From 96b8fe472ce2600906237ebc120e9c99983bc4d5 Mon Sep 17 00:00:00 2001
From: Aleksei Sidorenko <88515338+rydve@users.noreply.github.com>
Date: Wed, 4 Mar 2026 13:35:24 +0300
Subject: [PATCH] Fix: escape HTML characters in tgbot start command (#3883)

---
 web/service/tgbot.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/web/service/tgbot.go b/web/service/tgbot.go
index 3ff80b40..6bb335b9 100644
--- a/web/service/tgbot.go
+++ b/web/service/tgbot.go
@@ -8,6 +8,7 @@ import (
 "encoding/json"
 "errors"
 "fmt"
+ "html"
 "io"
 "math/big"
 "net"
@@ -651,7 +652,7 @@ func (t *Tgbot) answerCommand(message *telego.Message, chatId int64, isAdmin boo
 msg += t.I18nBot("tgbot.commands.help")
 msg += t.I18nBot("tgbot.commands.pleaseChoose")
 case "start":
- msg += t.I18nBot("tgbot.commands.start", "Firstname=="+message.From.FirstName)
+ msg += t.I18nBot("tgbot.commands.start", "Firstname=="+html.EscapeString(message.From.FirstName))
 if isAdmin {
 msg += t.I18nBot("tgbot.commands.welcome", "Hostname=="+hostname)
 }
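Review bot: Escaping at this one call site leaves every other `Key==value` substitution handed to I18nBot unescaped, including `"Hostname=="+hostname` two lines below in the same hunk, and any other user-controlled Telegram field (last name, username, names taken from inbound/client records) interpolated into bot messages elsewhere in the file will have the same injection problem the commit title describes. Since the template is evidently sent with HTML parse mode, the safer fix is to apply `html.EscapeString` inside I18nBot (or a small wrapper) where each `Key==value` argument is split, so that a future call site cannot forget it; if I18nBot is shared with non-HTML output, a dedicated `t.I18nBotHTML(...)` wrapper that escapes the value part keeps the change contained. Separately, `message.From` is dereferenced without a nil check; if telego models it as a pointer that can be absent (e.g. channel posts), a guard such as `if message.From == nil { return }` ahead of this switch would avoid a panic, though that is pre-existing rather than introduced here. answerCommand's body begins and ends outside the hunk.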