Escape javascript breaking on backlash or special characters in finding title (#12514)

c-goosen · web-flow · commit 33559eb5e04d · 2025-05-29T14:33:12.000-06:00
* Escape javascript breaking on backlash or special characters in finding titel

* Ruff formatting and W605 ignore

* Fix escape character issue with \

* Remove ruff noqa comments.

* Fix ruff failure on w291
diff --git a/dojo/templates/dojo/filter_js_snippet.html b/dojo/templates/dojo/filter_js_snippet.html
@@ -37,7 +37,7 @@
     {% if title_words %}
         var title_words = [
                 {% for word in title_words %}
-                    "{{word}}",
+                    "{{word|escapejs}}",
                 {% endfor %}
             ];
             {% comment %}ideally we use the form.prefix but then we have the trailing dash... django templates are hard{% endcomment %}
@@ -49,7 +49,7 @@
     {% if component_words %}
             var component_words = [
                 {% for word in component_words %}
-                    "{{word}}",
+                    "{{word|escapejs}}",
                 {% endfor %}
             ];
 
diff --git a/tests/finding_test.py b/tests/finding_test.py
@@ -519,6 +519,49 @@ def test_create_finding_from_template(self):
         self.assertTrue(self.is_success_message_present(text="Finding from template added successfully."))
         self.assertTrue(self.is_text_present_on_page(text="App Vulnerable to XSS From Template"))
 
+    @on_exception_html_source_logger
+    def test_create_finding_with_unqiue_characters(self):
+        driver = self.driver
+        # Navigate to All Finding page
+        # goto engagemnent list (and wait for javascript to load)
+        self.goto_all_engagements_overview(driver)
+
+        # Select a previously created engagement title
+        driver.find_element(By.PARTIAL_LINK_TEXT, "Ad Hoc Engagement").click()
+        driver.find_element(By.PARTIAL_LINK_TEXT, "Pen Test").click()
+
+        # Click on the 'dropdownMenu1 button'
+        # logger.info("\nClicking on dropdown menu \n")
+        driver.find_element(By.ID, "dropdownMenu_test_add").click()
+        self.assertNoConsoleErrors()
+        # Click on `Apply Template to Finding`
+        driver.find_element(By.LINK_TEXT, "Finding From Template").click()
+        self.assertNoConsoleErrors()
+        # click on the template of 'App Vulnerable to XSS'
+        logger.info("\nClicking on the template \n")
+        driver.find_element(By.LINK_TEXT, "Use This Template").click()
+        self.assertNoConsoleErrors()
+        driver.find_element(By.ID, "id_title").clear()
+        # Backslash causes error
+        driver.find_element(By.ID, "id_title").send_keys("App Vulnerable to XSS from \\Template")
+        self.assertNoConsoleErrors()
+        # Click the 'finished' button to submit
+        driver.find_element(By.ID, "id_finished").click()
+        self.assertNoConsoleErrors()
+        # Query the site to determine if the finding has been added
+        # Assert to the query to determine status of failure
+        self.assertTrue(self.is_success_message_present(text="Finding from template added successfully."))
+        self.assertTrue(self.is_text_present_on_page(text="App Vulnerable to XSS From \\Template"))
+
+        # Navigate back to the finding list
+        driver.find_element(By.LINK_TEXT, "Findings").click()
+        self.assertNoConsoleErrors()
+        driver.find_element(By.LINK_TEXT, "App Vulnerable to XSS from \\Template").click()
+        self.assertNoConsoleErrors()
+
+        # Assert that the finding is present
+        self.assertTrue(self.is_text_present_on_page(text="App Vulnerable to XSS from \\Template"))
+
     @on_exception_html_source_logger
     def test_delete_finding_template(self):
         driver = self.driver
