feat(security): escape backticks in sanitizeInput

- Update `sanitizeInput` in `src/utils/security.ts` to escape backticks (`` ` ``) to `&#96;`.
- Add test case in `src/utils/security.test.ts` to verify backtick escaping.
- This mitigates potential XSS risks in contexts where template literals might be used.

Co-authored-by: ragusa-it <196988693+ragusa-it@users.noreply.github.com>
This commit is contained in:
google-labs-jules[bot]
2026-02-05 01:57:50 +00:00
parent 2587b9dd29
commit 729d19e075
2 changed files with 6 additions and 1 deletions


@@ -13,6 +13,10 @@ describe('Security Utils', () => {
expect(sanitizeInput('>')).toBe('&gt;');
});
it('escapes backticks', () => {
expect(sanitizeInput('`exec`')).toBe('&#96;exec&#96;');
});
it('returns non-string input as is', () => {
// @ts-ignore
expect(sanitizeInput(123)).toBe(123);


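--- a/src/utils/security.ts
+++ b/src/utils/security.ts
@@ -14,7 +14,8 @@ export function sanitizeInput(input: string): string {
 .replace(/</g, "&lt;")
 .replace(/>/g, "&gt;")
 .replace(/"/g, "&quot;")
-.replace(/'/g, "&#039;");
+.replace(/'/g, "&#039;")
+.replace(/`/g, "&#96;");
 }
 // Common disposable email providers and invalid domains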
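Review bot: The new backtick replacement on the last line of the chain emits an HTML character reference (`&#96;`), which only has an effect where the output is parsed as HTML; the commit message's template-literal rationale does not hold for a value placed inside a JavaScript template literal, because entities are not decoded there and the `${` interpolation sequence passes through unchanged. The change is still a reasonable HTML-context hardening, but the function's doc comment should state the contract so callers do not rely on it elsewhere: `/** Escapes HTML-significant characters for insertion into HTML text or attribute values. Not a JavaScript, URL or CSS context encoder — use a context-specific encoder there. */`. Whether `&` is replaced before the other characters cannot be seen in this hunk; it must come first in the chain or the entities produced by the later replacements would be double-encoded. `sanitizeInput` begins outside the hunk.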