Add escape_html() function to prevent HTML injection in Telegram
parse_mode=HTML messages. Apply escaping to event titles inserted
into <a> tags in send_to_telegram().
- Add escape_html() using stdlib html.escape()
- Escape match event titles (line 648) and non-match titles (line 676)
- Add TestHtmlInjection with 2 tests proving fix:
- <script> tags escaped as <script>
- & ampersands escaped as &
- Fixes HIGH severity: titles from Polymarket API were inserted
without escaping, allowing malformed HTML in Telegram messages
Extract the nested send() function into a module-level
send_telegram_message(bot_token, chat_id, text, timeout=10)
function. This enables unit testing without hitting the real
Telegram API.
Changes:
- Add send_telegram_message() at module level in TELEGRAM section
- Replace nested send() with thin wrapper that calls
send_telegram_message()
- Update argparse --telegram help text to use TELEGRAM_BOT_TOKEN
- Add tests/test_browse.py with 8 unit tests covering:
- Success case (returns message_id)
- API error (RuntimeError)
- Invalid token (HTTPError 404)
- Rate limit (HTTPError 429)
- Network error (URLError)
- Timeout (URLError)
- Custom timeout parameter
- HTML parse_mode in request
Ref: #4
Replace curl subprocess with urllib.request to prevent token leakage via
ps aux / /proc/*/cmdline. Token now stays in process memory only.
Changes:
- Remove subprocess import, add urllib.parse.urlencode and urllib.request
- Replace curl subprocess call with urlopen(Request(...))
- Change env var BOT_TOKEN -> TELEGRAM_BOT_TOKEN (clearer naming)
- Raise RuntimeError on missing env vars, API errors, or network errors
- Add 10s timeout to urlopen
Fixes#4
Browse tradeable Polymarket events by game category.
Supports Dota 2, Counter Strike, League of Legends, Valorant, NBA, NFL, UFC, Tennis.
Features WIB timezone, compact 6-line format, exponential backoff rate limiting.
