AICA GitHub: Security Flaw Exposes Telegram Notification System to HTML Injection via Unescaped Variables
A critical security vulnerability has been identified in the AICA project's Telegram notification system, allowing for potential HTML injection attacks. The flaw resides in the `telegram-send-notification` function, where user-provided or database-stored `message_variables` are inserted into message templates without proper HTML escaping before being rendered with `parseMode: 'HTML'`. This creates a direct template-injection vector, enabling an attacker or malicious data to inject arbitrary HTML code into messages sent via the platform's notification pipeline.
The issue was flagged during a code review of PR #1370, a refactoring effort to consolidate the `/digest` endpoint into `/status`. Reviewer Panto explicitly warned that the current implementation "allows an attacker or malicious DB value to inject HTML into the message." The vulnerability is pre-existing and was not introduced by the refactoring PR; it was already present in the original `telegram-send-notification` function. The core problem is that the template renderer substitutes `{{var}}` placeholders with raw variable values, which are then passed directly to Telegram's HTML parser.
This oversight exposes the notification system to significant risk. Without sanitization, variables containing characters like `<`, `>`, `&`, `"`, or `'` could be interpreted as HTML tags or entities, potentially leading to cross-site scripting (XSS) attacks within the Telegram client interface or manipulation of message content. The reviewer's recommended fix is to either HTML-encode all variable values before injection or switch the parse mode to MarkdownV2 with appropriate escaping. The finding underscores a persistent security hygiene failure in a core communication component, leaving automated alerts and status updates vulnerable to data integrity breaches and malicious payload delivery.
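The substitution-then-parse sequence the article describes, alongside the HTML-encoding fix the reviewer recommends, as an added example that is not the AICA project's own code. The `{{var}}` placeholder syntax and the `parseMode: 'HTML'` option come from the article; the function names, the template and the sample variable values are assumptions constructed here.

```javascript
// Escape the characters Telegram's HTML parser would otherwise treat as markup.
// Ampersand goes first so already-escaped output is not double-encoded.
function escapeTelegramHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

const PLACEHOLDER = /\{\{\s*(\w+)\s*\}\}/g;
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Vulnerable renderer: the raw variable value is spliced into the template,
// so markup inside a variable is later parsed as part of the message.
function renderUnsafe(template, vars) {
  return template.replace(PLACEHOLDER, (_, name) =>
    has(vars, name) ? String(vars[name]) : '');
}

// Hardened renderer: every variable value is escaped before substitution.
// Markup written by the template author (e.g. <b>) is preserved; only
// variable content is neutralised, which is the first fix the reviewer suggests.
function renderSafe(template, vars) {
  return template.replace(PLACEHOLDER, (_, name) =>
    has(vars, name) ? escapeTelegramHtml(vars[name]) : '');
}

// Build the outgoing message with the hardened renderer; the option name
// mirrors the one quoted in the article (hypothetical client shape).
function buildMessage(chatId, template, vars) {
  return { chatId, text: renderSafe(template, vars), parseMode: 'HTML' };
}

// Constructed sample: a database-sourced status value that carries markup.
const TEMPLATE = '<b>Status:</b> {{status}} ({{source}})';
const TAINTED = { status: '<i>ok</i>', source: 'db & api' };

console.log('unsafe:', renderUnsafe(TEMPLATE, TAINTED));
console.log('safe:  ', renderSafe(TEMPLATE, TAINTED));
```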