From 133c46c086028824a4c8eb369b957e3334cca2ad Mon Sep 17 00:00:00 2001
From: WuYuuuub <625806558@qq.com>
Date: Tue, 13 Jan 2026 18:41:35 +0800
Subject: [PATCH] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=20HTML=20=E8=BD=AC=E4=B9=89?=
 =?UTF-8?q?=EF=BC=8C=E9=98=B2=E6=AD=A2=E9=82=AE=E4=BB=B6=E5=86=85=E5=AE=B9?=
 =?UTF-8?q?=E4=B8=AD=E7=9A=84=20HTML=20=E6=B3=A8=E5=85=A5=E6=94=BB?=
 =?UTF-8?q?=E5=87=BB?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 pkg/email/email.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/pkg/email/email.go b/pkg/email/email.go
index e374b85..7855379 100644
--- a/pkg/email/email.go
+++ b/pkg/email/email.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net/smtp"
 	"net/textproto"
+	"html"
 
 	"carrotskin/pkg/config"
 	
@@ -70,8 +71,6 @@ func (s *Service) send(to []string, subject, body string) error {
 	addr := fmt.Sprintf("%s:%d", s.cfg.SMTPHost, s.cfg.SMTPPort)
 	
 	// 判断端口决定发送方式
-	// 465端口使用SSL/TLS（隐式TLS）
-	// 587端口使用STARTTLS（显式TLS）
 	var err error
 	if s.cfg.SMTPPort == 465 {
 		// 使用SSL/TLS连接（适用于465端口）
@@ -132,6 +131,10 @@ func (s *Service) getBody(code, purpose string) string {
 		message = "您的验证码为："
 	}
 
+	// 转义 HTML 特殊字符
+	escapedMessage := html.EscapeString(message)
+	escapedCode := html.EscapeString(code)
+
 	return fmt.Sprintf(`
 <!DOCTYPE html>
 <html>
@@ -158,5 +161,5 @@ func (s *Service) getBody(code, purpose string) string {
     </div>
 </body>
 </html>
-	`, message, code)
+	`, escapedMessage, escapedCode)
 }