Fix #5: HTML injection in Telegram messages #20

Merged
shoko merged 1 commits from fix/issue-5-html-injection-telegram into master 2026-03-25 13:13:52 +01:00

1 Commits

Author SHA1 Message Date
shoko
d0534aedbf Fix #5: HTML injection in Telegram messages
Add escape_html() function to prevent HTML injection in Telegram
parse_mode=HTML messages. Apply escaping to event titles inserted
into <a> tags in send_to_telegram().

- Add escape_html() using stdlib html.escape()
- Escape match event titles (line 648) and non-match titles (line 676)
- Add TestHtmlInjection with 2 tests proving the fix:
  - <script> tags escaped as &lt;script&gt;
  - & ampersands escaped as &amp;
- Fixes HIGH severity: titles from Polymarket API were inserted
  without escaping, allowing malformed HTML in Telegram messages
2026-03-25 11:42:42 +00:00
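To illustrate the class of bug this commit fixes, here is an added example (not the project's own code) showing why untrusted titles must be escaped before being interpolated into a Telegram `parse_mode=HTML` message. It mirrors the commit's `escape_html()` built on the stdlib `html.escape()`, but the `build_event_link*` helpers, the `render_message` function and the sample titles are assumptions constructed for this example; they are not the project's `send_to_telegram()`.

```python
import html
import re

# Constructed sample titles, standing in for event titles returned by an
# external API that the bot does not control.
SAMPLE_TITLES = [
    "Will <script>alert(1)</script> be elected?",
    "Tom & Jerry reunion announced by 2030?",
    'Title with "quotes" and <b>fake bold</b>',
]
SAMPLE_URL = "https://example.invalid/event/123"  # placeholder URL


def escape_html(text: str) -> str:
    """Escape a string for Telegram parse_mode=HTML.

    Telegram's HTML mode treats <, > and & as markup, so any of them coming
    from untrusted input must be turned into entities. html.escape() also
    escapes quotes (quote=True), which matters inside attribute values.
    """
    return html.escape(text, quote=True)


def build_event_link_unsafe(title: str, url: str) -> str:
    """Vulnerable pattern: raw title dropped straight into an <a> tag."""
    return f'<a href="{url}">{title}</a>'


def build_event_link(title: str, url: str) -> str:
    """Hardened pattern: escape both the attribute value and the text node."""
    return f'<a href="{escape_html(url)}">{escape_html(title)}</a>'


# Only the tags the bot intentionally emits are expected in the final message.
_ALLOWED_TAGS = {"a"}
_TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")


def unexpected_tags(message: str) -> set[str]:
    """Return tag names in the rendered message that the bot never emits.

    A non-empty result means untrusted input reached the HTML unescaped;
    useful as a last-line check before calling the Telegram API.
    """
    found = {m.group(1).lower() for m in _TAG_RE.finditer(message)}
    return found - _ALLOWED_TAGS


def render_message(titles: list[str], url: str, safe: bool = True) -> str:
    """Render one line per event, using the safe or unsafe link builder."""
    builder = build_event_link if safe else build_event_link_unsafe
    return "\n".join(builder(t, url) for t in titles)


if __name__ == "__main__":
    unsafe = render_message(SAMPLE_TITLES, SAMPLE_URL, safe=False)
    safe = render_message(SAMPLE_TITLES, SAMPLE_URL, safe=True)
    print("unsafe message leaks tags:", sorted(unexpected_tags(unsafe)))
    print("safe message leaks tags:  ", sorted(unexpected_tags(safe)))
    print(safe)
```

Running the block shows the unsafe rendering carrying `script` and `b` tags that the bot never meant to send, while the escaped rendering carries only the intended `<a>` tags; the `unexpected_tags()` check is a cheap guard to keep in a test suite alongside the commit's `TestHtmlInjection` cases.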