From eaa6b33b8e831aac109ac0229cdd1fa5afa22d02 Mon Sep 17 00:00:00 2001
From: graham-dds
Date: Tue, 7 Jan 2020 15:25:55 -0500
Subject: [PATCH 1/2] Add js lib function for escaping HTML
---
 js/lib/__tests__/escape.test.js | 21 +++++++++++++++++++++
 js/lib/escape.js | 20 ++++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 js/lib/__tests__/escape.test.js
 create mode 100644 js/lib/escape.js
diff --git a/js/lib/__tests__/escape.test.js b/js/lib/__tests__/escape.test.js
new file mode 100644
index 00000000..9dc2d5fe
--- /dev/null
+++ b/js/lib/__tests__/escape.test.js
@@ -0,0 +1,21 @@
+import escape from '../escape'
+describe('escape', () => {
+ const htmlEscapes = {
+ '&': '&',
+ '<': '<',
+ '>': '>',
+ '"': '"',
+ "'": ''',
+ '/': '/',
+ }
+ it('should escape each character', () => {
+ for (let [char, escapedChar] of Object.entries(htmlEscapes)) {
+ expect(escape(char)).toBe(escapedChar)
+ }
+ })
+ it('should escape multiple characters', () => {
+ expect(escape('& and < and > and " and \' and /')).toBe(
+ '& and < and > and " and ' and /'
+ )
+ })
+})
diff --git a/js/lib/escape.js b/js/lib/escape.js
new file mode 100644
index 00000000..b72103c4
--- /dev/null
+++ b/js/lib/escape.js
@@ -0,0 +1,20 @@
+// https://stackoverflow.com/a/6020820
+
+// List of HTML entities for escaping.
+const htmlEscapes = {
+ '&': '&',
+ '<': '<',
+ '>': '>',
+ '"': '"',
+ "'": ''',
+ '/': '/',
+}
+
+const htmlEscaper = /[&<>"'\/]/g
+
+// Escape a string for HTML interpolation.
+const escape = string => {
+ return ('' + string).replace(htmlEscaper, match => htmlEscapes[match])
+}
+
+export default escape
From c02bb8518ee9f53eae7b48a7742ece0e3e960238 Mon Sep 17 00:00:00 2001
From: graham-dds
Date: Tue, 7 Jan 2020 15:34:31 -0500
Subject: [PATCH 2/2] Escape html chanacters, if any, in CLIN number
---
 js/components/clin_fields.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
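Review bot: The expected values in the test's `htmlEscapes` table read identically to their keys as shown here (`'&': '&'`), which would turn every `expect(escape(char)).toBe(escapedChar)` into a no-op assertion; this is most likely entity references decoded by whatever rendered the patch (the same decoded table appears in the js/lib/escape.js hunk below), but the committed file should be checked to confirm it holds the escaped forms. The suite also never exercises the coercion path in `escape()` — `escape(undefined)`, `escape(null)` — nor a string with no escapable characters, so a regression in either would pass silently; a third `it` with `expect(escape('plain')).toBe('plain')` would pin the latter. Style: `for (let [char, escapedChar] ...)` never reassigns its bindings, so `const` matches the declaration used elsewhere in the file.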
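Review bot: The exported `escape` does not document the context it is safe for: the six-character table and its regex `/[&<>"'\/]/g` cover HTML text and quoted attribute values only, not JavaScript, URL or CSS contexts, and a caller picking the helper out of js/lib cannot tell that from `// Escape a string for HTML interpolation.` A JSDoc header on the function should state that scope, with `@param {*} string - coerced with String(); null/undefined become the literal text "null"/"undefined"` and `@returns {string}`. That coercion on the `('' + string)` line is itself worth a second look: if a caller can pass an absent value, `escape(null) === 'null'` is unlikely to be the wanted output, and `(string == null ? '' : String(string))` would yield an empty string instead. The `\/` inside the character class needs no backslash; `/[&<>"']/g` with a plain `/` reads the same to the engine.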
diff --git a/js/components/clin_fields.js b/js/components/clin_fields.js
index 327bedf0..59d6c8c9 100644
--- a/js/components/clin_fields.js
+++ b/js/components/clin_fields.js
@@ -1,4 +1,5 @@
 import { emitFieldChange } from '../lib/emitters'
+import escape from '../lib/escape'
 import optionsinput from './options_input'
 import textinput from './text_input'
 import clindollaramount from './clin_dollar_amount'
@@ -99,7 +100,7 @@ export default {
 computed: {
 clinTitle: function() {
 if (!!this.clinNumber) {
- return `CLIN ${this.clinNumber}`
+ return escape(`CLIN ${this.clinNumber}`)
 } else {
 return `CLIN`
 }
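Review bot: Escaping inside the `clinTitle` computed property (this appears to be a Vue component, from `computed:` and `this.clinNumber`) is only correct if the template inserts the value through a raw-HTML sink such as `v-html`; if it is bound with `{{ clinTitle }}` or `v-text`, the framework already escapes on output and a CLIN number containing `&` or `<` would render as `&amp;`/`&lt;`. The hunk does not show the template, so that cannot be confirmed here; either way a comment naming the sink belongs above the return, e.g. `// Pre-escaped because the template renders clinTitle via v-html (confirm); with {{ }} this double-encodes.` Escaping at the sink, or constraining the characters accepted into clinNumber on input, would keep the computed value reusable for non-HTML consumers such as request payloads. The `!!` in `if (!!this.clinNumber)` is redundant inside a conditional. The enclosing `export default {` component object and its `computed` block begin before this hunk and continue past it.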