sanitize the case urn

Author: duncancrawford

build.gradle

@@ -226,7 +226,7 @@ dependencies {
 
   implementation group: 'io.rest-assured', name: 'rest-assured', version: '5.5.5'
   implementation 'org.hibernate.validator:hibernate-validator:9.0.0.Final'
-  implementation 'org.apache.commons:commons-lang3:3.17.0'
+  implementation 'org.apache.commons:commons-text:1.13.1'
 
   compileOnly group: 'org.projectlombok', name: 'lombok', version: lombokVersion
   annotationProcessor group: 'org.projectlombok', name: 'lombok', version: lombokVersion

src/main/java/uk/gov/hmcts/cp/controllers/CourtScheduleController.java

@@ -1,5 +1,6 @@
 package uk.gov.hmcts.cp.controllers;
 
+import org.apache.commons.text.StringEscapeUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpStatus;
@@ -21,15 +22,21 @@ public CourtScheduleController(CourtScheduleService courtScheduleService) {
 
     @Override
     public ResponseEntity<CourtScheduleResponse> getCourtScheduleByCaseUrn(String caseUrn) {
+        String sanitizedCaseUrn;
         CourtScheduleResponse courtScheduleResponse;
         try {
-            courtScheduleResponse = courtScheduleService.getCourtScheduleResponse(caseUrn);
+            sanitizedCaseUrn = sanitizeCaseUrn(caseUrn);
+            courtScheduleResponse = courtScheduleService.getCourtScheduleResponse(sanitizedCaseUrn);
         } catch (ResponseStatusException e) {
             log.error(e.getMessage());
             return ResponseEntity.status(e.getStatusCode()).build();
         }
-        log.debug("getCourtScheduleByCaseUrn: {}", caseUrn);
+        log.debug("Found court schedule for caseUrn: {}", sanitizedCaseUrn);
         return new ResponseEntity<>(courtScheduleResponse, HttpStatus.OK);
     }
 
+    private String sanitizeCaseUrn(String urn) {
+        if (urn == null) throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "caseUrn is required");;
+        return StringEscapeUtils.escapeHtml4(urn);
+    }
 }