From 6b3946f1d6573430e1a3f281f8e19a6949e55e4e Mon Sep 17 00:00:00 2001
From: Nikita Nemirovsky <vaze.legend@gmail.com>
Date: Mon, 13 Apr 2026 13:48:43 +0800
Subject: [PATCH 1/2] fix(telegram): stop auto-linking destinations in /policy
 show

Telegram was rendering every destination string in /policy show output
as a clickable blue link (example.com, api.github.com, etc.) because
the message was sent in plain text mode and Telegram auto-detects URL
patterns.

Wrap the output in <pre>...</pre> and send with ParseMode=HTML +
DisableWebPagePreview. Inside a preformatted block Telegram leaves URL
patterns alone, and the monospace rendering also aligns the columns
better.

- commands.go: htmlPreOpen/htmlPreClose constants, htmlEscapeText
  helper, wrap both policyShow (engine fallback) and
  policyShowFromStore in <pre>. Escape destination, tool, pattern,
  replacement, name, source, default verdict, and protocols.
- approval.go: sendReply path sniffs the <pre> prefix and switches to
  HTML parse mode with web-page preview disabled. Other replies are
  still plain text.
- Tests: TestPolicyShowEscapesHTML and a wrapping check in
  TestPolicyShowIncludesAllFields.
---
 internal/telegram/approval.go      |  9 ++++++
 internal/telegram/commands.go      | 42 ++++++++++++++++++----------
 internal/telegram/commands_test.go | 45 +++++++++++++++++++++++++++---
 3 files changed, 78 insertions(+), 18 deletions(-)

diff --git a/internal/telegram/approval.go b/internal/telegram/approval.go
index b86a598..a4a799b 100644
--- a/internal/telegram/approval.go
+++ b/internal/telegram/approval.go
@@ -434,6 +434,15 @@ func (tc *TelegramChannel) handleMessage(msg *tgbotapi.Message) {
 	}
 
 	reply := tgbotapi.NewMessage(tc.chatID, response)
+	// Responses that contain <code> or <b> are pre-rendered HTML (see
+	// policyShow / policyShowFromStore). Send them with HTML parse mode so
+	// the tags render and Telegram does not auto-link URLs inside <code>.
+	// Plain-text responses never contain these tags because dynamic input
+	// gets HTML-escaped before insertion.
+	if strings.Contains(response, "<code>") || strings.Contains(response, "<b>") {
+		reply.ParseMode = tgbotapi.ModeHTML
+		reply.DisableWebPagePreview = true
+	}
 	if _, err := tc.api.Send(reply); err != nil {
 		log.Printf("telegram send error: %s", sanitizeError(err))
 	}
diff --git a/internal/telegram/commands.go b/internal/telegram/commands.go
index 0522de7..006f2a6 100644
--- a/internal/telegram/commands.go
+++ b/internal/telegram/commands.go
@@ -216,9 +216,7 @@ func (h *CommandHandler) policyShow() string {
 	// Fallback to engine snapshot when store is not configured.
 	snap := h.engine.Load().Snapshot()
 	var b strings.Builder
-	b.WriteString("Current policy (default: ")
-	b.WriteString(snap.Default.String())
-	b.WriteString(")\n\n")
+	fmt.Fprintf(&b, "Current policy (default: %s)\n\n", htmlCode(snap.Default.String()))
 
 	for _, section := range []struct {
 		label string
@@ -235,14 +233,14 @@ func (h *CommandHandler) policyShow() string {
 		b.WriteString(":\n")
 		for _, r := range section.rules {
 			b.WriteString("  ")
-			b.WriteString(r.Destination)
+			b.WriteString(htmlCode(r.Destination))
 			if len(r.Ports) > 0 {
 				b.WriteString(" ports=")
 				b.WriteString(formatPorts(r.Ports))
 			}
 			if len(r.Protocols) > 0 {
 				b.WriteString(" protocols=")
-				b.WriteString(strings.Join(r.Protocols, ","))
+				b.WriteString(htmlCode(strings.Join(r.Protocols, ",")))
 			}
 			b.WriteString("\n")
 		}
@@ -255,6 +253,23 @@ func (h *CommandHandler) policyShow() string {
 	return b.String()
 }
 
