From bab0e6a27fbf6f768f43cec7996fa5de39951dd8 Mon Sep 17 00:00:00 2001
From: Anastasia Gradova
Date: Thu, 24 Oct 2024 15:14:40 -0600
Subject: [PATCH] Updated check-ueid.js to handle html elements safely to prevent xss

---
 backend/static/js/check-ueid.js | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)

diff --git a/backend/static/js/check-ueid.js b/backend/static/js/check-ueid.js
index 1f6841e279..a5accd1f9b 100644
--- a/backend/static/js/check-ueid.js
+++ b/backend/static/js/check-ueid.js
@@ -43,15 +43,24 @@ function showValidUeiInfo() {
   const auditeeUei = document.getElementById('auditee_uei').value;
   const auditeeName = document.getElementById('auditee_name');
   const ueiInfoEl = document.createElement('div');
-
-  ueiInfoEl.innerHTML = `
-
-
Unique Entity ID
-
${auditeeUei}
-
Auditee name
-
${auditeeName.value}
-
-  `;
+  const dl = document.createElement('dl');
+  const dtUei = document.createElement('dt');
+  const ddUei = document.createElement('dd');
+  const dtName = document.createElement('dt');
+  const ddName = document.createElement('dd');
+
+  dl.setAttribute('data-testid', 'uei-info');
+  dtUei.textContent = 'Unique Entity ID';
+  ddUei.textContent = auditeeUei;
+  dtName.textContent = 'Auditee name';
+  ddName.textContent = auditeeName.value;
+
+  dl.appendChild(dtUei);
+  dl.appendChild(ddUei);
+  dl.appendChild(dtName);
+  dl.appendChild(ddName);
+
+  ueiInfoEl.appendChild(dl);
   auditeeName.removeAttribute('disabled');
   auditeeName.parentNode.setAttribute('hidden', 'hidden');
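Review bot: The block from `const dl = document.createElement('dl');` through `ueiInfoEl.appendChild(dl);` repeats the same create-element-then-set-textContent step four times with four separate appendChild calls; a small local helper plus a single `dl.append(...)` expresses the same DOM in half the lines and keeps the textContent discipline in one place. Nothing in the hunk records why innerHTML was abandoned, so a one-line why-comment would guard the fix against a later regression, e.g. `// textContent, never innerHTML: auditeeUei and auditeeName.value are read from form fields.`. The body of showValidUeiInfo continues past the end of the hunk.
```javascript
  const ueiInfoEl = document.createElement('div');
  // textContent, never innerHTML: auditeeUei and auditeeName.value are read from form fields.
  const textEl = (tag, text) => {
    const el = document.createElement(tag);
    el.textContent = text;
    return el;
  };
  const dl = document.createElement('dl');
  dl.setAttribute('data-testid', 'uei-info');
  dl.append(
    textEl('dt', 'Unique Entity ID'),
    textEl('dd', auditeeUei),
    textEl('dt', 'Auditee name'),
    textEl('dd', auditeeName.value),
  );
  ueiInfoEl.appendChild(dl);
  // … unchanged: enabling auditeeName and hiding its parent …
```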