From 6388f2f4dad4762b09ebddf84c39729ce67ff39c Mon Sep 17 00:00:00 2001 From: agent_coder Date: Sun, 5 Jul 2026 21:52:03 +0300 Subject: [PATCH] test(media): lock XSS escaping on new-media-type user-string sinks (#21 review F1) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The new Telegram media types (Kurigram 2.2.23) escape every user string in _format_special_media, but only CONTACT first_name + CHECKLIST task text were regression-tested — the reviewer mutation-proved the other sinks were uncovered (removing html.escape from VENUE title / GIVEAWAY description / CHECKLIST title kept the suite green). Given this project's XSS history (#12 fail-open, #13 debug-title), lock them. Add 7 regression tests (mirroring test_contact_name_is_escaped): a