+// htmlEscapeText escapes the three characters that Telegram's HTML parse mode
+// requires in text nodes: &, <, >. Quotes and apostrophes are left alone
+// since we don't use them in tag attributes.
+func htmlEscapeText(s string) string {
+	s = strings.ReplaceAll(s, "&", "&amp;")
+	s = strings.ReplaceAll(s, "<", "&lt;")
+	s = strings.ReplaceAll(s, ">", "&gt;")
+	return s
+}
+
+// htmlCode wraps s in <code>...</code> after HTML-escaping it. Inside <code>
+// Telegram will not auto-detect URLs, so destinations like api.github.com
+// render as monospace text rather than clickable blue links.
+func htmlCode(s string) string {
+	return "<code>" + htmlEscapeText(s) + "</code>"
+}
+
 func (h *CommandHandler) policyShowFromStore() string {
 	cfg, err := h.store.GetConfig()
 	if err != nil {
@@ -271,9 +286,7 @@ func (h *CommandHandler) policyShowFromStore() string {
 	}
 
 	var b strings.Builder
-	b.WriteString("Current policy (default: ")
-	b.WriteString(dv)
-	b.WriteString(")\n\n")
+	fmt.Fprintf(&b, "Current policy (default: %s)\n\n", htmlCode(dv))
 
 	for _, section := range []struct {
 		label   string
@@ -293,8 +306,9 @@ func (h *CommandHandler) policyShowFromStore() string {
 		if len(sectionRules) == 0 {
 			continue
 		}
+		b.WriteString("<b>")
 		b.WriteString(section.label)
-		b.WriteString(":\n")
+		b.WriteString("</b>:\n")
 		for _, r := range sectionRules {
 			target := r.Destination
 			if r.Tool != "" {
@@ -302,23 +316,23 @@ func (h *CommandHandler) policyShowFromStore() string {
 			} else if r.Pattern != "" {
 				target = "pattern:" + r.Pattern
 			}
-			fmt.Fprintf(&b, "  [%d] %s", r.ID, target)
+			fmt.Fprintf(&b, "  [%d] %s", r.ID, htmlCode(target))
 			if len(r.Ports) > 0 {
 				b.WriteString(" ports=")
 				b.WriteString(formatPorts(r.Ports))
 			}
 			if len(r.Protocols) > 0 {
 				b.WriteString(" protocols=")
-				b.WriteString(strings.Join(r.Protocols, ","))
+				b.WriteString(htmlCode(strings.Join(r.Protocols, ",")))
 			}
 			if r.Replacement != "" {
-				fmt.Fprintf(&b, " -> %q", r.Replacement)
+				fmt.Fprintf(&b, " -> %s", htmlCode(r.Replacement))
 			}
 			if r.Name != "" {
-				fmt.Fprintf(&b, " (%s)", r.Name)
+				fmt.Fprintf(&b, " (%s)", htmlEscapeText(r.Name))
 			}
 			if r.Source != "" {
-				fmt.Fprintf(&b, " [%s]", r.Source)
+				fmt.Fprintf(&b, " [%s]", htmlEscapeText(r.Source))
 			}
 			b.WriteString("\n")
 		}
diff --git a/internal/telegram/commands_test.go b/internal/telegram/commands_test.go
index b5e623b..9aeec7c 100644
--- a/internal/telegram/commands_test.go
+++ b/internal/telegram/commands_test.go
@@ -469,13 +469,13 @@ func TestPolicyShowIncludesAllFields(t *testing.T) {
 	out := handler.Handle(&Command{Name: "policy", Args: []string{"show"}})
 
