3 changed files with 12 additions and 1 deletions
--- a/.jules/sentinel.md
+++ b/.jules/sentinel.md
@@ -27,3 +27,8 @@
 **Vulnerability:** Allowing users to register or submit forms with disposable email addresses (e.g., mailinator.com) can lead to spam, abuse, and polluted data.
 **Learning:** While true email verification requires a backend or API, a simple client-side blocklist of common disposable domains is a highly effective, low-cost first line of defense.
 **Prevention:** Maintain a list of known disposable domains (e.g., `BLOCKED_DOMAINS`) and check the domain part of the email address during validation.
+
+## 2026-02-14 - Backtick Escaping in Sanitization
+**Vulnerability:** Standard HTML entity encoding often overlooks backticks (`` ` ``), which are dangerous in JavaScript template literals.
+**Learning:** While `&`, `<`, `>`, `"`, `'` are standard, backticks are unique to modern JS. If a sanitized string is interpolated into a JS template literal, an unescaped backtick can break out of the string context and allow arbitrary code execution.
+**Prevention:** Always include `.replace(/`/g, "&#96;")` in custom HTML sanitization functions to prevent injection in JS contexts.
--- a/src/utils/security.test.ts
+++ b/src/utils/security.test.ts
@@ -25,6 +25,11 @@ describe('Security Utils', () => {
      const expected = '&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;';
      expect(sanitizeInput(input)).toBe(expected);
    });
+
+    it('escapes backticks', () => {
+      expect(sanitizeInput('`')).toBe('&#96;');
+      expect(sanitizeInput('user`name')).toBe('user&#96;name');
+    });
  });

  describe('isValidEmail', () => {
--- a/src/utils/security.ts
+++ b/src/utils/security.ts
@@ -14,7 +14,8 @@ export function sanitizeInput(input: string): string {
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
-    .replace(/'/g, "&#039;");
+    .replace(/'/g, "&#039;")
+    .replace(/`/g, "&#96;");
 }

 // Common disposable email providers and invalid domains