From 863c97dfbd0c55b03b05095072a230da0d690fde Mon Sep 17 00:00:00 2001
From: PhilipDeFraties
Date: Fri, 22 Nov 2024 11:26:52 -0700
Subject: [PATCH] update function in practice_editor_utilities containing logic pertaining to file uploads for resource attachments on the implementation page adds lodash function `escape` to ensure safe encoding of chars rendered to html as filename to prevent xss vulnerability
---
 app/assets/javascripts/practice_editor_utilities.es6 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/assets/javascripts/practice_editor_utilities.es6 b/app/assets/javascripts/practice_editor_utilities.es6
index 0ca8ada23..a0620825c 100644
--- a/app/assets/javascripts/practice_editor_utilities.es6
+++ b/app/assets/javascripts/practice_editor_utilities.es6
@@ -256,7 +256,8 @@ function attachAddResourceListener(formSelector, container, sArea, sType) {
 // hide file upload so user can't upload a new file once added it is added to save queue
 if (sType === 'file') {
 let $uploadInputLabel = $(`#${container}`).find('.dm-file-upload-label')
- $(`
File: ${fileName}
`).insertAfter($uploadInputLabel)
+ let escapedFileName = _.escape(fileName);
+ $(`
File: ${escapedFileName}
`).insertAfter($uploadInputLabel)
 $uploadInputLabel.remove();
 $(`#${container}`).find('.usa-file-input').addClass('display-none');
 }
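Review bot: The new `_.escape(fileName)` line closes the hole at this one interpolation site, but the wrapper is still built by handing an interpolated string to `$()` for HTML parsing, so the protection depends on every future edit of this template remembering to escape; the more robust shape is to never parse the name as markup and set it as text instead, e.g. `$('<div>').addClass(/* same wrapper classes as the removed line */).text('File: ' + fileName).insertAfter($uploadInputLabel)`, which makes `_.escape` and the `escapedFileName` temporary unnecessary. The hunk does not show where `_` comes from, so please confirm lodash is actually loaded on the implementation page before this `.es6` asset runs; otherwise the fix throws a ReferenceError at the moment a file is attached. Minor: `escapedFileName` is never reassigned, so `const` fits better than `let`. The enclosing `attachAddResourceListener` starts before this hunk, so whether `fileName` comes from the user's own `File.name` or from a server-supplied value cannot be verified here; if it is only the former, this is self-XSS, but the escape is still the right call.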