From c6f5f154b0baa3fc6c5d9285839d468d83c1dbda Mon Sep 17 00:00:00 2001
From: Manny Dinssa <44172848+Dinssa@users.noreply.github.com>
Date: Mon, 16 Sep 2024 15:59:38 +0100
Subject: [PATCH] Sanitise name and use html safe

---
 app/helpers/application_helper.rb | 7 +++++++
 app/helpers/title_helper.rb | 7 ++++---
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 01f7734c2..01614902e 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -31,6 +31,13 @@ module ApplicationHelper
     !current_page?(notifications_path) && (authenticated_user_has_notifications? || unauthenticated_user_has_notifications?)
   end
 
+  def sanitise_text(text)
+    return if text.blank?
+
+    text.gsub(/[^a-zA-Z0-9\s\-\_\'\&]/, "")
+    text.html_safe
+  end
+
   private
 
   def paginated_title(title, pagy)
diff --git a/app/helpers/title_helper.rb b/app/helpers/title_helper.rb
index 25dcbc30c..cc605cc28 100644
--- a/app/helpers/title_helper.rb
+++ b/app/helpers/title_helper.rb
@@ -4,11 +4,12 @@ module TitleHelper
   end
 
   def format_title(searched, page_title, current_user, item_label, count, organisation_name)
+    sanitised_organisation_name = sanitise_text(organisation_name)
     if searched.present?
-      actual_title = support_sab_nav?(current_user, organisation_name) ? organisation_name : page_title
-      "#{actual_title} (#{count} #{item_label} matching ‘#{searched}’)"
+      actual_title = support_sab_nav?(current_user, organisation_name) ? sanitised_organisation_name : page_title
+      "#{actual_title} (#{count} #{item_label} matching ‘#{searched}’)".html_safe
     else
-      support_sab_nav?(current_user, organisation_name) ? "#{organisation_name} (#{page_title})" : page_title
+      support_sab_nav?(current_user, organisation_name) ? "#{sanitised_organisation_name} (#{page_title})".html_safe : page_title.html_safe
     end
   end
 
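Review bot: In `sanitise_text` the result of the `text.gsub(...)` line is discarded, because `String#gsub` returns a new string and does not mutate `text`, so the following `text.html_safe` marks the unfiltered input as trusted HTML and the allowlist never takes effect; any `<`, `>` or `"` in an organisation name then bypasses Rails' auto-escaping wherever the return value is rendered. The one-line fix is `text.gsub(/[^a-zA-Z0-9\s\-\_\'\&]/, "").html_safe` (or `gsub!`), but since the only visible caller just interpolates the result into a string, dropping `.html_safe` entirely and returning a plain string that the view escapes is the safer shape. Note that `&` and `'` stay in the allowlist, so even the corrected output is not safe to place unescaped inside a single-quoted HTML attribute. A unit test such as `sanitise_text("<b>x</b>") == "bx"` would have caught the discarded result.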
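Review bot: The `.html_safe` calls added to both branches of `format_title` mark strings that interpolate `searched` and `page_title` as trusted HTML, which switches off Rails' output escaping for the search term — a user-controlled value that is never passed through `sanitise_text` — so a query containing `</title><script>…` becomes reflected XSS wherever the title is rendered with `<%= %>`. Only `organisation_name` is filtered here, and as written in the sibling hunk that filter's result is discarded anyway, so nothing in this change actually neutralises attacker-controlled input. I would remove `.html_safe` from all three places and return plain strings (the view escapes them on output), or, if a SafeBuffer is genuinely required by the caller, build it with `safe_join([actual_title, " (#{count} #{item_label} matching ‘", searched, "’)"])` so each interpolated piece is escaped individually. Whichever option is taken, a request spec asserting that `?search=<script>` is rendered escaped in the page title would pin the fix.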