From 0d888203cbc4dc596d0c05cedfeabe8785b263fc Mon Sep 17 00:00:00 2001
From: Tyler <tyler@tylerhoang.xyz>
Date: Sat, 16 May 2026 00:02:32 -0700
Subject: Fix valuation and data robustness bugs

---
 app.py                   |  19 +++--
 components/news.py       |  11 ++-
 components/valuation.py  |  85 +++++++++----------
 services/data_service.py | 217 ++++++++++++++++++++++++++++++++++++-----------
 utils/security.py        |  33 +++++++
 5 files changed, 261 insertions(+), 104 deletions(-)
 create mode 100644 utils/security.py

diff --git a/app.py b/app.py
index ff5ba35..bff6209 100644
--- a/app.py
+++ b/app.py
@@ -408,6 +408,7 @@ hr {
 
 import plotly.graph_objects as go
 import plotly.io as pio
+from utils.security import escape_html, validate_outbound_url
 
 # ── Plotly theme ──────────────────────────────────────────────────────────────
 _prism_layout = go.Layout(
@@ -543,6 +544,8 @@ with st.sidebar:
             co_name = info.get("longName", ticker)
             price = get_latest_price(ticker)
             prev_close = info.get("previousClose") or info.get("regularMarketPreviousClose")
+            ticker_html = escape_html(ticker)
+            co_name_html = escape_html(co_name)
 
             # Ticker + name
             st.markdown(f"""
@@ -553,12 +556,12 @@ with st.sidebar:
                 font-size: 2rem; color: #F2ECDC;
                 line-height: 0.95; letter-spacing: -0.025em;
                 margin-bottom: 4px;
-              ">{ticker}</div>
+              ">{ticker_html}</div>
               <div style="
                 font-family: 'IBM Plex Sans', sans-serif;
                 font-size: 11px; color: #8E8676;
                 letter-spacing: 0.01em;
-              ">{co_name}</div>
+              ">{co_name_html}</div>
             </div>
             """, unsafe_allow_html=True)
 
@@ -608,10 +611,10 @@ with st.sidebar:
             emp_str = f"{employees:,}" if isinstance(employees, int) else "—"
 
             rows = [
-                ("Exchange", exchange),
-                ("Sector", sector),
-                ("Currency", currency),
-                ("Employees", emp_str),
+                ("Exchange", escape_html(exchange)),
+                ("Sector", escape_html(sector)),
+                ("Currency", escape_html(currency)),
+                ("Employees", escape_html(emp_str)),
             ]
             rows_html = "".join(f"""
               <div style="display:flex;justify-content:space-between;align-items:baseline;">
@@ -628,11 +631,11 @@ with st.sidebar:
             ">{rows_html}</div>
             """, unsafe_allow_html=True)
 
-            website = info.get("website", "")
+            website = validate_outbound_url(info.get("website", ""))
             if website:
                 st.markdown(f"""
                 <div style="padding:6px 0 0;">
-                  <a href="{website}" target="_blank" style="
+                  <a href="{escape_html(website)}" target="_blank" rel="noopener noreferrer" style="
                     font-family:'IBM Plex Sans',sans-serif;
                     font-size:11px;color:#C2AA7A;
                     text-decoration:none;
diff --git a/components/news.py b/components/news.py
index 522826c..cb43ea8 100644
--- a/components/news.py
+++ b/components/news.py
@@ -3,6 +3,7 @@ import streamlit as st
 from datetime import datetime
 from services.news_service import get_company_news, get_news_sentiment
 from services.fmp_service import get_company_news as get_fmp_news
+from utils.security import escape_html, validate_outbound_url
 
 
 def _sentiment_badge(sentiment: str) -> str:
@@ -69,9 +70,10 @@ def render_news(ticker: str):
     for article in articles:
         headline = article.get("headline") or article.get("title", "No title")
         source = article.get("source") or article.get("site", "")
-        url = article.get("url") or article.get("newsURL") or article.get("url", "")
+        url = validate_outbound_url(article.get("url") or article.get("newsURL"))
         timestamp = article.get("datetime") or article.get("publishedDate", "")
         summary = article.get("summary") or article.get("text") or ""
+        headline_html = escape_html(headline)
 
