From 3bfb8de17afce366a8f55fa69b6f709a9a9e3693 Mon Sep 17 00:00:00 2001
From: Beverly Nguyen
Date: Wed, 5 Nov 2025 15:27:05 -0800
Subject: [PATCH] adding escaping

---
 app/main/views/organizations.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/app/main/views/organizations.py b/app/main/views/organizations.py
index 4e493a55d..4feb387d3 100644
--- a/app/main/views/organizations.py
+++ b/app/main/views/organizations.py
@@ -14,6 +14,7 @@ from flask import (
     url_for,
 )
 from flask_login import current_user
+from markupsafe import escape
 
 from app import current_organization, org_invite_api_client, organizations_client
 from app.enums import OrganizationType
@@ -171,12 +172,12 @@ def _handle_edit_service(org_id, service_id):
     return {
         "id": service.id,
         "name": (
-            request.form.get("service_name", "").strip()
+            escape(request.form.get("service_name", "").strip())
             if request.method == "POST"
             else service.name
         ),
         "primary_contact": (
-            request.form.get("primary_contact", "").strip()
+            escape(request.form.get("primary_contact", "").strip())
             if request.method == "POST"
             else (service.billing_contact_email_addresses or "")
         ),
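Review bot: Wrapping the `service_name` and `primary_contact` form values in `escape()` inside `_handle_edit_service` encodes HTML entities into the data itself instead of at render time, so a name containing `&` or `'` becomes `&amp;` / `&#39;` in the returned record, would be double-escaped by Jinja2 autoescaping if rendered in a template, and is wrong for any non-HTML consumer of the same field (JSON, email). `escape()` also returns a `markupsafe.Markup` rather than `str`, so the POST branch and the `service.name` / `billing_contact_email_addresses` fallbacks now yield different types for the same key. If this is meant to close an XSS finding, the place that renders these values without escaping (a `|safe` filter or `Markup()` call in the template or response) is where the fix belongs; keep `request.form.get("service_name", "").strip()` here and add input validation instead (a length limit, and an email-format check for `primary_contact`). The return dict and `_handle_edit_service` begin before and end after this hunk, and the consumer of the returned dict is not visible, so whether it is persisted or rendered directly is inferred.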