From dd09482bd59384e23bfc26253f2af4e346520ef9 Mon Sep 17 00:00:00 2001
From: furu04 <hi@furu04.com>
Date: Tue, 13 Jan 2026 09:56:50 +0900
Subject: [PATCH] =?UTF-8?q?=E5=AE=89=E5=85=A8=E6=80=A7=E3=82=92=E5=90=91?=
 =?UTF-8?q?=E4=B8=8A?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 internal/handler/api_handler.go        |  11 ++
 internal/handler/assignment_handler.go |  22 +++
 internal/validation/validation.go      | 201 +++++++++++++++++++++++++
 web/static/js/app.js                   |  48 ++++--
 4 files changed, 272 insertions(+), 10 deletions(-)
 create mode 100644 internal/validation/validation.go

diff --git a/internal/handler/api_handler.go b/internal/handler/api_handler.go
index 8865c52..cec11bf 100644
--- a/internal/handler/api_handler.go
+++ b/internal/handler/api_handler.go
@@ -7,6 +7,7 @@ import (
 
 	"homework-manager/internal/middleware"
 	"homework-manager/internal/service"
+	"homework-manager/internal/validation"
 
 	"github.com/gin-gonic/gin"
 )
@@ -264,6 +265,11 @@ func (h *APIHandler) CreateAssignment(c *gin.Context) {
 		return
 	}
 
+	if err := validation.ValidateAssignmentInput(input.Title, input.Description, input.Subject, input.Priority); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
 	dueDate, err := parseDateString(input.DueDate)
 	if err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid due_date format. Use RFC3339 or 2006-01-02T15:04"})
@@ -386,6 +392,11 @@ func (h *APIHandler) UpdateAssignment(c *gin.Context) {
 		return
 	}
 
+	if err := validation.ValidateAssignmentInput(input.Title, input.Description, input.Subject, input.Priority); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
 	title := input.Title
 	if title == "" {
 		title = existing.Title
diff --git a/internal/handler/assignment_handler.go b/internal/handler/assignment_handler.go
index cfe45b9..e5f865e 100644
--- a/internal/handler/assignment_handler.go
+++ b/internal/handler/assignment_handler.go
@@ -9,6 +9,7 @@ import (
 	"homework-manager/internal/middleware"
 	"homework-manager/internal/models"
 	"homework-manager/internal/service"
+	"homework-manager/internal/validation"
 
 	"github.com/gin-gonic/gin"
 )
@@ -126,6 +127,22 @@ func (h *AssignmentHandler) Create(c *gin.Context) {
 	priority := c.PostForm("priority")
 	dueDateStr := c.PostForm("due_date")
 
+	if err := validation.ValidateAssignmentInput(title, description, subject, priority); err != nil {
+		role, _ := c.Get(middleware.UserRoleKey)
+		name, _ := c.Get(middleware.UserNameKey)
+		RenderHTML(c, http.StatusOK, "assignments/new.html", gin.H{
+			"title":       "課題登録",
+			"error":       err.Error(),
+			"formTitle":   title,
+			"description": description,
+			"subject":     subject,
+			"priority":    priority,
+			"isAdmin":     role == "admin",
+			"userName":    name,
+		})
+		return
+	}
+
 	reminderEnabled := c.PostForm("reminder_enabled") == "on"
 	reminderAtStr := c.PostForm("reminder_at")
 	var reminderAt *time.Time
@@ -298,6 +315,11 @@ func (h *AssignmentHandler) Update(c *gin.Context) {
 	priority := c.PostForm("priority")
 	dueDateStr := c.PostForm("due_date")
 
