hotfix(sender/telegram): escape-html-specials-in-tg-sender (#1066)

moira-alert · Aug 5, 2024 · ebd4d4d · ebd4d4d
1 parent 381cab9
commit ebd4d4d
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/senders/telegram/init.go b/senders/telegram/init.go
@@ -3,6 +3,7 @@ package telegram
 import (
 	"errors"
 	"fmt"
+	"html"
 	"strings"
 	"time"
 
@@ -136,23 +137,23 @@ func telegramLockKey(contactType string) string {
 }
 
 func urlFormatter(triggerURI, triggerName string) string {
-	return fmt.Sprintf("<a href=\"%s\">%s</a>", triggerURI, triggerName)
+	return fmt.Sprintf("<a href=\"%s\">%s</a>", triggerURI, html.EscapeString(triggerName))
 }
 
 func emptyDescriptionFormatter(trigger moira.TriggerData) string {
 	return ""
 }
 
 func boldFormatter(str string) string {
-	return fmt.Sprintf("<b>%s</b>", str)
+	return fmt.Sprintf("<b>%s</b>", html.EscapeString(str))
 }
 
 func eventStringFormatter(event moira.NotificationEvent, loc *time.Location) string {
 	return fmt.Sprintf(
 		"%s: <code>%s</code> = %s (%s to %s)",
 		event.FormatTimestamp(loc, moira.DefaultTimeFormat),
-		event.Metric,
-		event.GetMetricsValues(moira.DefaultNotificationSettings),
+		html.EscapeString(event.Metric),
+		html.EscapeString(event.GetMetricsValues(moira.DefaultNotificationSettings)),
 		event.OldState,
 		event.State)
 }