ragusa-it/ragusaitweb
1
0
Fork 0
Code Issues Pull Requests 6 Actions Packages Projects Releases Wiki Activity

feat(security): escape backticks in input sanitization

Browse Source 
Enhances `sanitizeInput` to replace backticks (`) with ``` to prevent potential injection attacks in JavaScript template literal contexts.
Adds a test case to verify this behavior.
Records a critical learning in `.jules/sentinel.md`.

Co-authored-by: ragusa-it <196988693+ragusa-it@users.noreply.github.com>
This commit is contained in:
google-labs-jules[bot]
2026-01-31 01:57:32 +00:00
parent 2587b9dd29
commit 5d9f78d64f
3 changed files with 12 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
.jules/sentinel.md
View File

@@ -27,3 +27,8 @@
**Vulnerability:** Allowing users to register or submit forms with disposable email addresses (e.g., mailinator.com) can lead to spam, abuse, and polluted data.
**Learning:** While true email verification requires a backend or API, a simple client-side blocklist of common disposable domains is a highly effective, low-cost first line of defense.
**Prevention:** Maintain a list of known disposable domains (e.g., `BLOCKED_DOMAINS`) and check the domain part of the email address during validation.
## 2026-02-14 - Backtick Escaping in Sanitization
**Vulnerability:** Standard HTML entity encoding often overlooks backticks (`` ` ``), which are dangerous in JavaScript template literals.
**Learning:** While `&`, `<`, `>`, `"`, `'` are standard, backticks are unique to modern JS. If a sanitized string is interpolated into a JS template literal, an unescaped backtick can break out of the string context and allow arbitrary code execution.
**Prevention:** Always include `.replace(/`/g, "&#96;")` in custom HTML sanitization functions to prevent injection in JS contexts.