From 0d888203cbc4dc596d0c05cedfeabe8785b263fc Mon Sep 17 00:00:00 2001
From: Tyler <tyler@tylerhoang.xyz>
Date: Sat, 16 May 2026 00:02:32 -0700
Subject: Fix valuation and data robustness bugs

---
 components/news.py      | 11 +++++--
 components/valuation.py | 85 ++++++++++++++++++++++++-------------------------
 2 files changed, 50 insertions(+), 46 deletions(-)

(limited to 'components')

diff --git a/components/news.py b/components/news.py
index 522826c..cb43ea8 100644
--- a/components/news.py
+++ b/components/news.py
@@ -3,6 +3,7 @@ import streamlit as st
 from datetime import datetime
 from services.news_service import get_company_news, get_news_sentiment
 from services.fmp_service import get_company_news as get_fmp_news
+from utils.security import escape_html, validate_outbound_url
 
 
 def _sentiment_badge(sentiment: str) -> str:
@@ -69,9 +70,10 @@ def render_news(ticker: str):
     for article in articles:
         headline = article.get("headline") or article.get("title", "No title")
         source = article.get("source") or article.get("site", "")
-        url = article.get("url") or article.get("newsURL") or article.get("url", "")
+        url = validate_outbound_url(article.get("url") or article.get("newsURL"))
         timestamp = article.get("datetime") or article.get("publishedDate", "")
         summary = article.get("summary") or article.get("text") or ""
+        headline_html = escape_html(headline)
 
         sentiment = _classify_sentiment(article)
         badge = _sentiment_badge(sentiment)
@@ -81,9 +83,12 @@ def render_news(ticker: str):
             col1, col2 = st.columns([5, 1])
             with col1:
                 if url:
-                    st.markdown(f"**[{headline}]({url})**")
+                    st.markdown(
+                        f'<strong><a href="{escape_html(url)}" target="_blank" rel="noopener noreferrer">{headline_html}</a></strong>',
+                        unsafe_allow_html=True,
+                    )
                 else:
-                    st.markdown(f"**{headline}**")
+                    st.markdown(f"<strong>{headline_html}</strong>", unsafe_allow_html=True)
                 meta = " · ".join(filter(None, [source, time_str]))
                 if meta:
                     st.caption(meta)
diff --git a/components/valuation.py b/components/valuation.py
index db352b3..9525c69 100644
--- a/components/valuation.py
+++ b/components/valuation.py
@@ -1,5 +1,4 @@
 """Valuation panel — key ratios, models, comparable companies, analyst targets, earnings history."""
-import json
 import numpy as np
 import pandas as pd
 import plotly.graph_objects as go
@@ -38,6 +37,7 @@ from services.valuation_service import (
     compute_raw_historical_growth_rate,
 )
 from utils.formatters import fmt_ratio, fmt_pct, fmt_large, fmt_currency
+from utils.security import escape_html, json_for_script
 
 
 FINANCIAL_SECTORS = {"Financial Services"}
@@ -116,6 +116,10 @@ def _escape_markdown_currency(value: str) -> str:
     return value.replace("$", r"\$")
 
 
+def _h(value) -> str:
+    return escape_html(value)
+
+
 def render_valuation(ticker: str):
     tabs = st.tabs([
         "Key Ratios",
@@ -503,10 +507,10 @@ def _render_ratios(ticker: str):
 
     _XMAP = {"NYQ": "NYSE", "NMS": "NASDAQ", "NGM": "NASDAQ", "NCM": "NASDAQ", "ASE": "AMEX"}
     raw_x = (info.get("exchange", "") if info else "") or ""
-    exchange = _XMAP.get(raw_x, raw_x) or "—"
-    co_name = (info.get("longName", ticker) if info else ticker) or ticker
-    sector = (info.get("sector", "—") if info else "—") or "—"
-    industry = (info.get("industry", "—") if info else "—") or "—"
+    exchange = _h(_XMAP.get(raw_x, raw_x) or "—")
+    co_name = _h((info.get("longName", ticker) if info else ticker) or ticker)
+    sector = _h((info.get("sector", "—") if info else "—") or "—")
+    industry = _h((info.get("industry", "—") if info else "—") or "—")
     n_peers = len(peers)
     from datetime import date as _date
     today_str = _date.today().strftime("%b %d, %Y")
@@ -1245,7 +1249,7 @@ def _build_dcf_canvas_html(
     bar_line_colors = ["#1F3B5E"] * len(discounted) + ["#DCC79E"]
     bar_text = [_fmt_b(v) for v in discounted] + [_fmt_b(tv_pv)]
 