 	mustContain := []string{
-		"example.com",
+		"<code>example.com</code>",
 		"ports=443",
-		"protocols=quic",
+		"protocols=<code>quic</code>",
 		"(test rule)",
 		"[manual]",
-		"pattern:sk-[A-Za-z0-9]+",
-		`-> "sk-REDACTED"`,
+		"<code>pattern:sk-[A-Za-z0-9]+</code>",
+		"-> <code>sk-REDACTED</code>",
 		"[seed]",
 	}
 	for _, want := range mustContain {
@@ -483,6 +483,43 @@ func TestPolicyShowIncludesAllFields(t *testing.T) {
 			t.Errorf("policy show output missing %q\nfull output:\n%s", want, out)
 		}
 	}
+
+	// Section headers are bolded so the sender picks HTML parse mode,
+	// which also disables Telegram's URL auto-linking inside <code>.
+	if !strings.Contains(out, "<b>ALLOW</b>") {
+		t.Errorf("policy show output must bold section headers: %q", out)
+	}
+}
+
+func TestPolicyShowEscapesHTML(t *testing.T) {
+	s := newTestStore(t)
+	if _, err := s.AddRule("deny", store.RuleOpts{
+		Pattern: "<script>",
+		Source:  "manual",
+	}); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := s.AddRule("redact", store.RuleOpts{
+		Pattern:     "a&b",
+		Replacement: "<x>",
+	}); err != nil {
+		t.Fatal(err)
+	}
+
+	handler := newTestHandlerWithStore(t, s, nil, "")
+	out := handler.Handle(&Command{Name: "policy", Args: []string{"show"}})
+
+	// Raw "<script>" must not survive the <code> wrapper. It should be
+	// rendered as "<code>pattern:&lt;script&gt;</code>".
+	if strings.Contains(out, "pattern:<script>") {
+		t.Errorf("raw <script> must be HTML-escaped: %s", out)
+	}
+	if !strings.Contains(out, "&lt;script&gt;") {
+		t.Errorf("expected &lt;script&gt; in output: %s", out)
+	}
+	if !strings.Contains(out, "a&amp;b") {
+		t.Errorf("expected a&amp;b in output: %s", out)
+	}
 }
 
 func TestPolicyRemoveThenRecompile(t *testing.T) {

From 9dc65fdb2425719be8e059884434e2dd2ddaa9c3 Mon Sep 17 00:00:00 2001
From: Nikita Nemirovsky <vaze.legend@gmail.com>
Date: Mon, 13 Apr 2026 14:05:29 +0800
Subject: [PATCH 2/2] fix(telegram): wrap destinations in <code> for approvals
 and mutations

Extends the /policy show fix to the other Telegram surfaces that
render destinations or URLs: approval prompts and policy mutation
confirmations (allow/deny). Without this, Telegram auto-links the
destination in strings like 'HTTPS api.github.com:443' or 'Added
allow rule: example.com' as a clickable blue URL.

- bot.go FormatApprovalMessage: wrap dest:port and the rendered
  request URL in <code>. MCP tool name also in <code>.
- commands.go policyAllow / policyDeny: wrap dest in <code> on both
  store and in-memory paths.
- Consolidate the duplicated htmlEscape helpers: commands.go now uses
  the existing htmlEscape from bot.go, local wrapper removed.
- Update bot_test.go expectations to match the <code>-wrapped output.
---
 internal/telegram/bot.go      | 13 +++++++------
 internal/telegram/bot_test.go | 12 ++++++------
 internal/telegram/commands.go | 24 +++++++-----------------
 3 files changed, 20 insertions(+), 29 deletions(-)

