From ba757fbc0053b1788aec267f3b88de4f0c3c84d6 Mon Sep 17 00:00:00 2001
From: Mehdi <10160868+mbiuki@users.noreply.github.com>
Date: Fri, 18 Oct 2024 11:50:51 -0400
Subject: [PATCH 1/5] Create semgrep.test.js

This is a test to experiment comment mode for Semgrep onboarding.
---
 semgrep.test.js | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 semgrep.test.js

diff --git a/semgrep.test.js b/semgrep.test.js
new file mode 100644
index 000000000000..88240bd0342a
--- /dev/null
+++ b/semgrep.test.js
@@ -0,0 +1,27 @@
+const el = element.innerHTML;
+
+function bad1(userInput) {
+// ruleid: insecure-document-method
+ el.innerHTML = '
' + userInput + '
';
+}
+
+function bad2(userInput) {
+// ruleid: insecure-document-method
+ document.body.outerHTML = userInput;
+}
+
+function bad3(userInput) {
+ const name = '
' + userInput + '
';
+// ruleid: insecure-document-method
+ document.write(name);
+}
+
+function ok1() {
+ const name = "
it's ok
";
+// ok: insecure-document-method
+ el.innerHTML = name;
+}
+
+function ok2() {
+// ok: insecure-document-method
+ documen

From 3504596e417bf1ad433f9d53eb079766db5444e0 Mon Sep 17 00:00:00 2001
From: Mehdi <10160868+mbiuki@users.noreply.github.com>
Date: Fri, 18 Oct 2024 11:59:32 -0400
Subject: [PATCH 2/5] Update semgrep.test.js

fixing code
---
 semgrep.test.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/semgrep.test.js b/semgrep.test.js
index 88240bd0342a..83138466bddc 100644
--- a/semgrep.test.js
+++ b/semgrep.test.js
@@ -24,4 +24,5 @@ function ok1() {
 function ok2() {
 // ok: insecure-document-method
- documen
+ document.write("
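Review bot: `const el = element.innerHTML;` on the first added line binds `el` to a string (and `element` is never declared anywhere in the file), so the later `el.innerHTML = ...` assignments in `bad1` and `ok1` set a property on a string primitive rather than on a DOM node. If the fixture is meant to be executable as well as scannable, bind it to a real node, e.g. `const el = document.body;`. The `ok1` case stays safe only as long as `name` remains a constant literal, which is worth a short comment on that line so a later edit does not quietly turn the "ok" case into a finding.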
it's ok
");
+}

From 27d56226a945dcb58e5a8f96598c0f5d59984b65 Mon Sep 17 00:00:00 2001
From: Mehdi <10160868+mbiuki@users.noreply.github.com>
Date: Fri, 18 Oct 2024 12:04:12 -0400
Subject: [PATCH 3/5] Update semgrep.test.js

Co-authored-by: semgrep-code-dotcms-test[bot] <183154938+semgrep-code-dotcms-test[bot]@users.noreply.github.com>
---
 semgrep.test.js | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/semgrep.test.js b/semgrep.test.js
index 83138466bddc..4960ed2560c9 100644
--- a/semgrep.test.js
+++ b/semgrep.test.js
@@ -13,7 +13,16 @@ function bad2(userInput) {
 function bad3(userInput) {
 const name = '
' + userInput + '
';
 // ruleid: insecure-document-method
- document.write(name);
+ // Import DOMPurify to sanitize user input
+ const DOMPurify = require('dompurify');
+
+ function bad3(userInput) {
+ // Sanitize the user input to prevent XSS
+ const sanitizedInput = DOMPurify.sanitize('
' + userInput + '
');
+
+ // Use document.write with sanitized input
+ document.write(sanitizedInput);
+ }
 }
 function ok1() {

From 0216aed5e1bf9111df2c6fc44d90537be7588d1a Mon Sep 17 00:00:00 2001
From: Mehdi <10160868+mbiuki@users.noreply.github.com>
Date: Fri, 18 Oct 2024 12:04:39 -0400
Subject: [PATCH 4/5] Update semgrep.test.js

Co-authored-by: semgrep-code-dotcms-test[bot] <183154938+semgrep-code-dotcms-test[bot]@users.noreply.github.com>
---
 semgrep.test.js | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/semgrep.test.js b/semgrep.test.js
index 4960ed2560c9..c4cd49fdbd78 100644
--- a/semgrep.test.js
+++ b/semgrep.test.js
@@ -7,7 +7,19 @@ function bad1(userInput) {
 function bad2(userInput) {
 // ruleid: insecure-document-method
- document.body.outerHTML = userInput;
+ // Import jsdom at the top of your file
+ const { JSDOM } = require('jsdom');
+
+ function bad2(userInput) {
+ // Create a new JSDOM instance
+ const dom = new JSDOM('');
+ const document = dom.window.document;
+
+ // Safely set the content by creating a new element and setting its text content
+ const newElement = document.createElement('div');
+ newElement.textContent = userInput;
+ document.body.appendChild(newElement);
+ }
 }
 function bad3(userInput) {

From 20c27907a0d225aab7c681c8b645c2c539d02958 Mon Sep 17 00:00:00 2001
From: Mehdi <10160868+mbiuki@users.noreply.github.com>
Date: Fri, 18 Oct 2024 12:04:55 -0400
Subject: [PATCH 5/5] Update semgrep.test.js

Co-authored-by: semgrep-code-dotcms-test[bot] <183154938+semgrep-code-dotcms-test[bot]@users.noreply.github.com>
---
 semgrep.test.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/semgrep.test.js b/semgrep.test.js
index c4cd49fdbd78..79c8b3149849 100644
--- a/semgrep.test.js
+++ b/semgrep.test.js
@@ -2,7 +2,14 @@ const el = element.innerHTML;
 function bad1(userInput) {
 // ruleid: insecure-document-method
- el.innerHTML = '
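Review bot: The `function bad3(userInput)` added inside the existing `bad3` is declared but never invoked, so the outer `bad3` now returns without sanitizing or writing anything — the `DOMPurify.sanitize(...)` call and `document.write(sanitizedInput);` are dead code. The same nest-and-never-call shape is introduced for `bad2` in the PATCH 4/5 hunk and for `bad1` in the PATCH 5/5 hunk. Drop the inner declaration and keep its two statements directly in the outer function, and move `const DOMPurify = require('dompurify');` to module scope — a `require` inside a function in browser-side code is undefined unless the file goes through a bundler. The `// ruleid: insecure-document-method` marker is kept as context above code that no longer calls the flagged sink; if the file is still a rule-test fixture, as the `ruleid`/`ok` annotations suggest, that marker presumably needs updating to match the new expectation.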
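Review bot: The `document` used in the inner `bad2` is the one taken from `new JSDOM('')`, an in-memory document that shadows the page's global, so `document.body.appendChild(newElement)` would mutate the jsdom tree and leave the real page untouched even if the inner function were ever called. For a safe replacement of the removed `document.body.outerHTML = userInput;`, jsdom is not needed: `const newElement = document.createElement('div'); newElement.textContent = userInput; document.body.appendChild(newElement);` against the page's own `document` is sufficient and keeps `userInput` as text rather than markup. Note also that `outerHTML` replaced the whole body whereas `appendChild` adds to it, so the behaviour differs; that is acceptable for a fixture, but it should be a deliberate choice.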
' + userInput + '
';
+ const { JSDOM } = require('jsdom');
+
+ function bad1(userInput) {
+ const dom = new JSDOM('');
+ const safeElement = dom.window.document.createElement('div');
+ safeElement.textContent = userInput;
+ el.appendChild(safeElement);
+ }
 }
 function bad2(userInput) {
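Review bot: `el.appendChild(safeElement)` cannot work: `el` is initialised as `element.innerHTML` on line 1 of the file, which is a string rather than a node, so the call would throw a TypeError if it were ever reached (it is not, because the inner `bad1` is declared but never called, as already noted on the PATCH 3/5 hunk). `safeElement` is also created from the jsdom window's document rather than the page's `document`, so it belongs to a different DOM tree than the one the page renders. The intended safe form needs neither jsdom nor a nested function: `const safeElement = document.createElement('div'); safeElement.textContent = userInput; el.appendChild(safeElement);`, with `el` bound to an actual element.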