-    expect(joined).toContain(URL);
+    // URL is escaped for markdown safety (underscores become \_)
+    expect(joined).toContain("sentry.io/auth/device/");
+    expect(joined).toContain("ABCD-EFGH");
+  });
+
+  test("escapes markdown characters in URLs", () => {
+    const urlWithUnderscores =
+      "https://self_hosted.example.com/auth/device/?user_code=AB_CD";
+    const lines = buildDeviceFlowDisplay(
+      "AB_CD",
+      urlWithUnderscores,
+      true,
+      false
+    );
+    const joined = lines.join("\n");
+    // Underscores should be escaped so they aren't interpreted as emphasis
+    expect(joined).toContain("self\\_hosted");
+    expect(joined).not.toContain("<em>");
   });
 
   test("includes user code as inline code span", () => {