         sentiment = _classify_sentiment(article)
         badge = _sentiment_badge(sentiment)
@@ -81,9 +83,12 @@ def render_news(ticker: str):
             col1, col2 = st.columns([5, 1])
             with col1:
                 if url:
-                    st.markdown(f"**[{headline}]({url})**")
+                    st.markdown(
+                        f'<strong><a href="{escape_html(url)}" target="_blank" rel="noopener noreferrer">{headline_html}</a></strong>',
+                        unsafe_allow_html=True,
+                    )
                 else:
-                    st.markdown(f"**{headline}**")
+                    st.markdown(f"<strong>{headline_html}</strong>", unsafe_allow_html=True)
                 meta = " · ".join(filter(None, [source, time_str]))
                 if meta:
                     st.caption(meta)
diff --git a/components/valuation.py b/components/valuation.py
index db352b3..9525c69 100644
--- a/components/valuation.py
+++ b/components/valuation.py
@@ -1,5 +1,4 @@
 """Valuation panel — key ratios, models, comparable companies, analyst targets, earnings history."""
-import json
 import numpy as np
 import pandas as pd
 import plotly.graph_objects as go
@@ -38,6 +37,7 @@ from services.valuation_service import (
     compute_raw_historical_growth_rate,
 )
 from utils.formatters import fmt_ratio, fmt_pct, fmt_large, fmt_currency
+from utils.security import escape_html, json_for_script
 
 
 FINANCIAL_SECTORS = {"Financial Services"}
@@ -116,6 +116,10 @@ def _escape_markdown_currency(value: str) -> str:
     return value.replace("$", r"\$")
 
 
+def _h(value) -> str:
+    return escape_html(value)
+
+
 def render_valuation(ticker: str):
     tabs = st.tabs([
         "Key Ratios",
@@ -503,10 +507,10 @@ def _render_ratios(ticker: str):
 
     _XMAP = {"NYQ": "NYSE", "NMS": "NASDAQ", "NGM": "NASDAQ", "NCM": "NASDAQ", "ASE": "AMEX"}
     raw_x = (info.get("exchange", "") if info else "") or ""
-    exchange = _XMAP.get(raw_x, raw_x) or "—"
-    co_name = (info.get("longName", ticker) if info else ticker) or ticker
-    sector = (info.get("sector", "—") if info else "—") or "—"
-    industry = (info.get("industry", "—") if info else "—") or "—"
+    exchange = _h(_XMAP.get(raw_x, raw_x) or "—")
+    co_name = _h((info.get("longName", ticker) if info else ticker) or ticker)
+    sector = _h((info.get("sector", "—") if info else "—") or "—")
+    industry = _h((info.get("industry", "—") if info else "—") or "—")
     n_peers = len(peers)
     from datetime import date as _date
     today_str = _date.today().strftime("%b %d, %Y")
@@ -1245,7 +1249,7 @@ def _build_dcf_canvas_html(
     bar_line_colors = ["#1F3B5E"] * len(discounted) + ["#DCC79E"]
     bar_text = [_fmt_b(v) for v in discounted] + [_fmt_b(tv_pv)]
 
-    plotly_data_json = json.dumps([{
+    plotly_data_json = json_for_script([{
         "type": "bar",
         "x": bar_x,
         "y": bar_y,
@@ -1256,7 +1260,7 @@ def _build_dcf_canvas_html(
         "hovertemplate": "%{x}: %{text}<extra></extra>",
         "cliponaxis": False,
     }])
-    plotly_layout_json = json.dumps({
+    plotly_layout_json = json_for_script({
         "paper_bgcolor": "#11151C",
         "plot_bgcolor": "#11151C",
         "margin": {"l": 48, "r": 8, "t": 28, "b": 36},
@@ -1280,7 +1284,7 @@ def _build_dcf_canvas_html(
         "uniformtext": {"mode": "hide", "minsize": 8},
     })
 
