lazy loading email templates

backend/services/email/core/emailUtils.js

@@ -90,9 +90,26 @@ function formatCurrency(amount, currency = "USD") {
   }).format(amount / 100);
 }
 
+/**
+ * Escape HTML special characters to prevent XSS attacks
+ * Converts characters that could be interpreted as HTML into safe entities
+ * @param {*} str - Value to escape (will be converted to string)
+ * @returns {string} HTML-escaped string safe for insertion into HTML
+ */
+function escapeHtml(str) {
+  if (str === null || str === undefined) return "";
+  return String(str)
+    .replace(/&/g, "&")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;")
+    .replace(/'/g, "&#039;");
+}
+
 module.exports = {
   htmlToPlainText,
   formatEmailDate,
   formatShortDate,
   formatCurrency,
+  escapeHtml,
 };