From 729d19e0751dfdb6bb8a4209a2b0130d0e950a63 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Thu, 5 Feb 2026 01:57:50 +0000
Subject: [PATCH] feat(security): escape backticks in sanitizeInput

- Update `sanitizeInput` in `src/utils/security.ts` to escape backticks (`) to ```.
- Add test case in `src/utils/security.test.ts` to verify backtick escaping.
- This mitigates potential XSS risks in contexts where template literals might be used.

Co-authored-by: ragusa-it <196988693+ragusa-it@users.noreply.github.com>
---
 src/utils/security.test.ts | 4 ++++
 src/utils/security.ts | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/utils/security.test.ts b/src/utils/security.test.ts
index 428c373..efe5af8 100644
--- a/src/utils/security.test.ts
+++ b/src/utils/security.test.ts
@@ -13,6 +13,10 @@ describe('Security Utils', () => {
 expect(sanitizeInput('>')).toBe('>');
 });
+ it('escapes backticks', () => {
+ expect(sanitizeInput('`exec`')).toBe('`exec`');
+ });
+
 it('returns non-string input as is', () => {
 // @ts-ignore
 expect(sanitizeInput(123)).toBe(123);
diff --git a/src/utils/security.ts b/src/utils/security.ts
index ec68c79..475e12b 100644
--- a/src/utils/security.ts
+++ b/src/utils/security.ts
@@ -14,7 +14,8 @@ export function sanitizeInput(input: string): string {
 .replace(//g, ">")
 .replace(/"/g, """)
- .replace(/'/g, "'");
+ .replace(/'/g, "'")
+ .replace(/`/g, "`");
 }
 // Common disposable email providers and invalid domains
-- 
2.49.1
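Review bot: The new `.replace(/`/g, …)` on the last added line of the src/utils/security.ts hunk emits an HTML character reference, which neutralises a backtick only where the result is parsed as HTML markup; inside a JavaScript template literal the reference is plain text and the backtick is not escaped, so the commit message's claim about template-literal contexts overstates what the change achieves. The function is an HTML-context output encoder and its contract should say so, since the name `sanitizeInput` invites callers to apply it on input and then double-encode when a view layer escapes again: add a TSDoc block above `export function sanitizeInput` (the signature is outside this hunk, visible only in the `@@` context) such as `/** HTML-entity-encodes characters with markup meaning (quotes, angle brackets, backtick) for insertion into HTML text or quoted attribute values; not a JavaScript-, URL- or CSS-context encoder. */`. The replacement strings render on this page with their entities decoded (`""`, `">"`, and an empty `//g` pattern on the first context line), so the exact encoded form of the new replacement cannot be confirmed from the hunk alone. Appending the backtick step at the end of the chain is the right position provided an ampersand replacement, presumably above the hunk, stays first so the new entity is not re-encoded.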