security: store/contact HTMLメールインジェクション修正

- name/email/subject/message を escapeHtml() でエスケープ - 既存の escapeHtml() 関数（行76）を活用。管理者宛メール本文でのHTML注入を防止 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-25 22:17:04 +09:00 · 2026-04-25 22:17:04 +09:00 · b34f7f1f36
parent 48f539dc66
commit b34f7f1f36
1 changed files with 5 additions and 5 deletions
--- a/server.js
+++ b/server.js
@ -3337,12 +3337,12 @@ ${excerpt}
                    to: ['posimai.project@gmail.com'],
                    reply_to: email,
                    subject: `[Store お問い合わせ] ${typeLabel}`,
-                    html: `<p><strong>種別:</strong> ${typeLabel}</p>
-                           <p><strong>名前:</strong> ${name}</p>
-                           <p><strong>メール:</strong> ${email}</p>
-                           ${subject ? `<p><strong>件名:</strong> ${subject}</p>` : ''}
+                    html: `<p><strong>種別:</strong> ${escapeHtml(typeLabel)}</p>
+                           <p><strong>名前:</strong> ${escapeHtml(name)}</p>
+                           <p><strong>メール:</strong> ${escapeHtml(email)}</p>
+                           ${subject ? `<p><strong>件名:</strong> ${escapeHtml(subject)}</p>` : ''}
                           <p><strong>メッセージ:</strong></p>
-                           <pre style="white-space:pre-wrap">${message}</pre>`,
+                           <pre style="white-space:pre-wrap">${escapeHtml(message)}</pre>`,
                }),
            });
            if (!emailRes.ok) {