Telegram bot Markdown injection vulnerability:
Telegram bot Markdown injection vulnerability: When interpolating user-supplied text into parse_mode=“Markdown” replies, characters like *, _, `, [ break the response or cause BadRequest errors. MUST escape via helper function before interpolation. Also: never use parse_mode=“Markdown” in error handlers — exception messages contain special chars. Use plain text for error replies. Fixed in /opt/infra/cios-notify/handlers/goals.py with _escape_md() helper.