-    data_json = json.dumps({
+    data_json = json_for_script({
         "baseFcf": result["base_fcf"],
         "netDebt": result["net_debt"],
         "otherClaims": ctx["preferred_equity"] + ctx["minority_interest"],
@@ -1758,11 +1762,11 @@ def _build_multiples_canvas_html(ctx: dict) -> str:
             pr = get_ratios_for_tickers(peers[:6])
             if pr:
                 import statistics as _stats
-                eb_vs = [float(r["enterpriseValueMultipleTTM"]) for r in pr.values()
+                eb_vs = [float(r["enterpriseValueMultipleTTM"]) for r in pr
                          if r and r.get("enterpriseValueMultipleTTM") and 2 < r["enterpriseValueMultipleTTM"] < 100]
-                rv_vs = [float(r["priceToSalesRatioTTM"]) for r in pr.values()
-                         if r and r.get("priceToSalesRatioTTM") and 0.1 < r["priceToSalesRatioTTM"] < 50]
-                pb_vs = [float(r["priceToBookRatioTTM"]) for r in pr.values()
+                rv_vs = [float(r["evToSalesTTM"]) for r in pr
+                         if r and r.get("evToSalesTTM") and 0.1 < r["evToSalesTTM"] < 50]
+                pb_vs = [float(r["priceToBookRatioTTM"]) for r in pr
                          if r and r.get("priceToBookRatioTTM") and 0.5 < r["priceToBookRatioTTM"] < 200]
                 if eb_vs:
                     eb_sector = _stats.median(eb_vs)
@@ -1777,7 +1781,7 @@ def _build_multiples_canvas_html(ctx: dict) -> str:
     rv_sector = _clamp(rv_sector, 4.0, 20.0)
     pb_sector = _clamp(pb_sector, 4.0, 60.0)
 
-    dcf_iv = st.session_state.get("dcf_intrinsic")
+    dcf_iv = st.session_state.get(f"dcf_intrinsic_{ctx['ticker']}")
     dcf_wacc = st.session_state.get(f"dcf_wacc_{ctx['ticker']}", 10.0)
     dcf_tg = st.session_state.get(f"dcf_tg_{ctx['ticker']}", 2.5)
     dcf_yrs = st.session_state.get(f"dcf_yrs_{ctx['ticker']}", 5)
@@ -1891,9 +1895,9 @@ def _build_multiples_canvas_html(ctx: dict) -> str:
         dcf_meta_str = "Switch to DCF tab to compute"
 
     ticker = ctx["ticker"]
-    exchange = (ctx.get("info") or {}).get("exchange") or "—"
+    exchange = _h((ctx.get("info") or {}).get("exchange") or "—")
 
-    data_json = json.dumps({
+    data_json = json_for_script({
         "market": market, "shares": shares, "netDebt": net_debt,
         "totalDebt": total_debt, "cash": cash,
         "ebitda": ebitda, "revenue": revenue, "bookPs": book_ps,
@@ -2269,7 +2273,7 @@ def _render_dcf_model(ctx: dict):
         st.warning(result["error"])
         return
 
-    st.session_state["dcf_intrinsic"] = result["intrinsic_value_per_share"]
+    st.session_state[f"dcf_intrinsic_{ctx['ticker']}"] = result["intrinsic_value_per_share"]
     st.session_state[f"dcf_params_{ctx['ticker']}"] = {"wacc": wacc_pct, "tg": tg_pct, "yrs": yrs}
 
     # Cross-check: run other models at their current market multiples
@@ -2704,8 +2708,9 @@ def _render_models(ticker: str):
     st.caption(ctx["summary"])
     _render_model_availability(ctx)
 
-    if "models_view" not in st.session_state:
-        st.session_state["models_view"] = "dcf"
+    view_key = f"models_view_{ticker}"
+    if view_key not in st.session_state:
+        st.session_state[view_key] = "dcf"
 
     st.markdown(_DCF_RAIL_CSS, unsafe_allow_html=True)
 
@@ -2714,24 +2719,24 @@ def _render_models(ticker: str):
         if st.button(
             "Discounted Cash Flow",
             key=f"pick_dcf_{ticker}",
-            type="primary" if st.session_state["models_view"] == "dcf" else "secondary",
+            type="primary" if st.session_state[view_key] == "dcf" else "secondary",
             width="stretch",
         ):
-            st.session_state["models_view"] = "dcf"
+            st.session_state[view_key] = "dcf"
             st.rerun()
     with _pc2:
         if st.button(
             "Multiples",
             key=f"pick_mult_{ticker}",
-            type="primary" if st.session_state["models_view"] == "multiples" else "secondary",
+            type="primary" if st.session_state[view_key] == "multiples" else "secondary",
             width="stretch",
         ):
-            st.session_state["models_view"] = "multiples"
+            st.session_state[view_key] = "multiples"
             st.rerun()
 
     st.markdown("---")
 
