From 5d9f78d64fa83fd47fc2ebd4073f8c978a2c86cf Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
 <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sat, 31 Jan 2026 01:57:32 +0000
Subject: [PATCH] feat(security): escape backticks in input sanitization

Enhances `sanitizeInput` to replace backticks (`) with `&#96;` to prevent potential injection attacks in JavaScript template literal contexts.
Adds a test case to verify this behavior.
Records a critical learning in `.jules/sentinel.md`.

Co-authored-by: ragusa-it <196988693+ragusa-it@users.noreply.github.com>
---
 .jules/sentinel.md         | 5 +++++
 src/utils/security.test.ts | 5 +++++
 src/utils/security.ts      | 3 ++-
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/.jules/sentinel.md b/.jules/sentinel.md
index fa5439f..c25ee23 100644
--- a/.jules/sentinel.md
+++ b/.jules/sentinel.md
@@ -27,3 +27,8 @@
 **Vulnerability:** Allowing users to register or submit forms with disposable email addresses (e.g., mailinator.com) can lead to spam, abuse, and polluted data.
 **Learning:** While true email verification requires a backend or API, a simple client-side blocklist of common disposable domains is a highly effective, low-cost first line of defense.
 **Prevention:** Maintain a list of known disposable domains (e.g., `BLOCKED_DOMAINS`) and check the domain part of the email address during validation.
+
+## 2026-02-14 - Backtick Escaping in Sanitization
+**Vulnerability:** Standard HTML entity encoding often overlooks backticks (`` ` ``), which are dangerous in JavaScript template literals.
+**Learning:** While `&`, `<`, `>`, `"`, `'` are standard, backticks are unique to modern JS. If a sanitized string is interpolated into a JS template literal, an unescaped backtick can break out of the string context and allow arbitrary code execution.
+**Prevention:** Always include `.replace(/`/g, "&#96;")` in custom HTML sanitization functions to prevent injection in JS contexts.
diff --git a/src/utils/security.test.ts b/src/utils/security.test.ts
index 428c373..44e79f1 100644
--- a/src/utils/security.test.ts
+++ b/src/utils/security.test.ts
@@ -25,6 +25,11 @@ describe('Security Utils', () => {
       const expected = '&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;';
       expect(sanitizeInput(input)).toBe(expected);
     });
+
+    it('escapes backticks', () => {
+      expect(sanitizeInput('`')).toBe('&#96;');
+      expect(sanitizeInput('user`name')).toBe('user&#96;name');
+    });
   });
 
   describe('isValidEmail', () => {
diff --git a/src/utils/security.ts b/src/utils/security.ts
index ec68c79..475e12b 100644
--- a/src/utils/security.ts
+++ b/src/utils/security.ts
@@ -14,7 +14,8 @@ export function sanitizeInput(input: string): string {
     .replace(/</g, "&lt;")
     .replace(/>/g, "&gt;")
     .replace(/"/g, "&quot;")
-    .replace(/'/g, "&#039;");
+    .replace(/'/g, "&#039;")
+    .replace(/`/g, "&#96;");
 }
 
 // Common disposable email providers and invalid domains