Diffstat (limited to 'app.py')
| -rw-r--r-- | app.py | 19 |
1 files changed, 11 insertions, 8 deletions
@@ -408,6 +408,7 @@ hr {
 import plotly.graph_objects as go
 import plotly.io as pio
+from utils.security import escape_html, validate_outbound_url
 # ── Plotly theme ──────────────────────────────────────────────────────────────
 _prism_layout = go.Layout(
@@ -543,6 +544,8 @@ with st.sidebar:
 co_name = info.get("longName", ticker)
 price = get_latest_price(ticker)
 prev_close = info.get("previousClose") or info.get("regularMarketPreviousClose")
+ ticker_html = escape_html(ticker)
+ co_name_html = escape_html(co_name)
 # Ticker + name
 st.markdown(f"""
@@ -553,12 +556,12 @@ with st.sidebar:
 font-size: 2rem; color: #F2ECDC; line-height: 0.95; letter-spacing: -0.025em; margin-bottom: 4px;
- ">{ticker}</div>
+ ">{ticker_html}</div>
 <div style=" font-family: 'IBM Plex Sans', sans-serif; font-size: 11px; color: #8E8676; letter-spacing: 0.01em;
- ">{co_name}</div>
+ ">{co_name_html}</div>
 </div> """, unsafe_allow_html=True)
@@ -608,10 +611,10 @@ with st.sidebar:
 emp_str = f"{employees:,}" if isinstance(employees, int) else "—"
 rows = [
- ("Exchange", exchange),
- ("Sector", sector),
- ("Currency", currency),
- ("Employees", emp_str),
+ ("Exchange", escape_html(exchange)),
+ ("Sector", escape_html(sector)),
+ ("Currency", escape_html(currency)),
+ ("Employees", escape_html(emp_str)),
 ]
 rows_html = "".join(f""" <div style="display:flex;justify-content:space-between;align-items:baseline;">
@@ -628,11 +631,11 @@ with st.sidebar:
 ">{rows_html}</div> """, unsafe_allow_html=True)
- website = info.get("website", "")
+ website = validate_outbound_url(info.get("website", ""))
 if website:
 st.markdown(f"""
 <div style="padding:6px 0 0;">
- <a href="{website}" target="_blank" style="
+ <a href="{escape_html(website)}" target="_blank" rel="noopener noreferrer" style="
 font-family:'IBM Plex Sans',sans-serif; font-size:11px;color:#C2AA7A; text-decoration:none; |
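Review bot: In the `rows` list (hunk at -608) `escape_html` is now applied to `exchange`, `sector` and `currency`, but their assignments sit outside the hunk, so it is not visible whether they can be `None` when `info` lacks the key; if the helper in `utils.security` does not coerce non-str input, a missing field would now behave differently from the old f-string rendering, possibly raising. A cheap guard at the call sites, e.g. `("Exchange", escape_html(exchange or "—")),`, or a documented guarantee that `escape_html` stringifies its argument, would settle this. `escape_html(emp_str)` is harmless since `emp_str` is built from an int or the fixed `"—"` on the line above. The enclosing `with st.sidebar:` block starts outside the hunk.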
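Review bot: `escape_html(website)` in the hunk at -628 is interpolated inside a double-quoted `href` attribute, a different context from the `{ticker_html}` text-node uses in the earlier hunks, so the helper must also escape `"` (and ideally `'`) or a quote-bearing value that survived validation could still terminate the attribute. `utils.security` is not on this page; confirm `escape_html` quotes attribute characters (as `html.escape(s, quote=True)` does) or use an attribute-specific escaper at this call. The `if website:` guard implies `validate_outbound_url` returns a falsy value for rejected input, but that contract is only inferred here, so I would state it at the call site: `# validate_outbound_url is expected to return "" for rejected (e.g. non-http(s)) URLs — confirm in utils.security`. The added `rel="noopener noreferrer"` is the right companion to `target="_blank"`. The enclosing `with st.sidebar:` block starts outside the hunk.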
