feat(security): enhance email validation and sanitization

- Updates `isValidEmail` to strictly reject double quotes and backticks while allowing apostrophes.
- Applies `sanitizeInput` to email fields in Contact form payload (Defense in Depth).
- Adds tests for email validation edge cases.
- Updates Sentinel journal.

Co-authored-by: ragusa-it <196988693+ragusa-it@users.noreply.github.com>

src/pages/Contact.tsx

@@ -93,7 +93,7 @@ export function Contact() {
     try {
       const templateParams = {
         name: sanitizeInput(formData.name),
-        email: formData.email, // Email doesn't typically need HTML sanitization if validated by regex, but good practice to handle it if used in HTML context.
+        email: sanitizeInput(formData.email),
         title: sanitizeInput(formData.subject),
         message: sanitizeInput(formData.message),
         reply_to: formData.email,

src/utils/security.test.ts

@@ -48,6 +48,16 @@ describe('Security Utils', () => {
       expect(isValidEmail('user<name>@example.com')).toBe(false);
     });
 
+    it('rejects emails with double quotes and backticks', () => {
+      expect(isValidEmail('user"name@example.com')).toBe(false);
+      expect(isValidEmail('user`name@example.com')).toBe(false);
+    });
+
+    it('accepts emails with apostrophes', () => {
+      expect(isValidEmail("user'name@example.com")).toBe(true);
+      expect(isValidEmail("o'connor@example.com")).toBe(true);
+    });
+
     it('rejects emails with whitespace', () => {
       expect(isValidEmail('user @example.com')).toBe(false);
       expect(isValidEmail('user@ example.com')).toBe(false);

src/utils/security.ts

@@ -31,6 +31,6 @@ export function isValidEmail(email: string): boolean {
   // [^\s@<>]+ : Domain part - no whitespace, @, <, or >
   // \.        : Literal .
   // [^\s@<>]+ : TLD part - no whitespace, @, <, or >
-  const emailRegex = /^[^\s@<>]+@[^\s@<>]+\.[^\s@<>]+$/;
+  const emailRegex = /^[^\s@<>,"`]+@[^\s@<>,"`]+\.[^\s@<>,"`]+$/;
   return emailRegex.test(email);
 }