diff --git a/app/lib/tasks/telegram_bot_task.rb b/app/lib/tasks/telegram_bot_task.rb
index 54ed378d..7f672e99 100644
--- a/app/lib/tasks/telegram_bot_task.rb
+++ b/app/lib/tasks/telegram_bot_task.rb
@@ -125,7 +125,7 @@ module Tasks
chat_id: chat_id,
message_id: response_message.message_id,
text: result_text,
- parse_mode: "Markdown",
+ parse_mode: "HTML",
)
# Record total request time
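Review bot: Switching `parse_mode` to `"HTML"` makes every `<`, `>` and `&` in `result_text` significant, and Telegram's HTML mode rejects the whole edit with a 400 ("can't parse entities") on a stray `<` or an unsupported tag, so any fragment concatenated into `result_text` that is not routed through the new `html_escape` helper now breaks message delivery rather than just rendering oddly. The construction of `result_text` is not in this hunk, and the `edit_message_text` call whose arguments are shown starts above it, so please audit every interpolation that feeds it (post ids, status strings, error messages) and escape anything that can carry user-controlled text. It would also be worth wrapping the call so a parse failure degrades gracefully, e.g. rescuing `Telegram::Bot::Exceptions::ResponseError` and re-sending the same text with `parse_mode` omitted, so one odd character in a title does not leave the user with no reply at all.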
@@ -386,9 +386,10 @@ module Tasks
external_url = post.external_url_for_view
if (title = post.title) && external_url
- response += " - [#{post.to_param} - #{title}](#{external_url})"
+ response +=
+ " - #{post.to_param} - #{html_escape(title)}"
elsif external_url
- response += " - [#{post.to_param}](#{external_url})"
+ response += " - #{post.to_param}"
else
response += " - #{post.to_param}"
end
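Review bot: The `elsif external_url` and `else` branches now produce the identical string, so `external_url` (computed on the line above the hunk) only gates whether the title is appended and the link the old Markdown version emitted is silently gone; if that was not the intent, HTML mode supports `<a href="…">…</a>`, but the href would need an escaper that also handles `"` (and `&`), which the three-`gsub` helper added further down in this diff does not cover even though its comment lists `&quot;`. If dropping the link is deliberate, collapse the conditional to `response += " - #{post.to_param}"` followed by `response += " - #{html_escape(title)}" if (title = post.title) && external_url`, and add a comment saying the link was dropped on purpose. `post.to_param` is interpolated unescaped; that is fine for a numeric id, but if `to_param` is overridden to a slug anywhere it needs `html_escape` too. The enclosing method starts before this hunk.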
@@ -396,9 +397,10 @@ module Tasks
if post.respond_to?(:creator) && (creator = post.send(:creator))
url = creator.external_url_for_view
if url
- response += " by [#{creator.name_for_view}](#{url})"
+ response +=
+ " by #{html_escape(creator.name_for_view)}"
else
- response += " by #{creator.name_for_view}"
+ response += " by #{html_escape(creator.name_for_view)}"
end
end
response += "\n"
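Review bot: Both arms of `if url` now append exactly the same text, so `url = creator.external_url_for_view` is dead apart from an extra method call on every post; either restore the creator link as an `<a href="…">` with the URL attribute-escaped, or reduce the block to `response += " by #{html_escape(creator.name_for_view)}"` and drop the `url` assignment. Note also that `html_escape` is declared with `sig { params(text: String) }`, so if `name_for_view` can return `nil` the new code raises a Sorbet type error where the old plain interpolation produced an empty string; guard with `name_for_view.to_s` or check the return type of that method. The enclosing method continues past the end of this hunk.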
@@ -407,6 +409,17 @@ module Tasks
response
end
+ sig { params(text: String).returns(String) }
+ def html_escape(text)
+ # Only escape characters that are explicitly required by Telegram Bot API
+ # All <, > and & symbols that are not part of a tag or HTML entity must be replaced
+ # API supports only these named HTML entities: <, >, & and "
+ text
+ .gsub("&", "&") # Ampersand (must be first to avoid double-escaping)
+ .gsub("<", "<") # Less than
+ .gsub(">", ">") # Greater than
+ end
+
# Extract image file information from Telegram message
sig do
params(message: Telegram::Bot::Types::Message).returns(