-    plotly_data_json = json.dumps([{
+    plotly_data_json = json_for_script([{
         "type": "bar",
         "x": bar_x,
         "y": bar_y,
@@ -1256,7 +1260,7 @@ def _build_dcf_canvas_html(
         "hovertemplate": "%{x}: %{text}<extra></extra>",
         "cliponaxis": False,
     }])
-    plotly_layout_json = json.dumps({
+    plotly_layout_json = json_for_script({
         "paper_bgcolor": "#11151C",
         "plot_bgcolor": "#11151C",
         "margin": {"l": 48, "r": 8, "t": 28, "b": 36},
@@ -1280,7 +1284,7 @@ def _build_dcf_canvas_html(
         "uniformtext": {"mode": "hide", "minsize": 8},
     })
 
-    data_json = json.dumps({
+    data_json = json_for_script({
         "baseFcf": result["base_fcf"],
         "netDebt": result["net_debt"],
         "otherClaims": ctx["preferred_equity"] + ctx["minority_interest"],
@@ -1758,11 +1762,11 @@ def _build_multiples_canvas_html(ctx: dict) -> str:
             pr = get_ratios_for_tickers(peers[:6])
             if pr:
                 import statistics as _stats
-                eb_vs = [float(r["enterpriseValueMultipleTTM"]) for r in pr.values()
+                eb_vs = [float(r["enterpriseValueMultipleTTM"]) for r in pr
                          if r and r.get("enterpriseValueMultipleTTM") and 2 < r["enterpriseValueMultipleTTM"] < 100]
-                rv_vs = [float(r["priceToSalesRatioTTM"]) for r in pr.values()
-                         if r and r.get("priceToSalesRatioTTM") and 0.1 < r["priceToSalesRatioTTM"] < 50]
-                pb_vs = [float(r["priceToBookRatioTTM"]) for r in pr.values()
+                rv_vs = [float(r["evToSalesTTM"]) for r in pr
+                         if r and r.get("evToSalesTTM") and 0.1 < r["evToSalesTTM"] < 50]
+                pb_vs = [float(r["priceToBookRatioTTM"]) for r in pr
                          if r and r.get("priceToBookRatioTTM") and 0.5 < r["priceToBookRatioTTM"] < 200]
                 if eb_vs:
                     eb_sector = _stats.median(eb_vs)
@@ -1777,7 +1781,7 @@ def _build_multiples_canvas_html(ctx: dict) -> str:
     rv_sector = _clamp(rv_sector, 4.0, 20.0)
     pb_sector = _clamp(pb_sector, 4.0, 60.0)
 
-    dcf_iv = st.session_state.get("dcf_intrinsic")
+    dcf_iv = st.session_state.get(f"dcf_intrinsic_{ctx['ticker']}")
     dcf_wacc = st.session_state.get(f"dcf_wacc_{ctx['ticker']}", 10.0)
     dcf_tg = st.session_state.get(f"dcf_tg_{ctx['ticker']}", 2.5)
     dcf_yrs = st.session_state.get(f"dcf_yrs_{ctx['ticker']}", 5)
@@ -1891,9 +1895,9 @@ def _build_multiples_canvas_html(ctx: dict) -> str:
         dcf_meta_str = "Switch to DCF tab to compute"
 
     ticker = ctx["ticker"]
-    exchange = (ctx.get("info") or {}).get("exchange") or "—"
+    exchange = _h((ctx.get("info") or {}).get("exchange") or "—")
 
-    data_json = json.dumps({
+    data_json = json_for_script({
         "market": market, "shares": shares, "netDebt": net_debt,
         "totalDebt": total_debt, "cash": cash,
         "ebitda": ebitda, "revenue": revenue, "bookPs": book_ps,
@@ -2269,7 +2273,7 @@ def _render_dcf_model(ctx: dict):
         st.warning(result["error"])
         return
 
-    st.session_state["dcf_intrinsic"] = result["intrinsic_value_per_share"]
+    st.session_state[f"dcf_intrinsic_{ctx['ticker']}"] = result["intrinsic_value_per_share"]
     st.session_state[f"dcf_params_{ctx['ticker']}"] = {"wacc": wacc_pct, "tg": tg_pct, "yrs": yrs}
 
     # Cross-check: run other models at their current market multiples
@@ -2704,8 +2708,9 @@ def _render_models(ticker: str):
     st.caption(ctx["summary"])
     _render_model_availability(ctx)
 
-    if "models_view" not in st.session_state:
-        st.session_state["models_view"] = "dcf"
+    view_key = f"models_view_{ticker}"
+    if view_key not in st.session_state:
+        st.session_state[view_key] = "dcf"
 
     st.markdown(_DCF_RAIL_CSS, unsafe_allow_html=True)
 
