Escape untrusted strings in notifications (2.4.1)

CHANGELOG.md

@@ -5,6 +5,20 @@ All notable changes to this project are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.4.1] - 2026-06-13
+
+### Security
+
+- Escape untrusted strings before placing them in notification bodies. Geo data
+  from ipinfo.io (the `org`, `city`, `region`, and `timezone` fields) and GitHub
+  release-note content are now HTML-escaped in email and Telegram
+  (`parse_mode=HTML`) messages and markdown-escaped in Discord. This prevents
+  markup or link injection into the notification channels. For Telegram it also
+  fixes a case where a stray `<` or `&` in a field (for example the ISP `org`
+  string) made the Bot API reject the message with a 400 error, silently
+  dropping a real IP-change alert. Plain-text email and Apprise bodies were not
+  affected and are unchanged.
+
 ## [2.4.0] - 2026-06-13
 
 Supply-chain and provenance tooling. No application code changes; the image is

DOCKER_HUB_DESCRIPTION.md

@@ -16,6 +16,7 @@ aimed at homelabs and small servers on connections where the ISP changes your IP
 
 ## Recent releases
 
+- 2.4.1: security fix - escape untrusted geo/release-note strings in notifications.
 - 2.3.0: AWS Route53 DDNS provider (SigV4, no AWS SDK bundled).
 - 2.2.0: secrets from files (`<NAME>_FILE`), plus Trivy scanning, CycloneDX SBOM and Cosign keyless image signing.
 - 2.1.0: optional JSON logging (`LOG_FORMAT=json`) and adaptive backoff with jitter.
@@ -66,8 +67,8 @@ Operations
 
 | Architecture | Tags | Status |
 |--------------|------|--------|
-| x86-64 (AMD64) | `latest`, `2.4.0` | Supported |
-| ARM64 (aarch64) | `latest`, `2.4.0` | Supported |
+| x86-64 (AMD64) | `latest`, `2.4.1` | Supported |
+| ARM64 (aarch64) | `latest`, `2.4.1` | Supported |
 
 Docker pulls the correct image for your platform automatically. ARM64 covers
 Raspberry Pi 4 and newer, Apple Silicon, and AWS Graviton.
@@ -94,15 +95,15 @@ docker run -d \
   -e SERVER_NAME="My Server" \
   -v ./data:/data \
   -v ./logs:/logs \
-  noxied/wanwatcher:2.4.0
+  noxied/wanwatcher:2.4.1
 ```
 
 ### docker compose
 
 ```yaml
 services:
   wanwatcher:
-    image: noxied/wanwatcher:2.4.0
+    image: noxied/wanwatcher:2.4.1
     container_name: wanwatcher
     restart: unless-stopped
     environment:
@@ -344,7 +345,7 @@ docker buildx build \
 
 | Tag | Meaning |
 |-----|---------|
-| `2.4.0` | This exact release |
+| `2.4.1` | This exact release |
 | `2.0` | Latest 2.0.x patch |
 | `2` | Latest 2.x release |
 | `latest` | Latest stable release |
@@ -355,6 +356,7 @@ docker buildx build \
 
 | Version | Date | Highlights |
 |---------|------|------------|
+| 2.4.1 | 2026-06-13 | Security: escape untrusted strings in notifications |
 | 2.3.0 | 2026-06-13 | AWS Route53 DDNS provider |
 | 2.2.0 | 2026-06-13 | Secrets from files, Trivy/SBOM/Cosign supply-chain security |
 | 2.1.0 | 2026-06-13 | Optional JSON logging (LOG_FORMAT), adaptive backoff with jitter |

Dockerfile

@@ -2,10 +2,10 @@
 
 LABEL maintainer="noxied"
 LABEL description="WAN IP monitoring with notifications, DDNS updates and Home Assistant integration"
-LABEL version="2.4.0"
+LABEL version="2.4.1"
 LABEL org.opencontainers.image.title="WANwatcher"
 LABEL org.opencontainers.image.description="Monitor WAN IPv4/IPv6 addresses with notifications, DDNS and MQTT"
-LABEL org.opencontainers.image.version="2.4.0"
+LABEL org.opencontainers.image.version="2.4.1"
 LABEL org.opencontainers.image.authors="noxied"
 LABEL org.opencontainers.image.url="https://github.com/noxied/wanwatcher"
 LABEL org.opencontainers.image.source="https://github.com/noxied/wanwatcher"
@@ -26,7 +26,7 @@
     && mkdir -p /data /logs \
     && chown -R wanwatcher:wanwatcher /data /logs /app
 
