From 4191e829cbc329e3a037e0a9dde797926d83c18c Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Sun, 1 Feb 2026 01:55:26 +0000 Subject: [PATCH] feat(security): enhance input sanitization and domain blocking - Update `sanitizeInput` in `src/utils/security.ts` to escape backticks (`) to ``` preventing potential JS template literal injection. - Add common disposable email domains (e.g., sharklasers.com, dispostable.com) to `BLOCKED_DOMAINS` in `src/utils/security.ts`. - Update tests in `src/utils/security.test.ts` to verify new security measures. - Record security learning in `.jules/sentinel.md`. Co-authored-by: ragusa-it <196988693+ragusa-it@users.noreply.github.com> --- .jules/sentinel.md | 5 +++++ src/utils/security.test.ts | 3 +++ src/utils/security.ts | 8 +++++++- 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/.jules/sentinel.md b/.jules/sentinel.md index fa5439f..e013cda 100644 --- a/.jules/sentinel.md +++ b/.jules/sentinel.md @@ -27,3 +27,8 @@ **Vulnerability:** Allowing users to register or submit forms with disposable email addresses (e.g., mailinator.com) can lead to spam, abuse, and polluted data. **Learning:** While true email verification requires a backend or API, a simple client-side blocklist of common disposable domains is a highly effective, low-cost first line of defense. **Prevention:** Maintain a list of known disposable domains (e.g., `BLOCKED_DOMAINS`) and check the domain part of the email address during validation. + +## 2026-02-14 - Backtick Injection in Template Strings +**Vulnerability:** Standard HTML sanitization often ignores backticks (` `), which can be dangerous if the sanitized string is injected into a JavaScript template literal context. +**Learning:** While HTML entities (`<`, `"`) protect HTML contexts, modern JS uses backticks for strings. Failing to escape them allows attackers to break out of the string boundary if the data is used in a JS context. +**Prevention:** Explicitly replace backticks with ``` in sanitization routines intended for general-purpose use. diff --git a/src/utils/security.test.ts b/src/utils/security.test.ts index 428c373..d855c7f 100644 --- a/src/utils/security.test.ts +++ b/src/utils/security.test.ts @@ -10,6 +10,7 @@ describe('Security Utils', () => { expect(sanitizeInput('foo & bar')).toBe('foo & bar'); expect(sanitizeInput('"quotes"')).toBe('"quotes"'); expect(sanitizeInput("'single quotes'")).toBe(''single quotes''); + expect(sanitizeInput('`backticks`')).toBe('`backticks`'); expect(sanitizeInput('>')).toBe('>'); }); @@ -74,6 +75,8 @@ describe('Security Utils', () => { expect(isValidEmail('spam@mailinator.com')).toBe(false); expect(isValidEmail('bot@yopmail.com')).toBe(false); expect(isValidEmail('temp@temp-mail.org')).toBe(false); + expect(isValidEmail('spam@sharklasers.com')).toBe(false); + expect(isValidEmail('bot@maildrop.cc')).toBe(false); }); it('rejects blocked domains regardless of case', () => { diff --git a/src/utils/security.ts b/src/utils/security.ts index ec68c79..b644d2a 100644 --- a/src/utils/security.ts +++ b/src/utils/security.ts @@ -14,7 +14,8 @@ export function sanitizeInput(input: string): string { .replace(//g, ">") .replace(/"/g, """) - .replace(/'/g, "'"); + .replace(/'/g, "'") + .replace(/`/g, "`"); } // Common disposable email providers and invalid domains @@ -25,8 +26,13 @@ const BLOCKED_DOMAINS = new Set([ "yopmail.com", "temp-mail.org", "guerrillamail.com", + "guerrillamail.net", "10minutemail.com", "trashmail.com", + "sharklasers.com", + "dispostable.com", + "maildrop.cc", + "getairmail.com", ]); /** -- 2.49.1