diff --git a/src/__tests__/sanitize.test.ts b/src/__tests__/sanitize.test.ts
new file mode 100644
index 0000000..550ecd0
--- /dev/null
+++ b/src/__tests__/sanitize.test.ts
@@ -0,0 +1,24 @@
+import { describe, it, expect } from "vitest";
+import { sanitizeFilename } from "../utils/sanitize.js";
+
+describe("sanitizeFilename", () => {
+  it("passes normal filename through", () => {
+    expect(sanitizeFilename("report.pdf")).toBe("report.pdf");
+  });
+  it("replaces control characters", () => {
+    expect(sanitizeFilename("file\x00name.pdf")).toBe("file_name.pdf");
+  });
+  it("replaces quotes", () => {
+    expect(sanitizeFilename('file"name.pdf')).toBe("file_name.pdf");
+  });
+  it("returns default for empty string", () => {
+    expect(sanitizeFilename("")).toBe("document.pdf");
+  });
+  it("truncates to 200 characters", () => {
+    const long = "a".repeat(250) + ".pdf";
+    expect(sanitizeFilename(long).length).toBeLessThanOrEqual(200);
+  });
+  it("supports custom default name", () => {
+    expect(sanitizeFilename("", "invoice.pdf")).toBe("invoice.pdf");
+  });
+});
diff --git a/src/__tests__/templates.test.ts b/src/__tests__/templates.test.ts
new file mode 100644
index 0000000..52ca00b
--- /dev/null
+++ b/src/__tests__/templates.test.ts
@@ -0,0 +1,57 @@
+import { describe, it, expect } from "vitest";
+import { renderTemplate, templates } from "../services/templates.js";
+
+// Access esc via rendering — test that HTML entities are escaped in output
+describe("Template rendering", () => {
+  it("throws for unknown template", () => {
+    expect(() => renderTemplate("nonexistent", {})).toThrow("not found");
+  });
+
+  it("invoice renders with correct totals", () => {
+    const html = renderTemplate("invoice", {
+      invoiceNumber: "INV-001",
+      date: "2026-01-01",
+      from: { name: "Seller" },
+      to: { name: "Buyer" },
+      items: [{ description: "Widget", quantity: 2, unitPrice: 10, taxRate: 20 }],
+    });
+    expect(html).toContain("INV-001");
+    expect(html).toContain("€20.00"); // subtotal: 2*10
+    expect(html).toContain("€4.00"); // tax: 20*0.2
+    expect(html).toContain("€24.00"); // total
+  });
+
+  it("receipt renders with correct total", () => {
+    const html = renderTemplate("receipt", {
+      receiptNumber: "R-001",
+      date: "2026-01-01",
+      from: { name: "Shop" },
+      items: [{ description: "Item A", amount: 15 }, { description: "Item B", amount: 25 }],
+    });
+    expect(html).toContain("R-001");
+    expect(html).toContain("€40.00");
+  });
+
+  it("defaults currency to €", () => {
+    const html = renderTemplate("invoice", {
+      invoiceNumber: "X", date: "2026-01-01",
+      from: { name: "A" }, to: { name: "B" },
+      items: [{ description: "Test", quantity: 1, unitPrice: 5 }],
+    });
+    expect(html).toContain("€5.00");
+  });
+
+  it("escapes HTML entities including single quotes", () => {
+    const html = renderTemplate("invoice", {
+      invoiceNumber: '<script>alert("xss")</script>',
+      date: "2026-01-01",
+      from: { name: "O'Brien & Co" },
+      to: { name: "Bob" },
+      items: [{ description: "Test", quantity: 1, unitPrice: 1 }],
+    });
+    expect(html).not.toContain("<script>");
+    expect(html).toContain("&lt;script&gt;");
+    expect(html).toContain("&#39;");
+    expect(html).toContain("&amp;");
+  });
+});
diff --git a/src/routes/convert.ts b/src/routes/convert.ts
index 18752d6..6330b1c 100644
--- a/src/routes/convert.ts
+++ b/src/routes/convert.ts
@@ -31,10 +31,7 @@ function isPrivateIP(ip: string): boolean {
   return false;
 }
 
-function sanitizeFilename(name: string): string {
-  // Strip characters dangerous in Content-Disposition headers
-  return name.replace(/[\x00-\x1f"\\\r\n]/g, "").trim() || "document.pdf";
-}
+import { sanitizeFilename } from "../utils/sanitize.js";
 
 export const convertRouter = Router();
 
diff --git a/src/routes/templates.ts b/src/routes/templates.ts
index 5210f4f..5c29a2e 100644
--- a/src/routes/templates.ts
+++ b/src/routes/templates.ts
@@ -2,10 +2,7 @@ import { Router, Request, Response } from "express";
 import { renderPdf } from "../services/browser.js";
 import logger from "../services/logger.js";
 import { templates, renderTemplate } from "../services/templates.js";
-
-function sanitizeFilename(name: string): string {
-  return name.replace(/["\r\n\x00-\x1f]/g, "_").substring(0, 200);
-}
+import { sanitizeFilename } from "../utils/sanitize.js";
 
 export const templatesRouter = Router();
 
diff --git a/src/services/templates.ts b/src/services/templates.ts
index e973add..388f3dc 100644
--- a/src/services/templates.ts
+++ b/src/services/templates.ts
@@ -43,7 +43,8 @@ function esc(s: string): string {
     .replace(/&/g, "&amp;")
     .replace(/</g, "&lt;")
     .replace(/>/g, "&gt;")
-    .replace(/"/g, "&quot;");
+    .replace(/"/g, "&quot;")
+    .replace(/'/g, "&#39;");
 }
 
 function renderInvoice(d: any): string {
diff --git a/src/utils/sanitize.ts b/src/utils/sanitize.ts
new file mode 100644
index 0000000..8ad506d
--- /dev/null
+++ b/src/utils/sanitize.ts
@@ -0,0 +1,4 @@
+export function sanitizeFilename(name: string, defaultName = "document.pdf"): string {
+  const sanitized = String(name || "").replace(/[\x00-\x1f"'\\\r\n]/g, "_").trim().substring(0, 200);
+  return sanitized || defaultName;
+}