
Fix HTML injection in email templates and harden server-side validation#1

Draft — Copilot wants to merge 3 commits into main from copilot/fix-security-bugs

Conversation


Copilot AI commented Feb 21, 2026

User input is interpolated directly into HTML email bodies without escaping, enabling HTML/script injection in both notification and auto-reply emails. Server endpoints also lack input validation and leak internal error details to clients.

Changes

  • HTML escaping — Added escapeHtml() to sanitize name, email, subject, message before embedding in HTML email templates across server/index.js, netlify/functions/contact.js, and project/server/index.js
function escapeHtml(str) {
  // Replace '&' first so the '&' introduced by the other entities is not escaped twice
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}
  • Input validation — Added required-field checks with .trim() and email format validation via regex on all server-side handlers
  • Error leakage — Replaced res.status(500).json({ error: error.message }) with a generic message to avoid exposing SMTP internals to clients
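The three fixes described in this PR (escape every user-controlled value before it is embedded in an HTML email, reject missing or malformed fields after trimming, and return a generic error instead of the SMTP exception text) can be seen end to end in the following added example. It is not code from this repository: the field names name, email, subject and message are taken from the PR description, while the email regex, the validateContact(), buildEmailHtml() and errorResponse() helpers and the sample payload are assumptions constructed for illustration.

```javascript
// Added example, not the PR's own code. Demonstrates the escaping, validation
// and generic-error pattern the PR description outlines, on a constructed payload.

function escapeHtml(str) {
  // '&' is replaced first; otherwise the '&' that &lt;, &gt; etc. introduce
  // would itself be re-escaped into '&amp;lt;'.
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Assumed simple format check: one '@', no whitespace, a dot in the domain part.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Trims every required field and rejects the request if any is empty or the
// email is malformed. Returns { ok: true, data } or { ok: false, error }.
function validateContact(body) {
  const fields = ['name', 'email', 'subject', 'message'];
  const data = {};
  for (const f of fields) {
    const raw = body && typeof body[f] === 'string' ? body[f] : '';
    const value = raw.trim();
    if (!value) return { ok: false, error: `Missing required field: ${f}` };
    data[f] = value;
  }
  if (!EMAIL_RE.test(data.email)) return { ok: false, error: 'Invalid email address' };
  return { ok: true, data };
}

// Builds the notification body the way an email template would, escaping every
// user-controlled value at the point where it enters the HTML.
function buildEmailHtml(data) {
  return [
    `<p><strong>Name:</strong> ${escapeHtml(data.name)}</p>`,
    `<p><strong>Email:</strong> ${escapeHtml(data.email)}</p>`,
    `<p><strong>Subject:</strong> ${escapeHtml(data.subject)}</p>`,
    `<p>${escapeHtml(data.message)}</p>`,
  ].join('\n');
}

// What the handler should send when the mail send fails: the detailed error
// stays in the server log, the client gets a fixed message.
function errorResponse(err) {
  console.error('send failed:', err);
  return { status: 500, body: { error: 'Failed to send message' } };
}

// Constructed sample payload: untrimmed name plus markup in the message body.
const samplePayload = {
  name: '  Ada  ',
  email: 'ada@example.com',
  subject: 'Hello & goodbye',
  message: '<script>alert(1)</script> "quoted" & \'single\'',
};

// Usage: validate, then render; the markup arrives in the email as inert text.
const result = validateContact(samplePayload);
if (result.ok) {
  console.log(buildEmailHtml(result.data));
} else {
  console.log({ status: 400, body: { error: result.error } });
}
```

The escaping is applied inside the template builder rather than at the validation step so that the trimmed values remain plain text everywhere else (logs, database, plain-text email part) and are only encoded for the one sink that interprets HTML.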



netlify Bot commented Feb 21, 2026

Deploy Preview for harshitkulkarnisportfolio ready!

Latest commit: bbee637
Latest deploy log: https://app.netlify.com/projects/harshitkulkarnisportfolio/deploys/699968d32fc8f800085ffc4e
Deploy Preview: https://deploy-preview-1--harshitkulkarnisportfolio.netlify.app


vercel Bot commented Feb 21, 2026

The latest updates on your projects.

Project: harshit-kulkarni-portfolio
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): Feb 21, 2026 8:12am

- Add escapeHtml() to sanitize user input before embedding in HTML emails
- Apply sanitization in server/index.js, netlify/functions/contact.js, and project/server/index.js
- Add missing server-side input validation in server/index.js
- Prevent internal error message leakage to clients

Co-authored-by: kulharshit21 <124128807+kulharshit21@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix security bugs and errors Fix HTML injection in email templates and harden server-side validation Feb 21, 2026
Copilot AI requested a review from kulharshit21 February 21, 2026 08:13