From ad229b5a35c07c8afb8345a2f097ee297965dd0f Mon Sep 17 00:00:00 2001
From: Rohit Kandimalla
Date: Wed, 1 Nov 2023 15:03:44 -0400
Subject: [PATCH] MAT-6307 escaping html chars from library resource during HR generation

---
 .../services/HumanReadableService.java | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/src/main/java/gov/cms/madie/madiefhirservice/services/HumanReadableService.java b/src/main/java/gov/cms/madie/madiefhirservice/services/HumanReadableService.java
index 6416a0b6..cb39e93f 100644
--- a/src/main/java/gov/cms/madie/madiefhirservice/services/HumanReadableService.java
+++ b/src/main/java/gov/cms/madie/madiefhirservice/services/HumanReadableService.java
@@ -3,6 +3,7 @@ import static org.springframework.web.util.HtmlUtils.htmlEscape;
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.Comparator;
 import java.util.List;
 
@@ -270,6 +271,8 @@ public String generateLibraryHumanReadable(Library library) {
     var versionConvertor_40_50 = new VersionConvertor_40_50(new BaseAdvisor_40_50());
     org.hl7.fhir.r5.model.Library r5Library =
         (org.hl7.fhir.r5.model.Library) versionConvertor_40_50.convertResource(library);
+    // escape html
+    escapeLibrary(r5Library);
     String template = getData("/templates/Library.liquid");
     try {
       LiquidEngine.LiquidDocument doc = liquidEngine.parse(template, "libray-hr");
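Review bot: The comment `// escape html` above the new `escapeLibrary(r5Library)` call restates the next line instead of saying why it is there; a why-comment such as `// Escape HTML in the converted R5 copy so library text cannot inject markup into the rendered human-readable` would carry more for a maintainer. It is also worth stating that the escaping is applied to the converted copy rather than the caller's `library`, since `escapeLibrary` mutates its argument in place (its body is in a later hunk of this patch). The rest of `generateLibraryHumanReadable` lies outside this hunk.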
@@ -281,6 +284,40 @@ public String generateLibraryHumanReadable(Library library) {
     }
   }
 
+  private void escapeLibrary(org.hl7.fhir.r5.model.Library r5Library) {
+    r5Library.setTitle(escapeStr(r5Library.getTitle()));
+    r5Library.setSubtitle(escapeStr(r5Library.getSubtitle()));
+    r5Library.setPublisher(escapeStr(r5Library.getPublisher()));
+    r5Library.setDescription(escapeStr(r5Library.getDescription()));
+    r5Library.setPurpose(escapeStr(r5Library.getPurpose()));
+    r5Library.setUsage(escapeStr(r5Library.getUsage()));
+    r5Library.setCopyright(escapeStr(r5Library.getCopyright()));
+
+    r5Library
+        .getRelatedArtifact()
+        .forEach(
+            relatedArtifact -> relatedArtifact.setDisplay(escapeStr(relatedArtifact.getDisplay())));
+    r5Library
+        .getDataRequirement()
+        .forEach(
+            dataRequirement ->
+                dataRequirement
+                    .getCodeFilter()
+                    .forEach(
+                        cf ->
+                            cf.getCode()
+                                .forEach(
+                                    coding -> coding.setDisplay(escapeStr(coding.getDisplay()))))));
+
+    r5Library.setContent(
+        r5Library.getContent().stream()
+            .filter(content -> content.getContentType().equalsIgnoreCase("text/cql"))
+            .map(
+                content ->
+                    content.setData(escapeStr(Arrays.toString(content.getData())).getBytes()))
+            .collect(Collectors.toList()));
+  }
+
   private Extension createEffectiveDataRequirementExtension() {
     var extension = new Extension();
     extension.setUrl(CqfMeasures.EFFECTIVE_DATA_REQUIREMENT_URL);
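Review bot: `Arrays.toString(content.getData())` in the `setContent` stream does not decode the attachment; it renders the byte array as a bracketed list of numbers, so after this change each text/cql attachment's data becomes the escaped text of that number list rather than the CQL source, and the trailing `getBytes()` re-encodes it in the platform default charset. The same stream replaces the content list with only the text/cql entries, silently dropping every attachment of another content type, and `content.getContentType().equalsIgnoreCase(...)` throws when an attachment has no contentType. Decoding and re-encoding with `StandardCharsets.UTF_8` (add `import java.nio.charset.StandardCharsets;`), putting the literal on the receiver side, and escaping in place instead of filtering address all three; the rewritten block is below. Whether `escapeStr` tolerates a null argument is not visible in this patch, so the title/subtitle/publisher/etc. calls rely on that; and since the escaped fields are hand-listed, any other string the Liquid template renders stays unescaped, which a comment such as `// NOTE: only fields rendered by Library.liquid are escaped here; keep this list in sync with the template` would make explicit.
```java
    // Escape only text/cql attachments, in place; attachments of any other content type are left as-is.
    r5Library
        .getContent()
        .forEach(
            content -> {
              if (content.hasData() && "text/cql".equalsIgnoreCase(content.getContentType())) {
                String cql = new String(content.getData(), StandardCharsets.UTF_8);
                content.setData(escapeStr(cql).getBytes(StandardCharsets.UTF_8));
              }
            });
```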