From 10bbac5e11e795645ec02589b6b36b7ab2a23299 Mon Sep 17 00:00:00 2001
From: PhilipDeFraties
Date: Fri, 22 Nov 2024 15:12:15 -0700
Subject: [PATCH] update innovation show page js function setMoreLessHTML to properly escape potentially harmful chars to prevent xss vulnerability
---
 app/assets/javascripts/practice_page.es6 | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/app/assets/javascripts/practice_page.es6 b/app/assets/javascripts/practice_page.es6
index d928f3900..704c59873 100644
--- a/app/assets/javascripts/practice_page.es6
+++ b/app/assets/javascripts/practice_page.es6
@@ -56,14 +56,11 @@
 const moreText = 'See more';
 const lessText = 'See less';
 let t = $(element).text();
- let firstHalf = `${t.slice(
- 0,
- showChar
- )}${ellipsesText} `;
- let secondHalf = `${t.slice(
- showChar,
- t.length
- )} `;
+ let firstHalf = `${_.escape(t.slice(0, showChar))}${ellipsesText}
+ `;
+ let secondHalf = `${_.escape(t.slice(showChar, t.length))}
+ `;
+ if (t.length < showChar) return;
 $(element).html(firstHalf + secondHalf);