ragusa-it/ragusaitweb
1
0
Fork 0
Code Issues Pull Requests 6 Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: ragusa-it:main
Branches Tags
ragusa-it:main ragusa-it:bolt-optimize-gradientblinds-gc-6327826835632059233 ragusa-it:palette-skiplink-5651691488283915033 ragusa-it:sentinel-security-enhancement-backticks-and-domains-12355386453957124996 ragusa-it:palette-ux-skip-link-4183261526673199462 ragusa-it:sentinel-sanitize-backticks-16098235277815990620 ragusa-it:bolt/optimize-gradient-blinds-5552097332919267137
...
pull from: ragusa-it:sentinel-sanitize-backticks-16098235277815990620
Branches Tags
ragusa-it:main ragusa-it:bolt-optimize-gradientblinds-gc-6327826835632059233 ragusa-it:palette-skiplink-5651691488283915033 ragusa-it:sentinel-security-enhancement-backticks-and-domains-12355386453957124996 ragusa-it:palette-ux-skip-link-4183261526673199462 ragusa-it:sentinel-sanitize-backticks-16098235277815990620 ragusa-it:bolt/optimize-gradient-blinds-5552097332919267137

1 Commits

Author SHA1 Message Date
google-labs-jules[bot]
5d9f78d64f feat(security): escape backticks in input sanitization 
Enhances `sanitizeInput` to replace backticks (`) with ``` to prevent potential injection attacks in JavaScript template literal contexts.
Adds a test case to verify this behavior.
Records a critical learning in `.jules/sentinel.md`.

Co-authored-by: ragusa-it <196988693+ragusa-it@users.noreply.github.com>
 2026-01-31 01:57:32 +00:00
3 changed files with 12 additions and 1 deletions
Expand all files Collapse all files

5
.jules/sentinel.md
View File

@@ -27,3 +27,8 @@
**Vulnerability:** Allowing users to register or submit forms with disposable email addresses (e.g., mailinator.com) can lead to spam, abuse, and polluted data. **Vulnerability:** Allowing users to register or submit forms with disposable email addresses (e.g., mailinator.com) can lead to spam, abuse, and polluted data.
**Learning:** While true email verification requires a backend or API, a simple client-side blocklist of common disposable domains is a highly effective, low-cost first line of defense. **Learning:** While true email verification requires a backend or API, a simple client-side blocklist of common disposable domains is a highly effective, low-cost first line of defense.
**Prevention:** Maintain a list of known disposable domains (e.g., `BLOCKED_DOMAINS`) and check the domain part of the email address during validation. **Prevention:** Maintain a list of known disposable domains (e.g., `BLOCKED_DOMAINS`) and check the domain part of the email address during validation.
## 2026-02-14 - Backtick Escaping in Sanitization
**Vulnerability:** Standard HTML entity encoding often overlooks backticks (`` ` ``), which are dangerous in JavaScript template literals.
**Learning:** While `&`, `<`, `>`, `"`, `'` are standard, backticks are unique to modern JS. If a sanitized string is interpolated into a JS template literal, an unescaped backtick can break out of the string context and allow arbitrary code execution.
**Prevention:** Always include `.replace(/`/g, "&#96;")` in custom HTML sanitization functions to prevent injection in JS contexts.

5
src/utils/security.test.ts
View File

@@ -25,6 +25,11 @@ describe('Security Utils', () => {
const expected = '&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;'; const expected = '&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;';
expect(sanitizeInput(input)).toBe(expected); expect(sanitizeInput(input)).toBe(expected);
}); });
it('escapes backticks', () => {
expect(sanitizeInput('`')).toBe('&#96;');
expect(sanitizeInput('user`name')).toBe('user&#96;name');
});
}); });
describe('isValidEmail', () => { describe('isValidEmail', () => {

3
src/utils/security.ts
View File

@@ -14,7 +14,8 @@ export function sanitizeInput(input: string): string {
.replace(/</g, "&lt;") .replace(/</g, "&lt;")
.replace(/>/g, "&gt;") .replace(/>/g, "&gt;")
.replace(/"/g, "&quot;") .replace(/"/g, "&quot;")
.replace(/'/g, "&#039;"); .replace(/'/g, "&#039;")
.replace(/`/g, "&#96;");
} }
// Common disposable email providers and invalid domains // Common disposable email providers and invalid domains