[SECURITY] HIGH: HTML injection in Telegram messages #5

New Issue

Closed

opened 2026-03-25 10:38:06 +01:00 by shoko · 0 comments

shoko commented 2026-03-25 10:38:06 +01:00

Owner

Copy Link

Severity: HIGH

Event titles from Polymarket API are inserted directly into Telegram messages with parse_mode=HTML without escaping. Characters like <, >, & are not escaped.

Location

scripts/browse.py lines 614-661 (send_to_telegram())

Attack Scenario

1. Polymarket (or attacker who compromises data) includes title like <script>alert('XSS')</script>
2. The bot sends this to Telegram
3. Telegram renders the HTML (limited XSS risk but malformed HTML can cause issues)

Recommended Fix

import html

def escape_html(text):
    return (text
        .replace("&", "&")
        .replace("<", "&lt;")
        .replace(">", "&gt;")
        .replace('"', "&quot;"))

title_escaped = escape_html(title_clean)
lines.append(f"<b>{i}.</b> <a href=\"{url}\">{title_escaped}</a>")

Reference

See reviews/2026-03-25.md Section 6.3

## Severity: HIGH Event titles from Polymarket API are inserted directly into Telegram messages with `parse_mode=HTML` without escaping. Characters like `<`, `>`, `&` are not escaped. ## Location `scripts/browse.py` lines 614-661 (`send_to_telegram()`) ## Attack Scenario 1. Polymarket (or attacker who compromises data) includes title like `<script>alert('XSS')</script>` 2. The bot sends this to Telegram 3. Telegram renders the HTML (limited XSS risk but malformed HTML can cause issues) ## Recommended Fix ```python import html def escape_html(text): return (text .replace("&", "&amp;") .replace("<", "&lt;") .replace(">", "&gt;") .replace('"', "&quot;")) title_escaped = escape_html(title_clean) lines.append(f"<b>{i}.</b> <a href=\"{url}\">{title_escaped}</a>") ``` ## Reference See `reviews/2026-03-25.md` Section 6.3

shoko added the highsecurity labels 2026-03-25 10:38:06 +01:00

shoko referenced this issue 2026-03-25 10:40:34 +01:00

[SECURITY] polymarket-browse: Security Audit Tracking (2026-03-25) #3

shoko referenced this issue from a commit 2026-03-25 12:42:51 +01:00

Fix #5: HTML injection in Telegram messages

shoko referenced a pull request that will close this issue 2026-03-25 12:43:02 +01:00

Fix #5: HTML injection in Telegram messages #20

shoko closed this issue 2026-03-25 13:13:52 +01:00

shoko referenced this issue from a commit 2026-03-25 13:13:54 +01:00

Merge pull request 'Fix #5: HTML injection in Telegram messages' (#20) from fix/issue-5-html-injection-telegram into master

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

fix/live-time-display

feat/parallel-fetch-cache

fix/line-lengths

feat/add-type-hints

fix/issue-14-refactor-browse

hermes/hermes-e8a6100e

polymarket-browse/v0.0.3

polymarket-browse/v0.0.2

Labels

Clear labels

approved

bug

Bug fix

critical

Critical severity - stop using until fixed

enhancement

Enhancement or feature

high

High severity - fix ASAP

in review

low

Low severity

medium

Medium severity

need adjustment

need clarification

need review

security

Security-related issues

No Label high security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

han shoko

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: shoko/jujutsu-skills#5