diff --git a/bot.py b/bot.py
index 5cd6cf6..0f5148f 100644
--- a/bot.py
+++ b/bot.py
@@ -5,6 +5,7 @@ autoClaude Telegram Bot
 """
 
 import asyncio
+import html
 import json
 import logging
 import os
@@ -301,7 +302,7 @@ async def cmd_proxytest(update: Update, context: ContextTypes.DEFAULT_TYPE):
                 f"🔍 <b>代理测试中...</b>\n"
                 f"{_progress_bar(current, total)}\n\n"
                 f"✅ 通过: {ok_count}  ❌ 失败: {fail_count}\n\n"
-                f"最新: {icon} <code>{result['proxy']}</code> {latency}"
+                f"最新: {icon} <code>{html.escape(str(result['proxy']))}</code> {latency}"
             )
 
             asyncio.run_coroutine_threadsafe(
@@ -326,10 +327,11 @@ async def cmd_proxytest(update: Update, context: ContextTypes.DEFAULT_TYPE):
         icon = "✅" if r["ok"] else "❌"
         latency = f"{r['latency_ms']}ms" if r['latency_ms'] > 0 else "-"
         prio = r.get('priority', '-')
-        text += f"{icon} <code>{r['proxy']}</code>\n"
+        proxy_display = html.escape(str(r['proxy']))
+        text += f"{icon} <code>{proxy_display}</code>\n"
         text += f"   延迟: {latency} | 优先级: {prio}\n"
         if not r["ok"]:
-            text += f"   错误: {r.get('error', '?')}\n"
+            text += f"   错误: {html.escape(str(r.get('error', '?')))}\n"
 
     if len(text) > 4000:
         text = text[:4000] + "\n...（已截断）"
@@ -350,8 +352,9 @@ async def cmd_proxystatus(update: Update, context: ContextTypes.DEFAULT_TYPE):
 
     for i, item in enumerate(items, 1):
         icon = "✅" if item["last_ok"] else "❌"
+        proxy_display = html.escape(str(item['proxy']))
         text += (
-            f"{i}. {icon} <code>{item['proxy']}</code>\n"
+            f"{i}. {icon} <code>{proxy_display}</code>\n"
             f"   优先级: {item['priority']} | "
             f"延迟: {item['latency_ms']}ms | "
             f"✅{item['success']} ❌{item['fail']}\n"