Fix CLI crash when user input contains Spectre markup characters (#12919)

* Initial plan

* Fix CLI markup escaping in prompts to prevent crashes with special characters

Co-authored-by: mitchdenny <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: mitchdenny <[email protected]>

Author: Copilot

src/Aspire.Cli/Commands/NewCommand.cs

@@ -243,18 +243,22 @@ static string FormatPackageLabel((NuGetPackage Package, PackageChannel Channel)
 
     public virtual async Task<string> PromptForOutputPath(string path, CancellationToken cancellationToken)
     {
+        // Escape markup characters in the path to prevent Spectre.Console from trying to parse them as markup
+        // when displaying it as the default value in the prompt
         return await interactionService.PromptForStringAsync(
             NewCommandStrings.EnterTheOutputPath,
-            defaultValue: path,
+            defaultValue: path.EscapeMarkup(),
             cancellationToken: cancellationToken
             );
     }
 
     public virtual async Task<string> PromptForProjectNameAsync(string defaultName, CancellationToken cancellationToken)
     {
+        // Escape markup characters in the default name to prevent Spectre.Console from trying to parse them as markup
+        // when displaying it as the default value in the prompt
         return await interactionService.PromptForStringAsync(
             NewCommandStrings.EnterTheProjectName,
-            defaultValue: defaultName,
+            defaultValue: defaultName.EscapeMarkup(),
             validator: name => ProjectNameValidator.IsProjectNameValid(name)
                 ? ValidationResult.Success()
                 : ValidationResult.Error(NewCommandStrings.InvalidProjectName),

src/Aspire.Cli/Commands/PipelineCommandBase.cs

@@ -769,13 +769,13 @@ private async Task HandlePromptActivityAsync(PublishingActivity activity, IAppHo
         {
             InputType.Text => await InteractionService.PromptForStringAsync(
                 promptText,
-                defaultValue: input.Value,
+                defaultValue: input.Value?.EscapeMarkup(),
                 required: input.Required,
                 cancellationToken: cancellationToken),
 
             InputType.SecretText => await InteractionService.PromptForStringAsync(
                 promptText,
-                defaultValue: input.Value,
+                defaultValue: input.Value?.EscapeMarkup(),
                 isSecret: true,
                 required: input.Required,
                 cancellationToken: cancellationToken),
@@ -786,15 +786,15 @@ private async Task HandlePromptActivityAsync(PublishingActivity activity, IAppHo
 
             InputType.Number => await HandleNumberInputAsync(input, promptText, cancellationToken),
 
-            _ => await InteractionService.PromptForStringAsync(promptText, defaultValue: input.Value, required: input.Required, cancellationToken: cancellationToken)
+            _ => await InteractionService.PromptForStringAsync(promptText, defaultValue: input.Value?.EscapeMarkup(), required: input.Required, cancellationToken: cancellationToken)
         };
     }
 
     private async Task<string?> HandleSelectInputAsync(PublishingPromptInput input, string promptText, CancellationToken cancellationToken)
     {
         if (input.Options is null || input.Options.Count == 0)
         {
-            return await InteractionService.PromptForStringAsync(promptText, defaultValue: input.Value, required: input.Required, cancellationToken: cancellationToken);
+            return await InteractionService.PromptForStringAsync(promptText, defaultValue: input.Value?.EscapeMarkup(), required: input.Required, cancellationToken: cancellationToken);
         }
 
         // If AllowCustomChoice is enabled then add an "Other" option to the list.
@@ -816,7 +816,7 @@ private async Task HandlePromptActivityAsync(PublishingActivity activity, IAppHo
 
         if (value == CustomChoiceValue)
         {
-            return await InteractionService.PromptForStringAsync(promptText, defaultValue: input.Value, required: input.Required, cancellationToken: cancellationToken);
+            return await InteractionService.PromptForStringAsync(promptText, defaultValue: input.Value?.EscapeMarkup(), required: input.Required, cancellationToken: cancellationToken);
         }
 
