From a074560a90b69d15c7bd29208340f2ff535e4f1d Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
 <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Wed, 4 Feb 2026 01:52:28 +0000
Subject: [PATCH] feat(security): enhance input sanitization and expand blocked
 domains

- Add backtick escaping to `sanitizeInput` to prevent template literal injection
- Expand `BLOCKED_DOMAINS` with additional disposable email providers
- Add comprehensive tests for new security rules

Sentinel-Ref: 2026-02-14
Security-Priority: Low (Enhancement)

Co-authored-by: ragusa-it <196988693+ragusa-it@users.noreply.github.com>
---
 src/utils/security.test.ts | 8 ++++++++
 src/utils/security.ts      | 9 ++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/utils/security.test.ts b/src/utils/security.test.ts
index 428c373..b0ee7a8 100644
--- a/src/utils/security.test.ts
+++ b/src/utils/security.test.ts
@@ -10,6 +10,7 @@ describe('Security Utils', () => {
       expect(sanitizeInput('foo & bar')).toBe('foo &amp; bar');
       expect(sanitizeInput('"quotes"')).toBe('&quot;quotes&quot;');
       expect(sanitizeInput("'single quotes'")).toBe('&#039;single quotes&#039;');
+      expect(sanitizeInput('`backticks`')).toBe('&#96;backticks&#96;');
       expect(sanitizeInput('>')).toBe('&gt;');
     });
 
@@ -25,6 +26,10 @@ describe('Security Utils', () => {
       const expected = '&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;';
       expect(sanitizeInput(input)).toBe(expected);
     });
+
+    it('escapes template literal injection vectors', () => {
+      expect(sanitizeInput('`${alert(1)}`')).toBe('&#96;${alert(1)}&#96;');
+    });
   });
 
   describe('isValidEmail', () => {
@@ -74,6 +79,9 @@ describe('Security Utils', () => {
       expect(isValidEmail('spam@mailinator.com')).toBe(false);
       expect(isValidEmail('bot@yopmail.com')).toBe(false);
       expect(isValidEmail('temp@temp-mail.org')).toBe(false);
+      expect(isValidEmail('spam@sharklasers.com')).toBe(false);
+      expect(isValidEmail('spam@guerrillamail.net')).toBe(false);
+      expect(isValidEmail('spam@dispostable.com')).toBe(false);
     });
 
     it('rejects blocked domains regardless of case', () => {
diff --git a/src/utils/security.ts b/src/utils/security.ts
index ec68c79..037bcbe 100644
--- a/src/utils/security.ts
+++ b/src/utils/security.ts
@@ -14,7 +14,8 @@ export function sanitizeInput(input: string): string {
     .replace(/</g, "&lt;")
     .replace(/>/g, "&gt;")
     .replace(/"/g, "&quot;")
-    .replace(/'/g, "&#039;");
+    .replace(/'/g, "&#039;")
+    .replace(/`/g, "&#96;");
 }
 
 // Common disposable email providers and invalid domains
@@ -27,6 +28,12 @@ const BLOCKED_DOMAINS = new Set([
   "guerrillamail.com",
   "10minutemail.com",
   "trashmail.com",
+  "sharklasers.com",
+  "guerrillamail.net",
+  "guerrillamail.org",
+  "guerrillamail.biz",
+  "dispostable.com",
+  "fake-email.com",
 ]);
 
 /**
-- 
2.49.1