Escape javascript breaking on backlash or special characters in finding title

[c-goosen]

Escape javascript breaking on backlash or special characters in finding title

Description

Fixes: #12512

A backslash in finding title breaks frontend render in list view.

Test results

Ideally you extend the test suite in tests/ and dojo/unittests to cover the changed in this PR.
Alternatively, describe what you have and haven't tested.

[valentijnscholten]

@c-goosen Thank you for reporting and fixing! Could you look at the Ruff failures? It looks like you added some noqa's to fix Ruff errors but now it complains there was nothing to fix 🤔

[dryrunsecurity]

🔴 Risk threshold exceeded.

This pull request involves sensitive edits to a template file with potential cross-site scripting (XSS) risks and input validation concerns, which may require careful review of escaping mechanisms and input handling to prevent potential security vulnerabilities.

⚠️ Configured Codepaths Edit in dojo/templates/dojo/filter_js_snippet.html

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

💭 Unconfirmed Findings (2)

Vulnerability	Potential Cross-Site Scripting (XSS) Risk Without Escaping
Description	Located in dojo/templates/dojo/filter_js_snippet.html, this vulnerability involves direct insertion of words into JavaScript arrays without escaping, which could potentially allow XSS attacks by executing malicious scripts if special characters are present.

Vulnerability	Potential Input Validation Bypass with Special Characters
Description	Found in tests/finding_test.py, this issue suggests possible insufficient input validation for special characters in finding titles, with the test indicating the application can handle backslash characters, which might reveal input validation weaknesses.

We've notified @mtesauro.

---

All finding details can be found in the DryRun Security Dashboard.

[c-goosen]

@c-goosen Thank you for reporting and fixing! Could you look at the Ruff failures? It looks like you added some noqa's to fix Ruff errors but now it complains there was nothing to fix 🤔

Thanks fixed that.
Also did some more testing locally with our own data imported to docker-compose local dev.

Local tested before with our data:

After fix:

Just to be careful I tested inputs like a XSS payload getting injected, but the escapejs jinja2 argument is escaping the content correctly.

@mtesauro @Maffooch ready for review.

[manuel-sommer]

Could you also look at #11572 and #11408 @c-goosen if these are fixed with this PR?

[Maffooch]

I was unable to reproduce the issue where findings could not be displayed, but there was a bunch of browser console errors that this fixes

[manuel-sommer]

Can we now also close #11572 and #11408 ?

[valentijnscholten]

Can we now also close #11572 and #11408 ?

The PR here only changed the population of the words list in the filter section. Displaying of finding titles was not affected.

[c-goosen]

Can we now also close #11572 and #11408 ?

The PR here only changed the population of the words list in the filter section. Displaying of finding titles was not affected.

@valentijnscholten && @manuel-sommer I only changed the generation of the javascript file, didn't touch the HTML templates. I can look at what we would need to fix the two issues as well.