-    view = st.session_state.get("models_view", "dcf")
+    view = st.session_state.get(view_key, "dcf")
     if view == "dcf":
         if ctx["dcf_available"]:
             _render_dcf_model(ctx)
@@ -2826,7 +2831,6 @@ _CC_CSS = """<style>
 
 
 def _render_comps(ticker: str):
-    import json as _json
 
     info = get_company_info(ticker)
     auto_peers = get_peers(ticker)
@@ -2978,7 +2982,7 @@ def _render_comps(ticker: str):
         })
 
     sym = ticker.upper()
-    name = (info.get("longName") or info.get("shortName") or sym) if info else sym
+    name = _h((info.get("longName") or info.get("shortName") or sym) if info else sym)
     price = get_latest_price(ticker)
     prev_close = (info.get("previousClose") if info else None)
     if price and prev_close and prev_close > 0:
@@ -2988,11 +2992,11 @@ def _render_comps(ticker: str):
     else:
         chg_str, chg_cls = "—", ""
     raw_x = (info.get("exchange", "") if info else "") or ""
-    exchange = _XMAP.get(raw_x, raw_x) or "—"
+    exchange = _h(_XMAP.get(raw_x, raw_x) or "—")
     price_str = f"${price:.2f}" if price else "—"
 
     n_peers = len(peers) - 1
-    data_json = _json.dumps({
+    data_json = json_for_script({
         "subject": sym,
         "peers": peers,
         "peerMedian": peer_median_row,
@@ -3257,7 +3261,6 @@ _AT_CSS = """<style>
 # ── Analyst Targets ──────────────────────────────────────────────────────────
 
 def _render_analyst_targets(ticker: str):
-    import json as _json
 
     targets = get_analyst_price_targets(ticker)
     recs = get_recommendations_summary(ticker)
@@ -3409,7 +3412,7 @@ def _render_analyst_targets(ticker: str):
 
     # Context strip
     sym = ticker.upper()
-    name = (info.get("longName") or info.get("shortName") or sym) if info else sym
+    name = _h((info.get("longName") or info.get("shortName") or sym) if info else sym)
     price = get_latest_price(ticker)
     prev_close = (info.get("previousClose") if info else None)
     if price and prev_close and prev_close > 0:
@@ -3420,7 +3423,7 @@ def _render_analyst_targets(ticker: str):
         chg_str, chg_cls = "—", ""
     _XMAP = {"NYQ": "NYSE", "NMS": "NASDAQ", "NGM": "NASDAQ", "NCM": "NASDAQ", "ASE": "AMEX"}
     raw_x = (info.get("exchange", "") if info else "") or ""
-    exchange = _XMAP.get(raw_x, raw_x) or "—"
+    exchange = _h(_XMAP.get(raw_x, raw_x) or "—")
     price_str = f"${price:.2f}" if price else "—"
 
     ctx_html = (
@@ -3580,7 +3583,6 @@ _EH_CSS = """<style>
 
 
 def _render_earnings_history(ticker: str):
-    import json as _json
 
     eh = get_earnings_history(ticker)
     next_date = get_next_earnings_date(ticker)
@@ -3812,7 +3814,7 @@ def _render_earnings_history(ticker: str):
 
     # Context strip
     sym = ticker.upper()
-    name = (info.get("longName") or info.get("shortName") or sym) if info else sym
+    name = _h((info.get("longName") or info.get("shortName") or sym) if info else sym)
     price = get_latest_price(ticker)
     prev_close = (info.get("previousClose") if info else None)
     if price and prev_close and prev_close > 0:
@@ -3823,7 +3825,7 @@ def _render_earnings_history(ticker: str):
         chg_str, chg_cls = "—", ""
     _XMAP = {"NYQ": "NYSE", "NMS": "NASDAQ", "NGM": "NASDAQ", "NCM": "NASDAQ", "ASE": "AMEX"}
     raw_x = (info.get("exchange", "") if info else "") or ""
-    exchange = _XMAP.get(raw_x, raw_x) or "—"
+    exchange = _h(_XMAP.get(raw_x, raw_x) or "—")
     price_str = f"${price:.2f}" if price else "—"
 
     ctx_html = (
@@ -3838,7 +3840,7 @@ def _render_earnings_history(ticker: str):
         '</div></div>'
     )
 