diff --git a/internal/telegram/bot.go b/internal/telegram/bot.go
index 3fcd07b..983ec48 100644
--- a/internal/telegram/bot.go
+++ b/internal/telegram/bot.go
@@ -57,7 +57,7 @@ var protoDisplayName = map[string]string{
 // Callers must set ParseMode to HTML when sending the message.
 func FormatApprovalMessage(req channel.ApprovalRequest) string {
 	if req.Protocol == "mcp" {
-		msg := "OpenClaw wants to call tool:\n\n" + htmlEscape(req.Destination)
+		msg := "OpenClaw wants to call tool:\n\n" + htmlCode(req.Destination)
 		if req.ToolArgs != "" {
 			pretty := prettyJSONOrRaw(req.ToolArgs)
 			msg += "\n\nArguments:\n<pre><code class=\"language-json\">" + htmlEscape(pretty) + "</code></pre>"
@@ -69,20 +69,21 @@ func FormatApprovalMessage(req channel.ApprovalRequest) string {
 	if display == "" {
 		display = req.Protocol
 	}
+	destPort := fmt.Sprintf("%s:%d", req.Destination, req.Port)
 	if req.Method != "" {
 		ver := ""
 		if req.HTTPVersion != "" {
 			ver = " (" + htmlEscape(req.HTTPVersion) + ")"
 		}
 		return fmt.Sprintf(
-			"OpenClaw wants to connect to:\n\n%s %s:%d\n%s %s%s\n\nAllow this request?",
-			htmlEscape(display), htmlEscape(req.Destination), req.Port,
-			htmlEscape(req.Method), htmlEscape(buildRequestURL(req)), ver,
+			"OpenClaw wants to connect to:\n\n%s %s\n%s %s%s\n\nAllow this request?",
+			htmlEscape(display), htmlCode(destPort),
+			htmlEscape(req.Method), htmlCode(buildRequestURL(req)), ver,
 		)
 	}
 	return fmt.Sprintf(
-		"OpenClaw wants to connect to:\n\n%s %s:%d\n\nAllow this connection?",
-		htmlEscape(display), htmlEscape(req.Destination), req.Port,
+		"OpenClaw wants to connect to:\n\n%s %s\n\nAllow this connection?",
+		htmlEscape(display), htmlCode(destPort),
 	)
 }
 
diff --git a/internal/telegram/bot_test.go b/internal/telegram/bot_test.go
index 0680f03..ce3381d 100644
--- a/internal/telegram/bot_test.go
+++ b/internal/telegram/bot_test.go
@@ -77,8 +77,8 @@ func TestFormatApprovalMessage(t *testing.T) {
 			Protocol:    "http",
 		}
 		msg := FormatApprovalMessage(req)
-		if !strings.Contains(msg, "HTTP example.com:8080") {
-			t.Errorf("expected 'HTTP example.com:8080' in message, got: %s", msg)
+		if !strings.Contains(msg, "HTTP <code>example.com:8080</code>") {
+			t.Errorf("expected 'HTTP <code>example.com:8080</code>' in message, got: %s", msg)
 		}
 	})
 
@@ -167,10 +167,10 @@ func TestFormatApprovalMessage(t *testing.T) {
 			Path:        "/users/me",
 		}
 		msg := FormatApprovalMessage(req)
-		if !strings.Contains(msg, "HTTPS api.example.com:443") {
+		if !strings.Contains(msg, "HTTPS <code>api.example.com:443</code>") {
 			t.Errorf("expected destination line in message, got: %s", msg)
 		}
-		if !strings.Contains(msg, "GET https://api.example.com/users/me") {
+		if !strings.Contains(msg, "GET <code>https://api.example.com/users/me</code>") {
 			t.Errorf("expected request line in message, got: %s", msg)
 		}
 		if !strings.Contains(msg, "Allow this request?") {
@@ -187,7 +187,7 @@ func TestFormatApprovalMessage(t *testing.T) {
 			Path:        "/api/submit",
 		}
 		msg := FormatApprovalMessage(req)
-		if !strings.Contains(msg, "POST http://localhost:8080/api/submit") {
+		if !strings.Contains(msg, "POST <code>http://localhost:8080/api/submit</code>") {
 			t.Errorf("expected URL with explicit port, got: %s", msg)
 		}
 	})
@@ -201,7 +201,7 @@ func TestFormatApprovalMessage(t *testing.T) {
 			Path:        "",
 		}
 		msg := FormatApprovalMessage(req)
-		if !strings.Contains(msg, "HEAD https://example.com/") {
+		if !strings.Contains(msg, "HEAD <code>https://example.com/</code>") {
 			t.Errorf("expected URL with default path '/', got: %s", msg)
 		}
 	})
diff --git a/internal/telegram/commands.go b/internal/telegram/commands.go
index 006f2a6..3a4f502 100644
--- a/internal/telegram/commands.go
+++ b/internal/telegram/commands.go
@@ -253,21 +253,11 @@ func (h *CommandHandler) policyShow() string {
 	return b.String()
 }
 
