diff --git a/gotelegram-bot/bot.py b/gotelegram-bot/bot.py
index f22eb9c..89f0683 100644
--- a/gotelegram-bot/bot.py
+++ b/gotelegram-bot/bot.py
@@ -886,11 +886,21 @@ def _validate_custom_git_url(url: str) -> bool:
     if not url or len(url) > 512:
         return False
     # Block shell metacharacters explicitly
-    for bad in (" ", "`", "$", "(", ")", "<", ">", "|", "\\", "\t", "\n", "\r", ";", "&"):
+    for bad in (" ", "`", "$", "(", ")", "<", ">", "|", "\\", "\t", "\n", "\r", ";", "&", "'", '"'):
         if bad in url:
             return False
     if not url.lower().startswith("https://"):
         return False
+    # Reject embedded userinfo (https://user:pass@host/...) to prevent credential leakage.
+    # We look at the netloc — anything between https:// and the first '/'.
+    rest = url[len("https://"):]
+    netloc_end = rest.find("/")
+    netloc = rest if netloc_end == -1 else rest[:netloc_end]
+    if "@" in netloc:
+        return False
+    # Hostname sanity: no empty host, no whitespace already blocked above
+    if not netloc or netloc.startswith(":") or netloc.endswith(":"):
+        return False
     return True
 
 
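Review bot: The new netloc block accepts any host and any port text — `https://host:abc/` passes the `startswith(":")`/`endswith(":")` checks, and nothing stops a user from pointing the bot at loopback or link-local addresses, which matters if this URL is handed to `git clone` as the function name suggests, so a hostname allowlist or a private-address check belongs here. The manual slice itself is safe as far as it goes (the authority can only end at `/`, `?` or `#`, so cutting at the first `/` over-approximates it and the `@` test can only reject, never miss), but `urllib.parse.urlsplit` exposes `username`/`password`/`hostname` directly and a `port` property that raises `ValueError` on a non-numeric port, which would replace the hand parsing with something already tested against the corner cases. It would need importing at the top of the file, which is outside this hunk, and the callers that consume the validated URL are not visible either, so whether the blocklist of shell characters is belt-and-braces (argv list) or load-bearing (shell string) cannot be judged from here.
```python
    parts = urlsplit(url)
    if parts.username is not None or parts.password is not None or not parts.hostname:
        return False
    try:
        parts.port  # ValueError on a non-numeric port
    except ValueError:
        return False
    # … unchanged: return True …
```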