 ENV DISCORD_ENABLED="false" \
     DISCORD_WEBHOOK_URL="" \
     DISCORD_AVATAR_URL="" \
     TELEGRAM_ENABLED="false" \

README.md

@@ -44,15 +44,15 @@ docker run -d \
   -e SERVER_NAME="My Server" \
   -v ./data:/data \
   -v ./logs:/logs \
-  noxied/wanwatcher:2.4.0
+  noxied/wanwatcher:2.4.1
 ```
 
 Or with compose:
 
 ```yaml
 services:
   wanwatcher:
-    image: noxied/wanwatcher:2.4.0
+    image: noxied/wanwatcher:2.4.1
     container_name: wanwatcher
     restart: unless-stopped
     environment:
@@ -214,7 +214,7 @@ Supported: `DISCORD_WEBHOOK_URL_FILE`, `TELEGRAM_BOT_TOKEN_FILE`,
 ```yaml
 services:
   wanwatcher:
-    image: noxied/wanwatcher:2.4.0
+    image: noxied/wanwatcher:2.4.1
     environment:
       DISCORD_ENABLED: "true"
       DISCORD_WEBHOOK_URL_FILE: /run/secrets/discord_webhook

SECURITY.md

@@ -42,7 +42,7 @@ Environment variables:
 
 ```bash
 export DISCORD_WEBHOOK_URL="your_webhook"
-docker run -e DISCORD_WEBHOOK_URL ... noxied/wanwatcher:2.4.0
+docker run -e DISCORD_WEBHOOK_URL ... noxied/wanwatcher:2.4.1
 ```
 
 A `.env` file (add it to `.gitignore`):
@@ -71,7 +71,7 @@ Published images are signed with Cosign using keyless signing. You can verify
 that an image came from this repository's CI before running it:
 
 ```bash
-cosign verify noxied/wanwatcher:2.4.0 \
+cosign verify noxied/wanwatcher:2.4.1 \
   --certificate-identity-regexp "https://github.com/noxied/wanwatcher/.*" \
   --certificate-oidc-issuer https://token.actions.githubusercontent.com
 ```
@@ -105,7 +105,7 @@ Reasonable extras for the paranoid:
 ```yaml
 services:
   wanwatcher:
-    image: noxied/wanwatcher:2.4.0   # pin a version, avoid :latest
+    image: noxied/wanwatcher:2.4.1   # pin a version, avoid :latest
     security_opt:
       - no-new-privileges:true
     deploy:

UPGRADING.md

@@ -2,6 +2,19 @@
 
 Version-specific upgrade notes. The newest upgrade path is at the top.
 
+## 2.4.0 to 2.4.1
+
+A security patch with no configuration changes. Pull the new image and restart:
+
+```bash
+docker compose pull
+docker compose up -d
+```
+
+What changed: untrusted geo and release-note strings are now escaped in email,
+Telegram and Discord notifications (previously they were inserted unescaped).
+Recommended for anyone using those notifiers.
+
 ## 2.3.x to 2.4.0
 
 No breaking changes and nothing to configure. The application image is

docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   wanwatcher:
-    image: noxied/wanwatcher:2.4.0
+    image: noxied/wanwatcher:2.4.1
     container_name: wanwatcher
     restart: unless-stopped
 

docs/TROUBLESHOOTING.md

@@ -293,7 +293,7 @@ creating datasets for `/data` and `/logs`.
 Synology: create the shared folders in File Station first, give uid 1000
 write access, and use absolute paths in Container Manager.
 
-Raspberry Pi: the published image is multi-arch; `noxied/wanwatcher:2.4.0`
+Raspberry Pi: the published image is multi-arch; `noxied/wanwatcher:2.4.1`
 pulls the ARM64 variant automatically on a 64-bit OS. 32-bit ARM is not
 published; build locally if you need it.