Fix timezone shift and script-tag escape in news tab

Unix-int timestamps from Finnhub were returned as naive UTC, then
.timestamp() reinterpreted them as local time — shifting relative ages
and date filtering. Now normalize to local-naive like the other branches.

Also escape </ in the JSON embedded in <script>, so headlines containing
</script> cannot break out of the inline script.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

1 files changed, 3 insertions, 2 deletions

diff --git a/components/news.py b/components/news.py
index 90f0ddb..2a22b25 100644
--- a/components/news.py
+++ b/components/news.py
@@ -1,6 +1,7 @@
 """News tab rendered as a client-side HTML surface."""
 from datetime import date as _date
 from datetime import datetime as _dt
+from datetime import timezone as _tz
 from html import escape as _esc
 
 import streamlit.components.v1 as components
@@ -50,7 +51,7 @@ def _normalize_dt(raw):
         return _dt(raw.year, raw.month, raw.day)
     if isinstance(raw, (int, float)):
         try:
-            return _dt.utcfromtimestamp(float(raw))
+            return _dt.fromtimestamp(float(raw), tz=_tz.utc).astimezone().replace(tzinfo=None)
         except Exception:
             return None
 
@@ -163,7 +164,7 @@ def render_news(ticker: str):
     co_name = _esc(info.get("longName") or info.get("shortName") or ticker.upper())
     price_str = "${:,.2f}".format(cur_num) if cur_num is not None else "—"
 
-    rows_js = "const NEWS_ROWS=" + _json.dumps(rows) + ";"
+    rows_js = "const NEWS_ROWS=" + _json.dumps(rows).replace("</", "<\\/") + ";"
 
     n_rows = max(len(rows), 18)
     height = 1240 + n_rows * 28