-    next_date_str = next_date if next_date else "Not scheduled"
+    next_date_str = _h(next_date if next_date else "Not scheduled")
     med_surp_str = (f"{med_surprise * 100:+.1f}%" if med_surprise is not None else "—")
 
     lede_html = (
@@ -4060,7 +4062,6 @@ _KH_CSS = """<style>
 
 
 def _render_historical_ratios(ticker: str):
-    import json as _json
     info = get_company_info(ticker)
     hist_rows = get_historical_ratios(ticker, limit=10)
     if not hist_rows:
@@ -4110,16 +4111,16 @@ def _render_historical_ratios(ticker: str):
     else:
         chg_str, chg_cls = "—", ""
     sym = ticker.upper()
-    name = (info.get("longName") or info.get("shortName") or sym) if info else sym
+    name = _h((info.get("longName") or info.get("shortName") or sym) if info else sym)
     _XMAP = {"NYQ": "NYSE", "NMS": "NASDAQ", "NGM": "NASDAQ", "NCM": "NASDAQ", "ASE": "AMEX"}
     raw_x = (info.get("exchange", "") if info else "") or ""
-    exchange = _XMAP.get(raw_x, raw_x) or "—"
+    exchange = _h(_XMAP.get(raw_x, raw_x) or "—")
     price_str = f"${price:.2f}" if price else "—"
     n_periods = len(periods)
     n_rows = len(series_data)
     n_groups = len({s["group"] for s in series_data})
     total_height = 48 + 24 + 180 + 24 + 420 + 24 + (68 + n_groups * 50 + n_rows * 42) + 24 + 60 + 60
-    data_json = _json.dumps({"periods": periods, "series": series_data})
+    data_json = json_for_script({"periods": periods, "series": series_data})
     ctx_html = (
         f'<div class="val-ctx">'
         f'<span class="sym">{sym}</span>'
@@ -4396,7 +4397,6 @@ table.fe-table td:first-child{text-align:left;color:var(--fg-1);font-weight:500}
 
 
 def _render_forward_estimates(ticker: str):
-    import json as _json
 
     with st.spinner("Loading forward estimates…"):
         estimates = get_analyst_estimates(ticker)
@@ -4562,7 +4562,7 @@ def _render_forward_estimates(ticker: str):
     # Context strip
     info = get_company_info(ticker)
     sym = ticker.upper()
-    name = (info.get("longName") or info.get("shortName") or sym) if info else sym
+    name = _h((info.get("longName") or info.get("shortName") or sym) if info else sym)
     price = get_latest_price(ticker)
     prev_close = (info.get("previousClose") if info else None)
     if price and prev_close and prev_close > 0:
@@ -4573,7 +4573,7 @@ def _render_forward_estimates(ticker: str):
         chg_str, chg_cls = "—", ""
     _XMAP = {"NYQ": "NYSE", "NMS": "NASDAQ", "NGM": "NASDAQ", "NCM": "NASDAQ", "ASE": "AMEX"}
     raw_x = (info.get("exchange", "") if info else "") or ""
-    exchange = _XMAP.get(raw_x, raw_x) or "—"
+    exchange = _h(_XMAP.get(raw_x, raw_x) or "—")
     price_str = f"${price:.2f}" if price else "—"
 
     ctx_html = (
@@ -4702,7 +4702,7 @@ def _render_forward_estimates(ticker: str):
     )
 
     js = (
-        "const D=" + _json.dumps(chart_data) + ";\n"
+        "const D=" + json_for_script(chart_data) + ";\n"
         "function showTab(tab,el){"
         "document.querySelectorAll('.tab-pill').forEach(function(b){"
         "b.className='tab-pill '+(b===el?'active':'inactive');"
@@ -4779,4 +4779,3 @@ def _render_forward_estimates(ticker: str):
 
     height = 1320 + len(annual_rows) * 50
     components.html(doc, height=height, scrolling=False)
-
diff --git a/services/data_service.py b/services/data_service.py
index bfd1290..9c82e14 100644
--- a/services/data_service.py
+++ b/services/data_service.py
@@ -26,9 +26,12 @@ def search_tickers(query: str) -> list[dict]:
 @st.cache_data(ttl=300)
 def get_company_info(ticker: str) -> dict:
     """Return company info dict from yfinance."""
-    t = yf.Ticker(ticker.upper())
-    info = t.info or {}
-    return info
+    try:
+        t = yf.Ticker(ticker.upper())
+        info = t.info or {}
+        return info if isinstance(info, dict) else {}
+    except Exception:
+        return {}
 