         AnsiConsole.MarkupLine($"{promptText} {displayText.EscapeMarkup()}");
@@ -838,7 +838,7 @@ static ValidationResult Validator(string value)
 
         return await InteractionService.PromptForStringAsync(
             promptText,
-            defaultValue: input.Value,
+            defaultValue: input.Value?.EscapeMarkup(),
             validator: Validator,
             required: input.Required,
             cancellationToken: cancellationToken);

src/Aspire.Cli/Projects/ProjectUpdater.cs

@@ -108,7 +108,7 @@ public async Task<ProjectUpdateResult> UpdateProjectAsync(FileInfo projectFile,
 
             var selectedPathForNewNuGetConfigFile = await interactionService.PromptForStringAsync(
                 promptText: UpdateCommandStrings.WhichDirectoryNuGetConfigPrompt,
-                defaultValue: recommendedNuGetConfigFileDirectory,
+                defaultValue: recommendedNuGetConfigFileDirectory.EscapeMarkup(),
                 validator: null,
                 isSecret: false,
                 required: true,

src/Aspire.Cli/Templating/DotNetTemplateFactory.cs

@@ -13,6 +13,7 @@
 using Aspire.Cli.Utils;
 using NuGetPackage = Aspire.Shared.NuGetPackageCli;
 using Semver;
+using Spectre.Console;
 
 namespace Aspire.Cli.Templating;
 
@@ -448,7 +449,7 @@ private async Task<TemplateResult> ApplyTemplateAsync(CallbackTemplate template,
             // working directory, create one in the newly created project's output directory.
             await PromptToCreateOrUpdateNuGetConfigAsync(selectedTemplateDetails.Channel, outputPath, cancellationToken);
 
-            interactionService.DisplaySuccess(string.Format(CultureInfo.CurrentCulture, TemplatingStrings.ProjectCreatedSuccessfully, outputPath));
+            interactionService.DisplaySuccess(string.Format(CultureInfo.CurrentCulture, TemplatingStrings.ProjectCreatedSuccessfully, outputPath.EscapeMarkup()));
 
             return new TemplateResult(ExitCodeConstants.Success, outputPath);
         }

tests/Aspire.Cli.Tests/Commands/NewCommandTests.cs

@@ -578,6 +578,76 @@ public async Task NewCommandPromptsForTemplateVersionBeforeTemplateOptions()
                 $"Template version should be prompted before template options. Order: {string.Join(", ", operationOrder)}");
         }
     }
+
+    [Fact]
+    public async Task NewCommandEscapesMarkupInProjectNameAndOutputPath()
+    {
+        // This test validates that project names containing Spectre markup characters
+        // (like '[' and ']') are properly escaped when displayed as default values in prompts.
+        // This prevents crashes when the markup parser encounters malformed markup.
+        
+        var projectNameWithMarkup = "[27;5;13~";  // Example of input that could crash the markup parser
+        var capturedProjectNameDefault = string.Empty;
+        var capturedOutputPathDefault = string.Empty;
+
+        using var workspace = TemporaryWorkspace.Create(outputHelper);
+        var services = CliTestHelper.CreateServiceCollection(workspace, outputHelper, options =>
+        {
+            options.NewCommandPrompterFactory = (sp) =>
+            {
+                var interactionService = sp.GetRequiredService<IInteractionService>();
+                var prompter = new TestNewCommandPrompter(interactionService);
+
+                // Simulate user entering a project name with markup characters
+                prompter.PromptForProjectNameCallback = (defaultName) =>
+                {
+                    capturedProjectNameDefault = defaultName;
+                    return projectNameWithMarkup;
+                };
+
+                // Capture what default value is passed for the output path
+                // The path passed to this callback is the unescaped version
+                prompter.PromptForOutputPathCallback = (path) =>
+                {
+                    capturedOutputPathDefault = path;
+                    // Return the path as-is - the escaping is handled internally by PromptForOutputPath
+                    return path;
+                };
+
+                return prompter;
+            };
+
+            options.DotNetCliRunnerFactory = (sp) =>
+            {
+                var runner = new TestDotNetCliRunner();
+                runner.SearchPackagesAsyncCallback = (dir, query, prerelease, take, skip, nugetSource, useCache, options, cancellationToken) =>
+                {
+                    var package = new NuGetPackage()
+                    {
+                        Id = "Aspire.ProjectTemplates",
+                        Source = "nuget",
+                        Version = "9.2.0"
+                    };
+
+                    return (0, new NuGetPackage[] { package });
+                };
+
+                return runner;
+            };
+        });
+        var provider = services.BuildServiceProvider();
+
+        var command = provider.GetRequiredService<RootCommand>();
+        var result = command.Parse("new aspire-starter --use-redis-cache --test-framework None");
+
+        var exitCode = await result.InvokeAsync().WaitAsync(CliTestConstants.DefaultTimeout);
+        Assert.Equal(0, exitCode);
+
+        // Verify that the default output path was derived from the project name with markup characters
+        // The path parameter passed to the callback contains the unescaped markup characters
+        var expectedPath = $"./[27;5;13~";
+        Assert.Equal(expectedPath, capturedOutputPathDefault);
+    }
 }
 
 internal sealed class TestNewCommandPrompter(IInteractionService interactionService) : NewCommandPrompter(interactionService)