From eeaa812aa74e91ece7013afa7575e6214d427c5e Mon Sep 17 00:00:00 2001
From: posimai <posimai.project@gmail.com>
Date: Thu, 26 Mar 2026 14:08:35 +0900
Subject: [PATCH] fix: add esc() and sanitize app.label in innerHTML

---
 index.html | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/index.html b/index.html
index 6e0689c..e9c9831 100644
--- a/index.html
+++ b/index.html
@@ -973,6 +973,11 @@ const CAT_LABELS = {
 
 const CAT_ORDER = ['posimai','sns','media','news','tools','nav','shop'];
 
+// ── HTML エスケープ ─────────────────────────────────────────
+function esc(s) {
+    return String(s ?? '').replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;').replace(/"/g,'&quot;').replace(/'/g,'&#39;');
+}
+
 // ── カスタムアプリ ──────────────────────────────────────────
 function loadCustomApps() {
     try {
@@ -1147,21 +1152,21 @@ function renderApps() {
                         const isInitial = app.icon === '_initial';
 
                         const iconHTML = isInitial
-                            ? `<div class="app-initial" style="background:${color}22;color:${color}">${app.label.charAt(0).toUpperCase()}</div>`
-                            : `<i data-lucide="${app.icon}" class="app-icon" style="stroke:${color}"></i>`;
+                            ? `<div class="app-initial" style="background:${color}22;color:${color}">${esc(app.label).charAt(0).toUpperCase()}</div>`
+                            : `<i data-lucide="${esc(app.icon)}" class="app-icon" style="stroke:${color}"></i>`;
 
                         const delBtn = isCustom
-                            ? `<button class="custom-del-btn" data-del-id="${app.id}" aria-label="${app.label}を削除">&#x2715;</button>`
+                            ? `<button class="custom-del-btn" data-del-id="${app.id}" aria-label="${esc(app.label)}を削除">&#x2715;</button>`
                             : '';
 
                         return `
                             <div class="app-item${editCls}${hidden}"
                                  data-id="${app.id}" role="button" tabindex="0"
-                                 aria-label="${app.label}"
+                                 aria-label="${esc(app.label)}"
                                  style="${bgStyle}">
                                 ${delBtn}
                                 ${iconHTML}
-                                <span class="app-label">${app.label}</span>
+                                <span class="app-label">${esc(app.label)}</span>
                                 <span class="check-badge" aria-hidden="true"
                                       style="background:${color}">
                                     <i data-lucide="check"