 
 @st.cache_data(ttl=300)
@@ -57,7 +60,7 @@ def get_shares_outstanding(ticker: str) -> float | None:
     try:
         t = yf.Ticker(ticker.upper())
         info = t.info or {}
-        for key in ("sharesOutstanding", "impliedSharesOutstanding", "floatShares"):
+        for key in ("sharesOutstanding", "impliedSharesOutstanding"):
             val = info.get(key)
             if val is not None:
                 return float(val)
@@ -88,31 +91,45 @@ def get_market_cap_computed(ticker: str) -> float | None:
 @st.cache_data(ttl=300)
 def get_price_history(ticker: str, period: str = "1y") -> pd.DataFrame:
     """Return OHLCV price history."""
-    t = yf.Ticker(ticker.upper())
-    df = t.history(period=period)
-    df.index = pd.to_datetime(df.index)
-    return df
+    try:
+        t = yf.Ticker(ticker.upper())
+        df = t.history(period=period)
+        if df is None or df.empty:
+            return pd.DataFrame()
+        df.index = pd.to_datetime(df.index)
+        return df
+    except Exception:
+        return pd.DataFrame()
 
 
 @st.cache_data(ttl=3600)
 def get_income_statement(ticker: str, quarterly: bool = False) -> pd.DataFrame:
-    t = yf.Ticker(ticker.upper())
-    df = t.quarterly_income_stmt if quarterly else t.income_stmt
-    return df if df is not None else pd.DataFrame()
+    try:
+        t = yf.Ticker(ticker.upper())
+        df = t.quarterly_income_stmt if quarterly else t.income_stmt
+        return df if df is not None else pd.DataFrame()
+    except Exception:
+        return pd.DataFrame()
 
 
 @st.cache_data(ttl=3600)
 def get_balance_sheet(ticker: str, quarterly: bool = False) -> pd.DataFrame:
-    t = yf.Ticker(ticker.upper())
-    df = t.quarterly_balance_sheet if quarterly else t.balance_sheet
-    return df if df is not None else pd.DataFrame()
+    try:
+        t = yf.Ticker(ticker.upper())
+        df = t.quarterly_balance_sheet if quarterly else t.balance_sheet
+        return df if df is not None else pd.DataFrame()
+    except Exception:
+        return pd.DataFrame()
 
 
 @st.cache_data(ttl=3600)
 def get_cash_flow(ticker: str, quarterly: bool = False) -> pd.DataFrame:
-    t = yf.Ticker(ticker.upper())
-    df = t.quarterly_cashflow if quarterly else t.cashflow
-    return df if df is not None else pd.DataFrame()
+    try:
+        t = yf.Ticker(ticker.upper())
+        df = t.quarterly_cashflow if quarterly else t.cashflow
+        return df if df is not None else pd.DataFrame()
+    except Exception:
+        return pd.DataFrame()
 
