From d8927d26f3d24e5ce52a17c37a2f01d6d097439d Mon Sep 17 00:00:00 2001
From: Steven Kalt <kalt.steven@gmail.com>
Date: Sat, 24 Jan 2026 12:34:38 -0500
Subject: [PATCH] fix: escape html/markdown in titles

---
 markdown_writer.go | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/markdown_writer.go b/markdown_writer.go
index 049f7c3..3b81bf6 100644
--- a/markdown_writer.go
+++ b/markdown_writer.go
@@ -82,7 +82,7 @@ func (w MarkdownWriter) WriteSummary(content string, newLine bool) string {
 
 func (w MarkdownWriter) WriteHeader(feed *gofeed.Feed) string {
 	favicon := w.getFaviconHTML(feed)
-	return fmt.Sprintf("\n### %s %s\n", favicon, feed.Title)
+	return fmt.Sprintf("\n### %s %s\n", favicon, escapeMd(feed.Title))
 }
 
 // Helper method specifically for MarkdownWriter
@@ -105,3 +105,23 @@ func (w MarkdownWriter) getFaviconHTML(s *gofeed.Feed) string {
 
 	return fmt.Sprintf(`<img src="%s" width="32" height="32" />`, src)
 }
+
+func escapeMd(raw string) (safe string) {
+	out := strings.Builder{}
+	out.Grow(len(raw))
+	i := 0
+	for i < len(raw) {
+		b := raw[i] // we're only escaping ascii characters, so iterating over bytes is fine
+		switch b {
+		case '\\', '<', '>', '[', ']':
+			if err := out.WriteByte('\\'); err != nil {
+				panic(err)
+			}
+		}
+		if err := out.WriteByte(b); err != nil {
+			panic(err)
+		}
+	}
+
+	return out.String()
+}