feat(security): harden input sanitization and expand blocked domains

- Escape backticks in `sanitizeInput` to prevent template injection risks - Add `sharklasers.com` and `guerrillamail.net` to blocked email domains - Update `src/utils/security.test.ts` with new test cases Co-authored-by: ragusa-it <196988693+ragusa-it@users.noreply.github.com>
2026-02-07 01:40:06 +00:00
parent 2587b9dd29
commit 637b3d9dcd
3 changed files with 12 additions and 1 deletions
--- a/.jules/sentinel.md
+++ b/.jules/sentinel.md
@@ -27,3 +27,8 @@
 **Vulnerability:** Allowing users to register or submit forms with disposable email addresses (e.g., mailinator.com) can lead to spam, abuse, and polluted data.
 **Learning:** While true email verification requires a backend or API, a simple client-side blocklist of common disposable domains is a highly effective, low-cost first line of defense.
 **Prevention:** Maintain a list of known disposable domains (e.g., `BLOCKED_DOMAINS`) and check the domain part of the email address during validation.
+
+## 2026-02-14 - Incomplete Sanitization Implementation
+**Vulnerability:** Security utilities (`sanitizeInput`) did not fully implement the documented protection (missing backtick escaping), and blocklists were incomplete.
+**Learning:** Documentation and guidelines (even memories) can diverge from implementation. Regular audits are necessary to ensure the code actually matches the security specifications.
+**Prevention:** Add specific unit tests for every character and domain in security specifications to prevent regression or incomplete implementation.
--- a/src/utils/security.test.ts
+++ b/src/utils/security.test.ts
@@ -10,6 +10,7 @@ describe('Security Utils', () => {
      expect(sanitizeInput('foo & bar')).toBe('foo &amp; bar');
      expect(sanitizeInput('"quotes"')).toBe('&quot;quotes&quot;');
      expect(sanitizeInput("'single quotes'")).toBe('&#039;single quotes&#039;');
+      expect(sanitizeInput('`backticks`')).toBe('&#96;backticks&#96;');
      expect(sanitizeInput('>')).toBe('&gt;');
    });

@@ -74,6 +75,8 @@ describe('Security Utils', () => {
      expect(isValidEmail('spam@mailinator.com')).toBe(false);
      expect(isValidEmail('bot@yopmail.com')).toBe(false);
      expect(isValidEmail('temp@temp-mail.org')).toBe(false);
+      expect(isValidEmail('spam@sharklasers.com')).toBe(false);
+      expect(isValidEmail('spam@guerrillamail.net')).toBe(false);
    });

    it('rejects blocked domains regardless of case', () => {
--- a/src/utils/security.ts
+++ b/src/utils/security.ts
@@ -14,7 +14,8 @@ export function sanitizeInput(input: string): string {
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
-    .replace(/'/g, "&#039;");
+    .replace(/'/g, "&#039;")
+    .replace(/`/g, "&#96;");
 }

 // Common disposable email providers and invalid domains
@@ -25,6 +26,8 @@ const BLOCKED_DOMAINS = new Set([
  "yopmail.com",
  "temp-mail.org",
  "guerrillamail.com",
+  "guerrillamail.net",
+  "sharklasers.com",
  "10minutemail.com",
  "trashmail.com",
 ]);