-// htmlEscapeText escapes the three characters that Telegram's HTML parse mode
-// requires in text nodes: &, <, >. Quotes and apostrophes are left alone
-// since we don't use them in tag attributes.
-func htmlEscapeText(s string) string {
-	s = strings.ReplaceAll(s, "&", "&amp;")
-	s = strings.ReplaceAll(s, "<", "&lt;")
-	s = strings.ReplaceAll(s, ">", "&gt;")
-	return s
-}
-
 // htmlCode wraps s in <code>...</code> after HTML-escaping it. Inside <code>
 // Telegram will not auto-detect URLs, so destinations like api.github.com
 // render as monospace text rather than clickable blue links.
 func htmlCode(s string) string {
-	return "<code>" + htmlEscapeText(s) + "</code>"
+	return "<code>" + htmlEscape(s) + "</code>"
 }
 
 func (h *CommandHandler) policyShowFromStore() string {
@@ -329,10 +319,10 @@ func (h *CommandHandler) policyShowFromStore() string {
 				fmt.Fprintf(&b, " -> %s", htmlCode(r.Replacement))
 			}
 			if r.Name != "" {
-				fmt.Fprintf(&b, " (%s)", htmlEscapeText(r.Name))
+				fmt.Fprintf(&b, " (%s)", htmlEscape(r.Name))
 			}
 			if r.Source != "" {
-				fmt.Fprintf(&b, " [%s]", htmlEscapeText(r.Source))
+				fmt.Fprintf(&b, " [%s]", htmlEscape(r.Source))
 			}
 			b.WriteString("\n")
 		}
@@ -364,14 +354,14 @@ func (h *CommandHandler) policyAllow(dest string) string {
 		if err := h.recompileAndSwap(); err != nil {
 			return fmt.Sprintf("Added allow rule but failed to recompile: %v", err)
 		}
-		return fmt.Sprintf("Added allow rule: %s", dest)
+		return "Added allow rule: " + htmlCode(dest)
 	}
 
 	// Fallback to in-memory mutation when store is not configured.
 	if err := h.engine.Load().AddAllowRule(dest); err != nil { //nolint:staticcheck // backward compat fallback when no store
 		return fmt.Sprintf("Failed to add allow rule: %v", err)
 	}
-	return fmt.Sprintf("Added allow rule: %s%s", dest, inMemoryWarning)
+	return "Added allow rule: " + htmlCode(dest) + inMemoryWarning
 }
 
 func (h *CommandHandler) policyDeny(dest string) string {
@@ -389,13 +379,13 @@ func (h *CommandHandler) policyDeny(dest string) string {
 		if err := h.recompileAndSwap(); err != nil {
 			return fmt.Sprintf("Added deny rule but failed to recompile: %v", err)
 		}
-		return fmt.Sprintf("Added deny rule: %s", dest)
+		return "Added deny rule: " + htmlCode(dest)
 	}
 
 	if err := h.engine.Load().AddDenyRule(dest); err != nil { //nolint:staticcheck // backward compat fallback when no store
 		return fmt.Sprintf("Failed to add deny rule: %v", err)
 	}
-	return fmt.Sprintf("Added deny rule: %s%s", dest, inMemoryWarning)
+	return "Added deny rule: " + htmlCode(dest) + inMemoryWarning
 }
 
 func (h *CommandHandler) policyRemove(idStr string) string {