 
 @st.cache_data(ttl=300)
@@ -188,12 +205,51 @@ def get_next_earnings_date(ticker: str) -> str | None:
     """Return the next expected earnings date as a string, or None.
     Uses t.calendar (no lxml dependency).
     """
+    def _collect_dates(value) -> list:
+        if value is None:
+            return []
+        if isinstance(value, dict):
+            for key in ("Earnings Date", "earningsDate", "earnings_date"):
+                if key in value:
+                    return _collect_dates(value.get(key))
+            out = []
+            for nested in value.values():
+                out.extend(_collect_dates(nested))
+            return out
+        if isinstance(value, pd.DataFrame):
+            out = []
+            for col in value.columns:
+                out.extend(_collect_dates(value[col]))
+            return out
+        if isinstance(value, pd.Series):
+            if "Earnings Date" in value.index:
+                return _collect_dates(value.get("Earnings Date"))
+            return _collect_dates(value.tolist())
+        if isinstance(value, pd.Index):
+            return _collect_dates(value.tolist())
+        if isinstance(value, (list, tuple, set)):
+            out = []
+            for item in value:
+                out.extend(_collect_dates(item))
+            return out
+        return [value]
+
     try:
         t = yf.Ticker(ticker.upper())
         cal = t.calendar
-        dates = cal.get("Earnings Date", [])
-        if dates:
-            return str(dates[0])
+        raw_dates = _collect_dates(cal)
+        parsed_dates = []
+        for value in raw_dates:
+            dt = pd.to_datetime(value, errors="coerce")
+            if pd.notna(dt):
+                ts = pd.Timestamp(dt)
+                parsed_dates.append(ts.tz_localize(None) if ts.tzinfo else ts)
+
+        if parsed_dates:
+            today = pd.Timestamp.today().normalize()
+            future_dates = sorted({dt.normalize() for dt in parsed_dates if dt.normalize() >= today})
+            chosen = future_dates[0] if future_dates else sorted({dt.normalize() for dt in parsed_dates})[0]
+            return chosen.strftime("%b %d, %Y")
         return None
     except Exception:
         return None
@@ -481,14 +537,67 @@ def get_historical_ratios_yfinance(ticker: str) -> list[dict]:
         t = yf.Ticker(ticker.upper())
         income = t.income_stmt       # rows=metrics, cols=fiscal-year dates
         balance = t.balance_sheet
-        info = t.info or {}
 
         if income is None or income.empty:
             return []
 
+        try:
+            shares_history = t.get_shares_full(start="2000-01-01")
+            if isinstance(shares_history, pd.Series):
+                shares_history = shares_history.dropna().sort_index()
+            else:
+                shares_history = pd.Series(dtype=float)
+        except Exception:
+            shares_history = pd.Series(dtype=float)
+
+        def _balance_shares(period_date) -> float | None:
+            if balance is None or balance.empty or period_date not in balance.columns:
+                return None
+            for label in (
+                "Ordinary Shares Number",
+                "Share Issued",
+                "Common Stock Shares Outstanding",
+            ):
+                if label in balance.index:
+                    value = balance.loc[label, period_date]
+                    if pd.notna(value):
+                        try:
+                            shares_value = float(value)
+                        except (TypeError, ValueError):
+                            continue
+                        if shares_value > 0:
+                            return shares_value
+            return None
+
+        def _historical_shares_for_date(period_date) -> float | None:
+            direct_balance_shares = _balance_shares(period_date)
+            if direct_balance_shares:
+                return direct_balance_shares
+            if shares_history.empty:
+                return None
+
+            target = pd.Timestamp(period_date)
+            index = shares_history.index
+            if getattr(index, "tz", None) is not None and target.tzinfo is None:
+                target = target.tz_localize(index.tz)
+            elif getattr(index, "tz", None) is None and target.tzinfo is not None:
+                target = target.tz_localize(None)
+
+            deltas = pd.Series(index - target, index=index).abs()
+            if deltas.empty:
+                return None
+            nearest_idx = deltas.idxmin()
+            if abs(pd.Timestamp(nearest_idx) - target) > pd.Timedelta(days=180):
+                return None
+
+            try:
+                shares_value = float(shares_history.loc[nearest_idx])
+            except (TypeError, ValueError):
+                return None
+            return shares_value if shares_value > 0 else None
+
         # One year of monthly price history per fiscal year going back 10 years
         hist = t.history(period="10y", interval="1mo")
-        shares = get_shares_outstanding(ticker)
 
         rows: list[dict] = []
         for date in income.columns:
@@ -549,8 +658,10 @@ def get_historical_ratios_yfinance(ticker: str) -> list[dict]:
                     if abs(roa) < 10:
                         row["returnOnAssets"] = roa
 
-            # Price-based ratios — average closing price in ±45-day window around year-end
-            if shares and not hist.empty:
+            period_shares = _historical_shares_for_date(date)
+
+            # Price-based ratios use period-appropriate shares when available.
+            if period_shares and not hist.empty:
                 try:
                     date_ts = pd.Timestamp(date)
                     # Normalize timezones: yfinance history index may be tz-aware
@@ -564,7 +675,7 @@ def get_historical_ratios_yfinance(ticker: str) -> list[dict]:
                     window = hist.loc[mask, "Close"]
                     if not window.empty:
                         price = float(window.mean())
-                        market_cap = price * shares
+                        market_cap = price * period_shares
 
