From bab0e6a27fbf6f768f43cec7996fa5de39951dd8 Mon Sep 17 00:00:00 2001
From: Anastasia Gradova
Date: Thu, 24 Oct 2024 15:14:40 -0600
Subject: [PATCH 1/2] Updated check-ueid.js to handle html elements safely to prevent xss
---
 backend/static/js/check-ueid.js | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)
diff --git a/backend/static/js/check-ueid.js b/backend/static/js/check-ueid.js
index 1f6841e279..a5accd1f9b 100644
--- a/backend/static/js/check-ueid.js
+++ b/backend/static/js/check-ueid.js
@@ -43,15 +43,24 @@ function showValidUeiInfo() {
 const auditeeUei = document.getElementById('auditee_uei').value;
 const auditeeName = document.getElementById('auditee_name');
 const ueiInfoEl = document.createElement('div');
-
- ueiInfoEl.innerHTML = `
-
-
Unique Entity ID
-
${auditeeUei}
-
Auditee name
-
${auditeeName.value}
-
- `;
+ const dl = document.createElement('dl');
+ const dtUei = document.createElement('dt');
+ const ddUei = document.createElement('dd');
+ const dtName = document.createElement('dt');
+ const ddName = document.createElement('dd');
+
+ dl.setAttribute('data-testid', 'uei-info');
+ dtUei.textContent = 'Unique Entity ID';
+ ddUei.textContent = auditeeUei;
+ dtName.textContent = 'Auditee name';
+ ddName.textContent = auditeeName.value;
+
+ dl.appendChild(dtUei);
+ dl.appendChild(ddUei);
+ dl.appendChild(dtName);
+ dl.appendChild(ddName);
+
+ ueiInfoEl.appendChild(dl);
 auditeeName.removeAttribute('disabled');
 auditeeName.parentNode.setAttribute('hidden', 'hidden');
From 70fe3854aaa4aa128668c240051ed6b49c4be8d0 Mon Sep 17 00:00:00 2001
From: Anastasia Gradova
Date: Wed, 15 Jan 2025 13:23:56 -0700
Subject: [PATCH 2/2] Adjusted js construction per comment in PR
---
 backend/static/js/check-ueid.js | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)
diff --git a/backend/static/js/check-ueid.js b/backend/static/js/check-ueid.js
index a5accd1f9b..77b382a31e 100644
--- a/backend/static/js/check-ueid.js
+++ b/backend/static/js/check-ueid.js
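Review bot: The reason the `<dl>` is now built node by node is recorded only in the commit title, not in the code, so a later edit could drift back to a template string without noticing what it undoes. Suggest a one-line comment above the first `document.createElement('dl')` in this hunk: `// Build with createElement/textContent so auditeeUei and auditeeName.value (read from form inputs) are rendered as text and never parsed as HTML.` The same comment belongs on the rewritten form in the second patch of this series, which replaces this hunk. showValidUeiInfo continues outside the hunk.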
@@ -43,23 +43,20 @@ function showValidUeiInfo() {
 const auditeeUei = document.getElementById('auditee_uei').value;
 const auditeeName = document.getElementById('auditee_name');
 const ueiInfoEl = document.createElement('div');
- const dl = document.createElement('dl');
- const dtUei = document.createElement('dt');
- const ddUei = document.createElement('dd');
- const dtName = document.createElement('dt');
- const ddName = document.createElement('dd');
-
+ let dl; let dtUei; let ddUei; let dtName; let ddName;
+ dl = document.createElement('dl');
+ dtUei = document.createElement('dt');
+ ddUei = document.createElement('dd');
+ dtName = document.createElement('dt');
+ ddName = document.createElement('dd');
+
 dl.setAttribute('data-testid', 'uei-info');
 dtUei.textContent = 'Unique Entity ID';
 ddUei.textContent = auditeeUei;
 dtName.textContent = 'Auditee name';
 ddName.textContent = auditeeName.value;
- dl.appendChild(dtUei);
- dl.appendChild(ddUei);
- dl.appendChild(dtName);
- dl.appendChild(ddName);
-
+ dl.append(dtUei,ddUei,dtName,ddName);
 ueiInfoEl.appendChild(dl);
 auditeeName.removeAttribute('disabled');
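Review bot: The five-declaration `let` line followed by five separate assignments is a step back from the `const` form this patch removes: each element is created exactly once and never reassigned, so `const dl = document.createElement('dl');` (and likewise for dtUei, ddUei, dtName, ddName) is both shorter and prevents an accidental later reassignment. The `dl.append(dtUei,ddUei,dtName,ddName);` call should also be spaced as `dl.append(dtUei, ddUei, dtName, ddName);` to match the rest of the file's formatting. The `textContent` assignments for `auditeeUei` and `auditeeName.value` are the right sink here since both come from form inputs; if the removed template string carried CSS classes on the `<dl>`/`<dt>`/`<dd>` elements, note that only `data-testid` is set now, which is worth verifying against the rendered page. showValidUeiInfo continues outside the hunk.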