+	if err := validation.ValidateAssignmentInput(title, description, subject, priority); err != nil {
+		c.Redirect(http.StatusFound, "/assignments")
+		return
+	}
+
 	reminderEnabled := c.PostForm("reminder_enabled") == "on"
 	reminderAtStr := c.PostForm("reminder_at")
 	var reminderAt *time.Time
diff --git a/internal/validation/validation.go b/internal/validation/validation.go
new file mode 100644
index 0000000..8412fd2
--- /dev/null
+++ b/internal/validation/validation.go
@@ -0,0 +1,201 @@
+package validation
+
+import (
+	"fmt"
+	"regexp"
+	"strings"
+	"unicode"
+)
+
+var MaxLengths = map[string]int{
+	"title":       200,
+	"description": 5000,
+	"subject":     100,
+	"priority":    20,
+}
+
+var xssPatterns = []*regexp.Regexp{
+	regexp.MustCompile(`(?i)<\s*script`),               // <script with optional space
+	regexp.MustCompile(`(?i)</\s*script`),              // </script
+	regexp.MustCompile(`(?i)javascript\s*:`),           // javascript:
+	regexp.MustCompile(`(?i)on\w+\s*=`),                // onclick=, onerror=, etc.
+	regexp.MustCompile(`(?i)<\s*iframe`),               // <iframe
+	regexp.MustCompile(`(?i)<\s*object`),               // <object
+	regexp.MustCompile(`(?i)<\s*embed`),                // <embed
+	regexp.MustCompile(`(?i)<\s*svg[^>]*on\w+\s*=`),    // <svg with event handler
+	regexp.MustCompile(`(?i)data\s*:\s*text/html`),     // data:text/html
+	regexp.MustCompile(`(?i)<\s*img[^>]*on\w+\s*=`),    // <img with event handler
+	regexp.MustCompile(`(?i)expression\s*\(`),          // CSS expression()
+	regexp.MustCompile(`(?i)alert\s*\(`),               // alert()
+	regexp.MustCompile(`(?i)confirm\s*\(`),             // confirm()
+	regexp.MustCompile(`(?i)prompt\s*\(`),              // prompt()
+	regexp.MustCompile(`(?i)document\s*\.\s*cookie`),   // document.cookie
+	regexp.MustCompile(`(?i)document\s*\.\s*location`), // document.location
+	regexp.MustCompile(`(?i)window\s*\.\s*location`),   // window.location
+}
+
+// SQL injection detection patterns (common attack signatures)
+var sqlInjectionPatterns = []*regexp.Regexp{
+	regexp.MustCompile(`(?i)'\s*or\s+`),                                         // ' OR (simplified)
+	regexp.MustCompile(`(?i)'\s*and\s+`),                                        // ' AND
+	regexp.MustCompile(`(?i)"\s*or\s+`),                                         // " OR
+	regexp.MustCompile(`(?i)"\s*and\s+`),                                        // " AND
+	regexp.MustCompile(`(?i)union\s+(all\s+)?select`),                           // UNION SELECT
+	regexp.MustCompile(`(?i);\s*(drop|delete|update|insert|alter|truncate)\s+`), // ; DROP etc
+	regexp.MustCompile(`(?i)--\s*$`),                                            // SQL comment at end
+	regexp.MustCompile(`(?i)/\*.*\*/`),                                          // SQL block comment
+	regexp.MustCompile(`(?i)'\s*;\s*`),                                          // '; (statement termination)
+	regexp.MustCompile(`(?i)exec\s*\(`),                                         // EXEC(
+	regexp.MustCompile(`(?i)xp_\w+`),                                            // xp_cmdshell etc.
+	regexp.MustCompile(`(?i)load_file\s*\(`),                                    // MySQL LOAD_FILE
+	regexp.MustCompile(`(?i)into\s+(out|dump)file`),                             // MySQL file operations
+	regexp.MustCompile(`(?i)benchmark\s*\(`),                                    // MySQL BENCHMARK
+	regexp.MustCompile(`(?i)sleep\s*\(\s*\d`),                                   // SLEEP()
+	regexp.MustCompile(`(?i)waitfor\s+delay`),                                   // WAITFOR DELAY
+	regexp.MustCompile(`(?i)1\s*=\s*1`),                                         // 1=1
+	regexp.MustCompile(`(?i)'1'\s*=\s*'1`),                                      // '1'='1
+}
+
+// Path traversal detection patterns
+var pathTraversalPatterns = []*regexp.Regexp{
+	regexp.MustCompile(`\.\.[\\/]`),
+	regexp.MustCompile(`\.\.%2[fF]`),
+	regexp.MustCompile(`%2e%2e[\\/]`),
+	regexp.MustCompile(`\.\./`),  // ../
+	regexp.MustCompile(`\.\.\\`), // ..\
+}
+
+// Command injection detection patterns
+var commandInjectionPatterns = []*regexp.Regexp{
+	regexp.MustCompile(`^\s*;`),       // starts with semicolon
+	regexp.MustCompile(`;\s*\w+`),     // ; followed by command
+	regexp.MustCompile(`\|\s*\w+`),    // | pipe to command
+	regexp.MustCompile("`[^`]+`"),     // backtick execution
+	regexp.MustCompile(`\$\([^)]+\)`), // $(command) execution
+	regexp.MustCompile(`&&\s*\w+`),    // && chained command
+	regexp.MustCompile(`\|\|\s*\w+`),  // || chained command
+}
+
+// ValidationError represents a validation failure
+type ValidationError struct {
+	Field   string
+	Message string
+}
+
+func (e *ValidationError) Error() string {
+	return fmt.Sprintf("%s: %s", e.Field, e.Message)
+}
+
+// ValidateAssignmentInput validates assignment creation/update input
+func ValidateAssignmentInput(title, description, subject, priority string) error {
+	// Validate title
+	if err := ValidateField("title", title, true); err != nil {
+		return err
+	}
+
+	// Validate description
+	if err := ValidateField("description", description, false); err != nil {
+		return err
+	}
+
+	// Validate subject
+	if err := ValidateField("subject", subject, false); err != nil {
+		return err
+	}
+
+	// Validate priority
+	if err := ValidateField("priority", priority, false); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// ValidateField validates a single field
+func ValidateField(fieldName, value string, required bool) error {
+	// Check required
+	if required && strings.TrimSpace(value) == "" {
+		return &ValidationError{Field: fieldName, Message: "必須項目です"}
+	}
+
+	// Skip further validation if empty and not required
+	if value == "" {
+		return nil
+	}
+
+	// Check max length
+	if maxLen, ok := MaxLengths[fieldName]; ok {
+		if len(value) > maxLen {
+			return &ValidationError{
+				Field:   fieldName,
+				Message: fmt.Sprintf("最大%d文字までです", maxLen),
+			}
+		}
+	}
+
+	// Check for control characters (except newline in description)
+	if fieldName != "description" {
+		for _, r := range value {
+			if unicode.IsControl(r) && r != '\n' && r != '\r' && r != '\t' {
+				return &ValidationError{
+					Field:   fieldName,
+					Message: "不正な制御文字が含まれています",
+				}
+			}
+		}
+	}
+
+	// Check for XSS patterns
+	for _, pattern := range xssPatterns {
+		if pattern.MatchString(value) {
+			return &ValidationError{
+				Field:   fieldName,
+				Message: "潜在的に危険なHTMLタグまたはスクリプトが含まれています",
+			}
+		}
+	}
+
+	// Check for SQL injection patterns
+	for _, pattern := range sqlInjectionPatterns {
+		if pattern.MatchString(value) {
+			return &ValidationError{
+				Field:   fieldName,
+				Message: "潜在的に危険なSQL構文が含まれています",
+			}
+		}
+	}
+
+	// Check for path traversal patterns
+	for _, pattern := range pathTraversalPatterns {
+		if pattern.MatchString(value) {
+			return &ValidationError{
+				Field:   fieldName,
+				Message: "不正なパス文字列が含まれています",
+			}
+		}
+	}
+
+	// Check for command injection patterns
+	for _, pattern := range commandInjectionPatterns {
+		if pattern.MatchString(value) {
+			return &ValidationError{
+				Field:   fieldName,
+				Message: "潜在的に危険なコマンド構文が含まれています",
+			}
+		}
+	}
+
+	return nil
+}
+
+// SanitizeString removes potentially dangerous characters while preserving readability
+// This is a secondary defense - validation should catch issues first
+func SanitizeString(s string) string {
+	// Remove null bytes
+	s = strings.ReplaceAll(s, "\x00", "")
+
+	// Normalize whitespace
+	s = strings.TrimSpace(s)
+
+	return s
+}
diff --git a/web/static/js/app.js b/web/static/js/app.js
index cff7f03..69f9eba 100644
--- a/web/static/js/app.js
+++ b/web/static/js/app.js
@@ -1,28 +1,56 @@
-// Homework Manager JavaScript
+const XSS = {
+    escapeHtml: function (str) {
+        if (str === null || str === undefined) return '';
+        const div = document.createElement('div');
+        div.textContent = str;
+        return div.innerHTML;
+    },
 
