diff --git a/src/utils/security.test.ts b/src/utils/security.test.ts
index 428c373..efe5af8 100644
--- a/src/utils/security.test.ts
+++ b/src/utils/security.test.ts
@@ -13,6 +13,10 @@ describe('Security Utils', () => {
  expect(sanitizeInput('>')).toBe('>');
  });
+ it('escapes backticks', () => {
+ expect(sanitizeInput('`exec`')).toBe('`exec`');
+ });
+
  it('returns non-string input as is', () => {
  // @ts-ignore
  expect(sanitizeInput(123)).toBe(123);
diff --git a/src/utils/security.ts b/src/utils/security.ts
index ec68c79..475e12b 100644
--- a/src/utils/security.ts
+++ b/src/utils/security.ts
@@ -14,7 +14,8 @@ export function sanitizeInput(input: string): string {
  .replace(//g, ">")
  .replace(/"/g, """)
- .replace(/'/g, "'");
+ .replace(/'/g, "'")
+ .replace(/`/g, "`");
  }
  // Common disposable email providers and invalid domains
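Review bot: The new `.replace(/`/g, …)` in security.ts extends a per-character entity escape chain, but nothing in the hunk escapes `&`, and that substitution has to be the first call in the chain or the ampersands produced by the earlier replaces are re-encoded; sanitizeInput's body begins above the hunk, so if `&` is handled there this is fine, otherwise `.replace(/&/g, "&amp;")` belongs at the top of the chain. As rendered here every replacement string shows the bare character itself (the added test likewise asserts `'`exec`'` maps to `'`exec`'`), which presumably means the HTML entities were lost when the diff was extracted; confirm the committed source uses the entity form, since otherwise the new line and its test are no-ops. The function's doc comment should also name the output context these escapes are for (HTML text or attribute values), because the backtick step only matters inside attribute values and none of these substitutions make a string safe for a JavaScript or URL context. The companion hunk in security.test.ts covers the backtick only in isolation; one case combining `&` with the other escaped characters would pin the replace ordering.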