diff --git a/src/utils/security.test.ts b/src/utils/security.test.ts
index 428c373..30eaeeb 100644
--- a/src/utils/security.test.ts
+++ b/src/utils/security.test.ts
@@ -10,6 +10,7 @@ describe('Security Utils', () => {
       expect(sanitizeInput('foo & bar')).toBe('foo &amp; bar');
       expect(sanitizeInput('"quotes"')).toBe('&quot;quotes&quot;');
       expect(sanitizeInput("'single quotes'")).toBe('&#039;single quotes&#039;');
+      expect(sanitizeInput('`backticks`')).toBe('&#96;backticks&#96;');
       expect(sanitizeInput('>')).toBe('&gt;');
     });
 
@@ -25,6 +26,12 @@ describe('Security Utils', () => {
       const expected = '&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;';
       expect(sanitizeInput(input)).toBe(expected);
     });
+
+    it('handles mixed content with backticks', () => {
+      const input = '`alert(1)`';
+      const expected = '&#96;alert(1)&#96;';
+      expect(sanitizeInput(input)).toBe(expected);
+    });
   });
 
   describe('isValidEmail', () => {
diff --git a/src/utils/security.ts b/src/utils/security.ts
index ec68c79..475e12b 100644
--- a/src/utils/security.ts
+++ b/src/utils/security.ts
@@ -14,7 +14,8 @@ export function sanitizeInput(input: string): string {
     .replace(/</g, "&lt;")
     .replace(/>/g, "&gt;")
     .replace(/"/g, "&quot;")
-    .replace(/'/g, "&#039;");
+    .replace(/'/g, "&#039;")
+    .replace(/`/g, "&#96;");
 }
 
 // Common disposable email providers and invalid domains