Add escape_html() function to prevent HTML injection in Telegram
parse_mode=HTML messages. Apply escaping to event titles inserted
into <a> tags in send_to_telegram().
- Add escape_html() using stdlib html.escape()
- Escape match event titles (line 648) and non-match titles (line 676)
- Add TestHtmlInjection with 2 tests proving fix:
  - <script> tags escaped as &lt;script&gt;
  - & ampersands escaped as &amp;
- Fixes HIGH severity: titles from Polymarket API were inserted
without escaping, allowing malformed HTML in Telegram messages
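The escaping the commit above describes, as an added example that is not the project's own code. escape_html() wraps stdlib html.escape() as the commit states; build_event_link_unsafe() and build_event_link() are hypothetical stand-ins for the f-string in send_to_telegram(), and the sample titles are constructed. The point to see is that a title from an external API can carry its own markup or a bare ampersand, and with parse_mode=HTML that either breaks parsing of the message or lets the title choose its own formatting; escaping the text node (and, with quote=True, the href attribute value) removes both.

```python
import html

# Added example (not the project's own code): the escaping the commit
# describes, beside the unescaped pattern it replaces. build_event_link*
# are hypothetical helpers standing in for the f-string in send_to_telegram().


def escape_html(text: str) -> str:
    """Escape untrusted text for a Telegram parse_mode=HTML message.

    html.escape() turns < > & into entities; quote=True also rewrites " and '
    so the same function is safe for attribute values (href="...").
    """
    return html.escape(str(text), quote=True)


def build_event_link_unsafe(title: str, url: str) -> str:
    """The pre-fix pattern: an API-supplied title dropped into markup as-is."""
    return f'<a href="{url}">{title}</a>'


def build_event_link(title: str, url: str) -> str:
    """Hardened: escape both the text node and the attribute value."""
    return f'<a href="{escape_html(url)}">{escape_html(title)}</a>'


# Constructed sample titles of the kind an external API could return.
SAMPLE_TITLES = [
    "Will BTC close above $100k?",            # benign
    "Tom & Jerry",                            # bare ampersand
    "<b>Fake</b> market <script>x</script>",  # markup smuggled into the title
    'Quote " inside',                         # would break out of an attribute
]


def render_all(url: str = "https://example.invalid/event/1") -> list[tuple[str, str]]:
    """Return (unsafe, safe) renderings for every sample title."""
    return [(build_event_link_unsafe(t, url), build_event_link(t, url)) for t in SAMPLE_TITLES]


if __name__ == "__main__":
    for unsafe, safe in render_all():
        print("UNSAFE:", unsafe)
        print("SAFE:  ", safe)
```

Escaping is applied at the point where the title is inserted into markup, not where it is fetched, so a title that is later used elsewhere (logs, a plain-text fallback) is not double-encoded. The href is escaped too because an ampersand in a query string is just as much an HTML special character inside an attribute as in text.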

Extract the nested send() function into a module-level
send_telegram_message(bot_token, chat_id, text, timeout=10)
function. This enables unit testing without hitting the real
Telegram API.
Changes:
- Add send_telegram_message() at module level in TELEGRAM section
- Replace nested send() with thin wrapper that calls
send_telegram_message()
- Update argparse --telegram help text to use TELEGRAM_BOT_TOKEN
- Add tests/test_browse.py with 8 unit tests covering:
  - Success case (returns message_id)
  - API error (RuntimeError)
  - Invalid token (HTTPError 404)
  - Rate limit (HTTPError 429)
  - Network error (URLError)
  - Timeout (URLError)
  - Custom timeout parameter
  - HTML parse_mode in request
Ref: #4
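A module-level sender of the shape the commit above describes, as an added example rather than the project's code. The signature send_telegram_message(bot_token, chat_id, text, timeout=10) is the commit's; the extra urlopen parameter, the fake_urlopen() transport and describe_outcome() are assumptions added here so the eight cases the commit lists (success, ok:false, HTTP 404/429, URLError, timeout, custom timeout, parse_mode=HTML in the body) can be exercised offline. The sender uses urllib from the standard library, which is consistent with the HTTPError/URLError names in the commit but is not confirmed by it.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Added example (not the project's own code). The `urlopen` parameter is an
# assumption made here so the transport can be swapped for a fake in tests.
TELEGRAM_API = "https://api.telegram.org"


def send_telegram_message(bot_token, chat_id, text, timeout=10,
                          urlopen=urllib.request.urlopen):
    """POST one parse_mode=HTML message; return Telegram's message_id.

    HTTPError (404 bad token, 429 rate limit) and URLError (DNS failure,
    timeout) propagate unchanged; an HTTP 200 with ok:false raises RuntimeError.
    The token sits in the URL path, so never log req.full_url or e.url.
    """
    url = f"{TELEGRAM_API}/bot{bot_token}/sendMessage"
    body = urllib.parse.urlencode(
        {"chat_id": chat_id, "text": text, "parse_mode": "HTML"}
    ).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="POST")
    with urlopen(req, timeout=timeout) as resp:
        payload = json.loads(resp.read().decode("utf-8"))
    if not payload.get("ok"):
        raise RuntimeError(
            f"Telegram API error: {payload.get('description', 'unknown')}"
        )
    return payload["result"]["message_id"]


class _FakeResponse:
    """Minimal stand-in for the object urlopen() returns."""

    def __init__(self, payload):
        self._body = json.dumps(payload).encode("utf-8")

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_urlopen(payload=None, http_status=None, network_error=None):
    """Build an offline replacement for urllib.request.urlopen.

    Records every (request, timeout) call on .calls so a test can inspect
    the URL, body and timeout that would have gone over the wire.
    """
    calls = []

    def _urlopen(req, timeout=10):
        calls.append((req, timeout))
        if network_error is not None:
            raise urllib.error.URLError(network_error)  # DNS failure, timeout
        if http_status is not None:
            raise urllib.error.HTTPError(req.full_url, http_status, "fake", {}, None)
        return _FakeResponse(payload)

    _urlopen.calls = calls
    return _urlopen


def describe_outcome(urlopen, timeout=10):
    """Run one send against a fake transport and summarise what happened."""
    try:
        mid = send_telegram_message("123:ABC", "7", "<b>hi</b>",
                                    timeout=timeout, urlopen=urlopen)
        return f"sent:{mid}"
    except urllib.error.HTTPError as e:   # subclass of URLError: catch first
        return f"http:{e.code}"
    except urllib.error.URLError as e:
        return f"network:{e.reason}"
    except RuntimeError as e:
        return f"api:{e}"


if __name__ == "__main__":
    ok = fake_urlopen({"ok": True, "result": {"message_id": 42}})
    print(describe_outcome(ok))                                  # sent:42
    print(describe_outcome(fake_urlopen(http_status=429)))       # http:429
    print(describe_outcome(fake_urlopen(network_error="timed out")))
```

Keeping the transport injectable is what makes the error paths testable: a real 429 or DNS failure cannot be triggered on demand, but the fake can raise exactly the exception class the caller must handle. The HTML escaping from the earlier commit still belongs to the caller; this function sends whatever text it is given.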