Fix HTML injection and harden server-side contact form handlers#2

Draft: Copilot wants to merge 3 commits into main from copilot/fix-security-bugs-again

Conversation


Copilot AI commented Feb 21, 2026

Both server/index.js and netlify/functions/contact.js interpolate user input directly into HTML email bodies, enabling HTML injection. The Express server also lacks input validation, rate limiting, body size limits, and leaks internal error details.

HTML injection in email templates

User-controlled fields (name, email, subject, message) were interpolated unsanitized into HTML:

// Before — attacker can inject arbitrary HTML
html: `<p><strong>Name:</strong> ${name}</p>`

// After — escaped before interpolation
const safeName = escapeHtml(name);
html: `<p><strong>Name:</strong> ${safeName}</p>`

Added escapeHtml() to both server/index.js and netlify/functions/contact.js.

Missing hardening in server/index.js

  • Input validation — required field checks + email format regex (Netlify function had this; Express server did not)
  • Rate limiting — in-memory per-IP rate limit (1 req/min), matching the Netlify function
  • Body size limit — express.json({ limit: '1kb' })
  • Error leaking — error.message was returned to client; replaced with generic message
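The four hardening points above, as an added example that is not the PR's own code. It models the Express handler with plain Node so it runs without Express: `escapeHtml` covers the five HTML-significant characters, `validateContact` does the required-field and email-format checks, `createRateLimiter` is the in-memory one-request-per-minute limiter, `isWithinBodyLimit` stands in for the `express.json({ limit: '1kb' })` guard, and `handleContact` returns a generic message on failure while logging the real error server-side. The `sendMail` dependency, the `MAX_FIELD_LENGTH` cap and the `{ status, body }` return shape are assumptions for this example, not part of the PR.

```javascript
// Added example (not the PR's code): self-contained model of the contact-form
// hardening. Node standard library only; no Express required to run it.

// Escape the characters that change meaning in HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

const REQUIRED_FIELDS = ['name', 'email', 'subject', 'message'];
// Deliberately simple format check: one '@', no whitespace, a dot in the domain part.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const MAX_FIELD_LENGTH = 1000; // assumption for this example, not from the PR
const BODY_LIMIT_BYTES = 1024; // mirrors express.json({ limit: '1kb' })

// Returns a list of validation errors; an empty list means the body is acceptable.
function validateContact(body) {
  if (!body || typeof body !== 'object') return ['Invalid request body'];
  const errors = [];
  for (const field of REQUIRED_FIELDS) {
    const v = body[field];
    if (typeof v !== 'string' || v.trim() === '') errors.push(`${field} is required`);
    else if (v.length > MAX_FIELD_LENGTH) errors.push(`${field} is too long`);
  }
  if (typeof body.email === 'string' && !EMAIL_RE.test(body.email)) {
    errors.push('email format is invalid');
  }
  return errors;
}

// Stand-in for the body-parser limit: reject raw bodies over 1 KiB before parsing.
function isWithinBodyLimit(rawBody) {
  return Buffer.byteLength(rawBody, 'utf8') <= BODY_LIMIT_BYTES;
}

// In-memory per-IP limiter: one request per window (default 60 s). Adequate for a
// single process; a multi-instance deployment needs a shared store instead.
// `now` is injectable so the window can be tested without waiting.
function createRateLimiter(windowMs = 60_000, now = Date.now) {
  const lastSeen = new Map();
  return function allow(ip) {
    const t = now();
    const prev = lastSeen.get(ip);
    if (prev !== undefined && t - prev < windowMs) return false;
    lastSeen.set(ip, t);
    return true;
  };
}

// Every user-controlled field is escaped before it reaches the template.
function buildEmailHtml({ name, email, subject, message }) {
  return [
    `<p><strong>Name:</strong> ${escapeHtml(name)}</p>`,
    `<p><strong>Email:</strong> ${escapeHtml(email)}</p>`,
    `<p><strong>Subject:</strong> ${escapeHtml(subject)}</p>`,
    `<p><strong>Message:</strong> ${escapeHtml(message).replace(/\n/g, '<br>')}</p>`,
  ].join('\n');
}

// Handler returns { status, body } instead of writing to a response so it can be
// exercised directly. `allow` is a limiter from createRateLimiter; `sendMail` is a
// hypothetical async mailer injected by the caller.
async function handleContact(req, { allow, sendMail }) {
  if (!allow(req.ip)) return { status: 429, body: { error: 'Too many requests' } };
  const errors = validateContact(req.body);
  if (errors.length) return { status: 400, body: { error: errors.join('; ') } };
  try {
    await sendMail({ subject: `Contact: ${req.body.subject}`, html: buildEmailHtml(req.body) });
    return { status: 200, body: { ok: true } };
  } catch (err) {
    // Detail stays in the server log; the client only sees a generic message.
    console.error('sendMail failed:', err.message);
    return { status: 500, body: { error: 'Failed to send message' } };
  }
}
```

Usage: wire `handleContact` behind `express.json({ limit: '1kb' })`, pass `req.ip` and `req.body`, and copy `status` and `body` onto `res`. The limiter is created once at module load so its map persists across requests.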



vercel Bot commented Feb 21, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: harshit-kulkarni-portfolio | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Feb 21, 2026 8:17am


netlify Bot commented Feb 21, 2026

Deploy Preview for harshitkulkarnisportfolio ready!

🔨 Latest commit: 1b0b500
🔍 Latest deploy log: https://app.netlify.com/projects/harshitkulkarnisportfolio/deploys/69996a0509f37a0008f3057e
😎 Deploy Preview: https://deploy-preview-2--harshitkulkarnisportfolio.netlify.app

… leaking, rate limiting

- Add HTML escaping (escapeHtml) to sanitize user input in email templates
  in both server/index.js and netlify/functions/contact.js to prevent
  HTML injection/XSS attacks
- Add input validation (required fields check) to server/index.js
- Add server-side email format validation to both server files
- Fix internal error message leaking to client in server/index.js
  (now returns generic error message)
- Add request body size limit (1kb) to server/index.js
- Add rate limiting to server/index.js (matching netlify function)

Co-authored-by: kulharshit21 <124128807+kulharshit21@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix security bugs and address errors Fix HTML injection and harden server-side contact form handlers Feb 21, 2026
Copilot AI requested a review from kulharshit21 February 21, 2026 08:20