@@ -2714,24 +2719,24 @@ def _render_models(ticker: str):
         if st.button(
             "Discounted Cash Flow",
             key=f"pick_dcf_{ticker}",
-            type="primary" if st.session_state["models_view"] == "dcf" else "secondary",
+            type="primary" if st.session_state[view_key] == "dcf" else "secondary",
             width="stretch",
         ):
-            st.session_state["models_view"] = "dcf"
+            st.session_state[view_key] = "dcf"
             st.rerun()
     with _pc2:
         if st.button(
             "Multiples",
             key=f"pick_mult_{ticker}",
-            type="primary" if st.session_state["models_view"] == "multiples" else "secondary",
+            type="primary" if st.session_state[view_key] == "multiples" else "secondary",
             width="stretch",
         ):
-            st.session_state["models_view"] = "multiples"
+            st.session_state[view_key] = "multiples"
             st.rerun()
 
     st.markdown("---")
 
-    view = st.session_state.get("models_view", "dcf")
+    view = st.session_state.get(view_key, "dcf")
     if view == "dcf":
         if ctx["dcf_available"]:
             _render_dcf_model(ctx)
@@ -2826,7 +2831,6 @@ _CC_CSS = """<style>
 
 
 def _render_comps(ticker: str):
-    import json as _json
 
     info = get_company_info(ticker)
     auto_peers = get_peers(ticker)
@@ -2978,7 +2982,7 @@ def _render_comps(ticker: str):
         })
 
     sym = ticker.upper()
-    name = (info.get("longName") or info.get("shortName") or sym) if info else sym
+    name = _h((info.get("longName") or info.get("shortName") or sym) if info else sym)
     price = get_latest_price(ticker)
     prev_close = (info.get("previousClose") if info else None)
     if price and prev_close and prev_close > 0:
@@ -2988,11 +2992,11 @@ def _render_comps(ticker: str):
     else:
         chg_str, chg_cls = "—", ""
     raw_x = (info.get("exchange", "") if info else "") or ""
-    exchange = _XMAP.get(raw_x, raw_x) or "—"
+    exchange = _h(_XMAP.get(raw_x, raw_x) or "—")
     price_str = f"${price:.2f}" if price else "—"
 
     n_peers = len(peers) - 1
-    data_json = _json.dumps({
+    data_json = json_for_script({
         "subject": sym,
         "peers": peers,
         "peerMedian": peer_median_row,
@@ -3257,7 +3261,6 @@ _AT_CSS = """<style>
 # ── Analyst Targets ──────────────────────────────────────────────────────────
 
 def _render_analyst_targets(ticker: str):
-    import json as _json
 
     targets = get_analyst_price_targets(ticker)
     recs = get_recommendations_summary(ticker)
@@ -3409,7 +3412,7 @@ def _render_analyst_targets(ticker: str):
 
     # Context strip
     sym = ticker.upper()
-    name = (info.get("longName") or info.get("shortName") or sym) if info else sym
+    name = _h((info.get("longName") or info.get("shortName") or sym) if info else sym)
     price = get_latest_price(ticker)
     prev_close = (info.get("previousClose") if info else None)
     if price and prev_close and prev_close > 0:
@@ -3420,7 +3423,7 @@ def _render_analyst_targets(ticker: str):
         chg_str, chg_cls = "—", ""
     _XMAP = {"NYQ": "NYSE", "NMS": "NASDAQ", "NGM": "NASDAQ", "NCM": "NASDAQ", "ASE": "AMEX"}
     raw_x = (info.get("exchange", "") if info else "") or ""
-    exchange = _XMAP.get(raw_x, raw_x) or "—"
+    exchange = _h(_XMAP.get(raw_x, raw_x) or "—")
     price_str = f"${price:.2f}" if price else "—"
 
     ctx_html = (
@@ -3580,7 +3583,6 @@ _EH_CSS = """<style>
 
 
 def _render_earnings_history(ticker: str):
-    import json as _json
 
     eh = get_earnings_history(ticker)
     next_date = get_next_earnings_date(ticker)
@@ -3812,7 +3814,7 @@ def _render_earnings_history(ticker: str):
 
