src/utils/security.test.ts

@@ -10,6 +10,7 @@ describe('Security Utils', () => {
       expect(sanitizeInput('foo & bar')).toBe('foo & bar');
       expect(sanitizeInput('"quotes"')).toBe('"quotes"');
       expect(sanitizeInput("'single quotes'")).toBe(''single quotes'');
+      expect(sanitizeInput('`backticks`')).toBe('`backticks`');
       expect(sanitizeInput('>')).toBe('>');
     });
 
@@ -25,6 +26,10 @@ describe('Security Utils', () => {
       const expected = '<script>alert("XSS")</script>';
       expect(sanitizeInput(input)).toBe(expected);
     });
+
+    it('escapes template literal injection vectors', () => {
+      expect(sanitizeInput('`${alert(1)}`')).toBe('`${alert(1)}`');
+    });
   });
 
   describe('isValidEmail', () => {
@@ -74,6 +79,9 @@ describe('Security Utils', () => {
       expect(isValidEmail('spam@mailinator.com')).toBe(false);
       expect(isValidEmail('bot@yopmail.com')).toBe(false);
       expect(isValidEmail('temp@temp-mail.org')).toBe(false);
+      expect(isValidEmail('spam@sharklasers.com')).toBe(false);
+      expect(isValidEmail('spam@guerrillamail.net')).toBe(false);
+      expect(isValidEmail('spam@dispostable.com')).toBe(false);
     });
 
     it('rejects blocked domains regardless of case', () => {

src/utils/security.ts

@@ -14,7 +14,8 @@ export function sanitizeInput(input: string): string {
     .replace(/</g, "&lt;")
     .replace(/>/g, "&gt;")
     .replace(/"/g, "&quot;")
-    .replace(/'/g, "&#039;");
+    .replace(/'/g, "&#039;")
+    .replace(/`/g, "&#96;");
 }
 
 // Common disposable email providers and invalid domains
@@ -27,6 +28,12 @@ const BLOCKED_DOMAINS = new Set([
   "guerrillamail.com",
   "10minutemail.com",
   "trashmail.com",
+  "sharklasers.com",
+  "guerrillamail.net",
+  "guerrillamail.org",
+  "guerrillamail.biz",
+  "dispostable.com",
+  "fake-email.com",
 ]);
 
 /**