diff --git a/server.js b/server.js
index cd7929fc..2ccceb41 100644
--- a/server.js
+++ b/server.js
@@ -3337,12 +3337,12 @@ ${excerpt}
                     to: ['posimai.project@gmail.com'],
                     reply_to: email,
                     subject: `[Store お問い合わせ] ${typeLabel}`,
-                    html: `<p><strong>種別:</strong> ${typeLabel}</p>
-                           <p><strong>名前:</strong> ${name}</p>
-                           <p><strong>メール:</strong> ${email}</p>
-                           ${subject ? `<p><strong>件名:</strong> ${subject}</p>` : ''}
+                    html: `<p><strong>種別:</strong> ${escapeHtml(typeLabel)}</p>
+                           <p><strong>名前:</strong> ${escapeHtml(name)}</p>
+                           <p><strong>メール:</strong> ${escapeHtml(email)}</p>
+                           ${subject ? `<p><strong>件名:</strong> ${escapeHtml(subject)}</p>` : ''}
                            <p><strong>メッセージ:</strong></p>
-                           <pre style="white-space:pre-wrap">${message}</pre>`,
+                           <pre style="white-space:pre-wrap">${escapeHtml(message)}</pre>`,
                 }),
             });
             if (!emailRes.ok) {