     # Context strip
     sym = ticker.upper()
-    name = (info.get("longName") or info.get("shortName") or sym) if info else sym
+    name = _h((info.get("longName") or info.get("shortName") or sym) if info else sym)
     price = get_latest_price(ticker)
     prev_close = (info.get("previousClose") if info else None)
     if price and prev_close and prev_close > 0:
@@ -3823,7 +3825,7 @@ def _render_earnings_history(ticker: str):
         chg_str, chg_cls = "—", ""
     _XMAP = {"NYQ": "NYSE", "NMS": "NASDAQ", "NGM": "NASDAQ", "NCM": "NASDAQ", "ASE": "AMEX"}
     raw_x = (info.get("exchange", "") if info else "") or ""
-    exchange = _XMAP.get(raw_x, raw_x) or "—"
+    exchange = _h(_XMAP.get(raw_x, raw_x) or "—")
     price_str = f"${price:.2f}" if price else "—"
 
     ctx_html = (
@@ -3838,7 +3840,7 @@ def _render_earnings_history(ticker: str):
         '</div></div>'
     )
 
-    next_date_str = next_date if next_date else "Not scheduled"
+    next_date_str = _h(next_date if next_date else "Not scheduled")
     med_surp_str = (f"{med_surprise * 100:+.1f}%" if med_surprise is not None else "—")
 
     lede_html = (
@@ -4060,7 +4062,6 @@ _KH_CSS = """<style>
 
 
 def _render_historical_ratios(ticker: str):
-    import json as _json
     info = get_company_info(ticker)
     hist_rows = get_historical_ratios(ticker, limit=10)
     if not hist_rows:
@@ -4110,16 +4111,16 @@ def _render_historical_ratios(ticker: str):
     else:
         chg_str, chg_cls = "—", ""
     sym = ticker.upper()
-    name = (info.get("longName") or info.get("shortName") or sym) if info else sym
+    name = _h((info.get("longName") or info.get("shortName") or sym) if info else sym)
     _XMAP = {"NYQ": "NYSE", "NMS": "NASDAQ", "NGM": "NASDAQ", "NCM": "NASDAQ", "ASE": "AMEX"}
     raw_x = (info.get("exchange", "") if info else "") or ""
-    exchange = _XMAP.get(raw_x, raw_x) or "—"
+    exchange = _h(_XMAP.get(raw_x, raw_x) or "—")
     price_str = f"${price:.2f}" if price else "—"
     n_periods = len(periods)
     n_rows = len(series_data)
     n_groups = len({s["group"] for s in series_data})
     total_height = 48 + 24 + 180 + 24 + 420 + 24 + (68 + n_groups * 50 + n_rows * 42) + 24 + 60 + 60
-    data_json = _json.dumps({"periods": periods, "series": series_data})
+    data_json = json_for_script({"periods": periods, "series": series_data})
     ctx_html = (
         f'<div class="val-ctx">'
         f'<span class="sym">{sym}</span>'
@@ -4396,7 +4397,6 @@ table.fe-table td:first-child{text-align:left;color:var(--fg-1);font-weight:500}
 
 
 def _render_forward_estimates(ticker: str):
-    import json as _json
 
     with st.spinner("Loading forward estimates…"):
         estimates = get_analyst_estimates(ticker)
@@ -4562,7 +4562,7 @@ def _render_forward_estimates(ticker: str):
     # Context strip
     info = get_company_info(ticker)
     sym = ticker.upper()
-    name = (info.get("longName") or info.get("shortName") or sym) if info else sym
+    name = _h((info.get("longName") or info.get("shortName") or sym) if info else sym)
     price = get_latest_price(ticker)
     prev_close = (info.get("previousClose") if info else None)
     if price and prev_close and prev_close > 0:
@@ -4573,7 +4573,7 @@ def _render_forward_estimates(ticker: str):
         chg_str, chg_cls = "—", ""
     _XMAP = {"NYQ": "NYSE", "NMS": "NASDAQ", "NGM": "NASDAQ", "NCM": "NASDAQ", "ASE": "AMEX"}
     raw_x = (info.get("exchange", "") if info else "") or ""
-    exchange = _XMAP.get(raw_x, raw_x) or "—"
+    exchange = _h(_XMAP.get(raw_x, raw_x) or "—")
     price_str = f"${price:.2f}" if price else "—"
 
     ctx_html = (
@@ -4702,7 +4702,7 @@ def _render_forward_estimates(ticker: str):
     )
 
     js = (
-        "const D=" + _json.dumps(chart_data) + ";\n"
+        "const D=" + json_for_script(chart_data) + ";\n"
         "function showTab(tab,el){"
         "document.querySelectorAll('.tab-pill').forEach(function(b){"
         "b.className='tab-pill '+(b===el?'active':'inactive');"
@@ -4779,4 +4779,3 @@ def _render_forward_estimates(ticker: str):
 
     height = 1320 + len(annual_rows) * 50
     components.html(doc, height=height, scrolling=False)
-
-- 
cgit v1.3-2-g0d8e