Merge pull request #1253 from GSA/alert-autofix-42

Fix code scanning alert no. 42: Client-side cross-site scripting

assets/js/search.js

@@ -1,3 +1,5 @@
+import DOMPurify from 'dompurify';
+
 document.addEventListener("DOMContentLoaded", function () {
     var searchResults = document.getElementById("search-results");
     var pathParts = window.location.pathname.split("/payment-accuracy/");
@@ -44,9 +46,9 @@ document.addEventListener("DOMContentLoaded", function () {
             .then(function (posts) {
                 totalResults = posts.web.total;
                 document.getElementById("search-params").innerHTML =
-                    urlParams.get("query");
+                    DOMPurify.sanitize(urlParams.get("query"));
                 document.getElementById("search-keyword").innerHTML =
-                    urlParams.get("query");
+                    DOMPurify.sanitize(urlParams.get("query"));
                 document.getElementById("results-count").innerHTML = totalResults;
 
                 if (posts.web.results.length > 0) {

package.json

@@ -12,7 +12,8 @@
     "csv-writer": "^1.6.0",
     "jquery": "3.6.4",
     "react-redux": "^7.2.9",
-    "striptags": "^3.2.0"
+    "striptags": "^3.2.0",
+    "dompurify": "^3.2.3"
   },
   "devDependencies": {
     "a11y": "^0.5.1",
@@ -22,7 +23,7 @@
   },
   "overrides": {
     "cross-spawn": "^6.0.6",
-    "trim":">=0.0.3",
+    "trim": ">=0.0.3",
     "tough-cookie": ">=4.1.4",
     "got": ">=11.8.5",
     "trim-newlines": ">=5.0.0"