Potential fix for code scanning alert no. 13: DOM text reinterpreted as HTML

erwindon · github-advanced-security[bot] · web-flow · commit cb845b8f012d · 2025-06-11T01:17:03.000+02:00
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/saltgui/static/scripts/Documentation.js b/saltgui/static/scripts/Documentation.js
@@ -310,15 +310,15 @@ export class Documentation {
 
       switch (concreteModules.length) {
       case 0:
-        html += "<p>'" + cmd[1] + "' is an unknown module name. We'll just assume it actually exists. The links below (if any) might not work.</p>";
+        html += "<p>'" + Documentation._escapeHtml(cmd[1]) + "' is an unknown module name. We'll just assume it actually exists. The links below (if any) might not work.</p>";
         break;
       case 1:
         // simple modules case
         // wheel/runners cases are always simple
         if (cmd[0] !== "modules") {
-          html += "<p>Module-name '" + cmd[0] + "." + cmd[1] + "' cannot be verified. We'll just assume it actually exists. The links below might not work.</p>";
+          html += "<p>Module-name '" + Documentation._escapeHtml(cmd[0]) + "." + Documentation._escapeHtml(cmd[1]) + "' cannot be verified. We'll just assume it actually exists. The links below might not work.</p>";
         } else if (cmd[1] !== concreteModules[0]) {
-          html += "<p>The internal name for '" + cmd[1] + "' is '" + concreteModules[0] + "'.</p>";
+          html += "<p>The internal name for '" + Documentation._escapeHtml(cmd[1]) + "' is '" + Documentation._escapeHtml(concreteModules[0]) + "'.</p>";
         }
         break;
       default:
@@ -426,7 +426,7 @@ export class Documentation {
     }
 
     const output = document.querySelector(".run-command pre");
-    output.innerHTML = html;
+    output.innerHTML = html; // Ensure all concatenated strings are escaped.
   }
 
   static _manualRunMenuBeaconNamePrepare () {
