update function in practice_editor_utilities containing logic pertain…

…ing to file uploads for resource attachments on the implementation page adds lodash function `escape` to ensure safe encoding of chars rendered to html as filename to prevent xss vulnerability
department-of-veterans-affairs · Nov 22, 2024 · 863c97d · 863c97d
1 parent a4f3f66
commit 863c97d
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/app/assets/javascripts/practice_editor_utilities.es6 b/app/assets/javascripts/practice_editor_utilities.es6
@@ -256,7 +256,8 @@ function attachAddResourceListener(formSelector, container, sArea, sType) {
         // hide file upload so user can't upload a new file once added it is added to save queue
         if (sType === 'file') {
             let $uploadInputLabel = $(`#${container}`).find('.dm-file-upload-label')
-            $(`<div>File: ${fileName}</div>`).insertAfter($uploadInputLabel)
+            let escapedFileName = _.escape(fileName);
+            $(`<div>File: ${escapedFileName}</div>`).insertAfter($uploadInputLabel)
             $uploadInputLabel.remove();
             $(`#${container}`).find('.usa-file-input').addClass('display-none');
         }