diff --git a/src/utils/sanitize.ts b/src/utils/sanitize.ts
new file mode 100644
index 0000000..549ac10
--- /dev/null
+++ b/src/utils/sanitize.ts
@@ -0,0 +1,18 @@
+/**
+ * Sanitize HTML entities in user input.
+ */
+export function escapeHtml(str: string): string {
+ return str
+ .replace(/&/g, "&")
+ .replace(//g, ">")
+ .replace(/"/g, """);
+ // Bug: missing single quote escaping — XSS via onclick='...'
+}
+
+/**
+ * Strip all HTML tags from a string.
+ */
+export function stripTags(html: string): string {
+ return html.replace(/<[^>]*>/g, "");
+}
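Review bot: As rendered, every replacement in escapeHtml substitutes a character with itself (`.replace(/&/g, "&")`, `.replace(/"/g, """)`), so the function escapes nothing and the `"""` literal is not even valid TypeScript; this is probably entity decoding in the page rendering rather than the author's text, but the committed file should be checked against the entity forms `&amp;`, `&lt;`, `&gt;`, `&quot;`. The trailing `// Bug: missing single quote escaping` comment acknowledges a gap the commit ships anyway: one more replacement, `.replace(/'/g, "&#39;")`, closes it, and the remark then belongs in the TSDoc rather than after the return statement. Replacement order matters — `&` must go first so the entities emitted by the later replacements are not escaped a second time — and the visible order already does that, so a comment saying why would keep it that way. stripTags removes only complete `<…>` spans and is not a sanitizer; its TSDoc should state it is for producing plain display text and that escapeHtml (or a parser-based sanitizer) is still required before the result is inserted into markup.
```typescript
export function escapeHtml(str: string): string {
  // `&` first, so the entities emitted below are not escaped a second time.
  return str
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}
// … unchanged: stripTags …
```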