                         if net_income and net_income > 0:
                             row["peRatio"] = market_cap / net_income
@@ -671,40 +782,46 @@ def get_balance_sheet_bridge_items(ticker: str) -> dict:
 @st.cache_data(ttl=3600)
 def get_free_cash_flow_series(ticker: str) -> pd.Series:
     """Return annual Free Cash Flow series (most recent first)."""
-    t = yf.Ticker(ticker.upper())
-    cf = t.cashflow
-    if cf is None or cf.empty:
-        return pd.Series(dtype=float)
-    if "Free Cash Flow" in cf.index:
-        return cf.loc["Free Cash Flow"].dropna()
-    # Compute from operating CF - capex
     try:
-        op = cf.loc["Operating Cash Flow"]
-        capex = cf.loc["Capital Expenditure"]
-        return (op + capex).dropna()
-    except KeyError:
+        t = yf.Ticker(ticker.upper())
+        cf = t.cashflow
+        if cf is None or cf.empty:
+            return pd.Series(dtype=float)
+        if "Free Cash Flow" in cf.index:
+            return cf.loc["Free Cash Flow"].dropna()
+        # Compute from operating CF - capex
+        try:
+            op = cf.loc["Operating Cash Flow"]
+            capex = cf.loc["Capital Expenditure"]
+            return (op + capex).dropna()
+        except KeyError:
+            return pd.Series(dtype=float)
+    except Exception:
         return pd.Series(dtype=float)
 
 
 @st.cache_data(ttl=3600)
 def get_free_cash_flow_ttm(ticker: str) -> float | None:
     """Return trailing-twelve-month free cash flow from quarterly cash flow statements."""
-    t = yf.Ticker(ticker.upper())
-    cf_q = t.quarterly_cashflow
-    if cf_q is None or cf_q.empty:
-        return None
+    try:
+        t = yf.Ticker(ticker.upper())
+        cf_q = t.quarterly_cashflow
+        if cf_q is None or cf_q.empty:
+            return None
 
-    if "Free Cash Flow" in cf_q.index:
-        vals = cf_q.loc["Free Cash Flow"].iloc[:4].dropna()
-        if len(vals) == 4:
-            return float(vals.sum())
+        if "Free Cash Flow" in cf_q.index:
+            vals = cf_q.loc["Free Cash Flow"].iloc[:4].dropna()
+            if len(vals) == 4:
+                return float(vals.sum())
 
-    try:
-        op = cf_q.loc["Operating Cash Flow"].iloc[:4].dropna()
-        capex = cf_q.loc["Capital Expenditure"].iloc[:4].dropna()
-        if len(op) == 4 and len(capex) == 4:
-            return float((op + capex).sum())
-    except KeyError:
+        try:
+            op = cf_q.loc["Operating Cash Flow"].iloc[:4].dropna()
+            capex = cf_q.loc["Capital Expenditure"].iloc[:4].dropna()
+            if len(op) == 4 and len(capex) == 4:
+                return float((op + capex).sum())
+        except KeyError:
+            return None
+    except Exception:
         return None
 
     return None
diff --git a/utils/security.py b/utils/security.py
new file mode 100644
index 0000000..962422b
--- /dev/null
+++ b/utils/security.py
@@ -0,0 +1,33 @@
+"""Minimal helpers for safely rendering external text and URLs."""
+from html import escape
+from urllib.parse import urlparse
+
+
+def escape_html(value) -> str:
+    """Escape a value for HTML text or attribute contexts."""
+    if value is None:
+        return ""
+    return escape(str(value), quote=True)
+
+
+def validate_outbound_url(url: str | None) -> str | None:
+    """Allow only absolute http/https outbound URLs."""
+    if not url:
+        return None
+
+    candidate = str(url).strip()
+    if not candidate:
+        return None
+
+    parsed = urlparse(candidate)
+    if parsed.scheme not in {"http", "https"} or not parsed.netloc:
+        return None
+
+    return parsed.geturl()
+
+
+def json_for_script(value) -> str:
+    """Serialize JSON for safe embedding inside inline script tags."""
+    import json
+
+    return json.dumps(value).replace("</", "<\\/")
-- 
cgit v1.3-2-g0d8e