-document.addEventListener('DOMContentLoaded', function() {
-    // Auto-dismiss alerts after 5 seconds (exclude alerts inside modals)
+    setTextSafe: function (element, text) {
+        if (element) {
+            element.textContent = text;
+        }
+    },
+
+    sanitizeUrl: function (url) {
+        if (!url) return '';
+        const cleaned = String(url).replace(/[\x00-\x1F\x7F]/g, '').trim();
+        try {
+            const parsed = new URL(cleaned, window.location.origin);
+            if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
+                return parsed.href;
+            }
+        } catch (e) {
+            if (cleaned.startsWith('/') && !cleaned.startsWith('//')) {
+                return cleaned;
+            }
+        }
+        return '';
+    }
+};
+
+window.XSS = XSS;
+
+document.addEventListener('DOMContentLoaded', function () {
     const alerts = document.querySelectorAll('.alert:not(.alert-danger):not(.modal .alert)');
-    alerts.forEach(function(alert) {
-        setTimeout(function() {
+    alerts.forEach(function (alert) {
+        setTimeout(function () {
             alert.classList.add('fade');
-            setTimeout(function() {
+            setTimeout(function () {
                 alert.remove();
             }, 150);
         }, 5000);
     });
 
-    // Confirm dialogs for dangerous actions
     const confirmForms = document.querySelectorAll('form[data-confirm]');
-    confirmForms.forEach(function(form) {
-        form.addEventListener('submit', function(e) {
+    confirmForms.forEach(function (form) {
+        form.addEventListener('submit', function (e) {
             if (!confirm(form.dataset.confirm)) {
                 e.preventDefault();
             }
         });
     });
 
-    // Set default datetime to now + 1 day for new assignments
     const dueDateInput = document.getElementById('due_date');
     if (dueDateInput && !dueDateInput.value) {
         const tomorrow = new Date();