feat(security): enhance input sanitization and domain blocking

- Update `sanitizeInput` in `src/utils/security.ts` to escape backticks (`) to ``` preventing potential JS template literal injection.
- Add common disposable email domains (e.g., sharklasers.com, dispostable.com) to `BLOCKED_DOMAINS` in `src/utils/security.ts`.
- Update tests in `src/utils/security.test.ts` to verify new security measures.
- Record security learning in `.jules/sentinel.md`.

Co-authored-by: ragusa-it <196988693+ragusa-it@users.noreply.github.com>

.jules/sentinel.md

@@ -27,3 +27,8 @@
 **Vulnerability:** Allowing users to register or submit forms with disposable email addresses (e.g., mailinator.com) can lead to spam, abuse, and polluted data.
 **Learning:** While true email verification requires a backend or API, a simple client-side blocklist of common disposable domains is a highly effective, low-cost first line of defense.
 **Prevention:** Maintain a list of known disposable domains (e.g., `BLOCKED_DOMAINS`) and check the domain part of the email address during validation.
+
+## 2026-02-14 - Backtick Injection in Template Strings
+**Vulnerability:** Standard HTML sanitization often ignores backticks (` `), which can be dangerous if the sanitized string is injected into a JavaScript template literal context.
+**Learning:** While HTML entities (`<`, `"`) protect HTML contexts, modern JS uses backticks for strings. Failing to escape them allows attackers to break out of the string boundary if the data is used in a JS context.
+**Prevention:** Explicitly replace backticks with ``` in sanitization routines intended for general-purpose use.