diff --git a/mautrix_telegram/formatter/from_telegram.py b/mautrix_telegram/formatter/from_telegram.py
index ddb93ac2..ccbe82e7 100644
--- a/mautrix_telegram/formatter/from_telegram.py
+++ b/mautrix_telegram/formatter/from_telegram.py
@@ -69,27 +69,30 @@ async def _add_forward_header(source, text: str, html: Optional[str],
user = u.User.get_by_tgid(TelegramID(fwd_from.from_id))
if user:
fwd_from_text = user.displayname or user.mxid
- fwd_from_html = f"{fwd_from_text}"
+ fwd_from_html = (f""
+ f"{escape(fwd_from_text)}")
if not fwd_from_text:
puppet = pu.Puppet.get(TelegramID(fwd_from.from_id), create=False)
if puppet and puppet.displayname:
fwd_from_text = puppet.displayname or puppet.mxid
- fwd_from_html = f"{fwd_from_text}"
+ fwd_from_html = (f""
+ f"{escape(fwd_from_text)}")
if not fwd_from_text:
user = await source.client.get_entity(PeerUser(fwd_from.from_id))
if user:
fwd_from_text = pu.Puppet.get_displayname(user, False)
- fwd_from_html = f"{fwd_from_text}"
+ fwd_from_html = f"{escape(fwd_from_text)}"
else:
portal = po.Portal.get_by_tgid(TelegramID(fwd_from.channel_id))
if portal:
fwd_from_text = portal.title
if portal.alias:
- fwd_from_html = f"{fwd_from_text}"
+ fwd_from_html = (f""
+ f"{escape(fwd_from_text)}")
else:
- fwd_from_html = f"{fwd_from_text}"
+ fwd_from_html = f"{escape(fwd_from_text)}"
else:
channel = await source.client.get_entity(PeerChannel(fwd_from.channel_id))
if channel:
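Review bot: The escaping is repeated at each of the five `fwd_from_html` assignments, and the channel fallback that begins on the last two lines of this hunk (`get_entity(PeerChannel(...))`) is cut off, so it is not visible whether a title taken from that entity is escaped too. That branch should be checked, since it carries the same remotely controlled text. Escaping once right after each name is resolved, e.g. `fwd_from_safe = escape(fwd_from_text)`, or building the link in one small helper, would keep a later branch from missing it. Separately, `portal.title` and the result of `pu.Puppet.get_displayname(user, False)` now go straight into `escape()`; if either can be `None` (not determinable from the hunk) and `escape` is `html.escape`, the call raises where the old f-string simply rendered the text "None". `_add_forward_header` starts and ends outside the hunk.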
@@ -141,7 +144,7 @@ async def _add_reply_header(source: "AbstractUser", text: str, html: str, evt: M
puppet = pu.Puppet.get_by_mxid(r_sender, create=False)
r_displayname = puppet.displayname if puppet else r_sender
- r_sender_link = f"{r_displayname}"
+ r_sender_link = f"{escape(r_displayname)}"
except (ValueError, KeyError, MatrixRequestError):
r_sender_link = "unknown user"
r_displayname = "unknown user"
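Review bot: `r_displayname` on the line above the change is `puppet.displayname if puppet else r_sender`, so a puppet that exists but has no display name yields `None`, and `escape(None)` would then raise an exception that the `except (ValueError, KeyError, MatrixRequestError)` tuple does not catch. This assumes `escape` is `html.escape`, whose import is not in the hunk. Falling back to the sender ID covers that case: `r_displayname = (puppet.displayname if puppet else None) or r_sender`. The unescaped `r_displayname` also stays in scope after this block, so any later use of it in HTML output (outside the hunk) needs the same escaping. `_add_reply_header` continues beyond the hunk.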