Updated check-ueid.js to handle html elements

safely to prevent xss
GSA-TTS · Oct 24, 2024 · bab0e6a · bab0e6a
1 parent f50d9cc
commit bab0e6a
Showing 1 changed file with 18 additions and 9 deletions.
diff --git a/backend/static/js/check-ueid.js b/backend/static/js/check-ueid.js
@@ -43,15 +43,24 @@ function showValidUeiInfo() {
   const auditeeUei = document.getElementById('auditee_uei').value;
   const auditeeName = document.getElementById('auditee_name');
   const ueiInfoEl = document.createElement('div');
-
-  ueiInfoEl.innerHTML = `
-    <dl data-testid="uei-info">
-      <dt>Unique Entity ID</dt>
-      <dd>${auditeeUei}</dd>
-      <dt>Auditee name</dt>
-      <dd>${auditeeName.value}</dd>
-    </dl>
-  `;
+  const dl = document.createElement('dl');
+  const dtUei = document.createElement('dt');
+  const ddUei = document.createElement('dd');
+  const dtName = document.createElement('dt');
+  const ddName = document.createElement('dd');
+
+  dl.setAttribute('data-testid', 'uei-info');
+  dtUei.textContent = 'Unique Entity ID';
+  ddUei.textContent = auditeeUei;
+  dtName.textContent = 'Auditee name';
+  ddName.textContent = auditeeName.value;
+
+  dl.appendChild(dtUei);
+  dl.appendChild(ddUei);
+  dl.appendChild(dtName);
+  dl.appendChild(ddName);
+
+  ueiInfoEl.appendChild(dl);
 
   auditeeName.removeAttribute('disabled');
   auditeeName.parentNode.setAttribute('hidden', 'hidden');