Updated check-ueid.js to handle html elements

[anagradova]

safely to prevent xss

PR Checklist: Submitter

Issue: #4411
Steps to validate:

• Change can be seen on /report_submission/auditeeinfo/ after submitting a valid UEI.
• Inspect the javascript (check-ueid.js) and look for the function (showValidUeiInfo).

PR Checklist: Reviewer

• Pull the branch to your local environment and run make docker-clean; make docker-first-run && docker compose up; then run docker compose exec web /bin/bash -c "python manage.py test"
• Manually test out the changes locally, or check this box to verify that it wasn’t applicable in this case.
• Check that the PR has appropriate tests. Look out for changes in HTML/JS/JSON Schema logic that may need to be captured in Python tests even though the logic isn’t in Python.
• Verify that no Git surgery is necessary at any point (such as during a merge party), or, if it was, repeat the testing after it’s finished.

The larger the PR, the stricter we should be about these points.

Pre Merge Checklist: Merger

• Ensure that prior to approving, the terraform plan is what we expect it to be. -/+ resource "null_resource" "cors_header" should be destroying and recreating its self and ~ resource "cloudfoundry_app" "clamav_api" might be updating its sha256 for the fac-file-scanner and fac-av-${ENV} by default.
• Ensure that the branch is up to date with main.
• Ensure that a terraform plan has been recently generated for the pull request.

[github-actions]

Terraform plan for meta

No changes. Your infrastructure matches the configuration.

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

Warning: Argument is deprecated

  with module.s3-backups.cloudfoundry_service_instance.bucket,
  on /tmp/terraform-data-dir/modules/s3-backups/s3/main.tf line 14, in resource "cloudfoundry_service_instance" "bucket":
  14:   recursive_delete = var.recursive_delete

Since CF API v3, recursive delete is always done on the cloudcontroller side.
This will be removed in future releases

📝 Plan generated in Pull Request Checks #3863

[github-actions]

Terraform plan for dev

Plan: 1 to add, 0 to change, 1 to destroy.

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.dev.module.cors.null_resource.cors_header must be replaced
-/+ resource "null_resource" "cors_header" {
!~      id       = "*******************" -> (known after apply)
!~      triggers = { # forces replacement
!~          "always_run" = "2024-10-22T12:25:56Z" -> (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Warning: Argument is deprecated

  with module.dev-backups-bucket.cloudfoundry_service_instance.bucket,
  on /tmp/terraform-data-dir/modules/dev-backups-bucket/s3/main.tf line 14, in resource "cloudfoundry_service_instance" "bucket":
  14:   recursive_delete = var.recursive_delete

Since CF API v3, recursive delete is always done on the cloudcontroller side.
This will be removed in future releases

(and 6 more similar warnings elsewhere)

📝 Plan generated in Pull Request Checks #3863

[github-actions]

Package	Line Rate	Branch Rate	Health
.	100%	100%	✔
api	98%	90%	✔
audit	97%	87%	✔
audit.cross_validation	98%	86%	✔
audit.fixtures	84%	50%	❌
audit.intakelib	90%	81%	✔
audit.intakelib.checks	92%	85%	✔
audit.intakelib.common	98%	82%	✔
audit.intakelib.transforms	100%	94%	✔
audit.management.commands	78%	17%	❌
audit.migrations	100%	100%	✔
audit.models	93%	75%	✔
audit.templatetags	100%	100%	✔
audit.views	61%	39%	❌
census_historical_migration	96%	65%	✔
census_historical_migration.migrations	100%	100%	✔
census_historical_migration.sac_general_lib	92%	84%	✔
census_historical_migration.transforms	95%	90%	✔
census_historical_migration.workbooklib	68%	69%	❌
config	78%	17%	❌
curation	100%	100%	✔
curation.curationlib	57%	100%	❌
curation.migrations	100%	100%	✔
dissemination	91%	72%	✔
dissemination.migrations	97%	25%	✔
dissemination.searchlib	74%	64%	❌
dissemination.templatetags	100%	100%	✔
djangooidc	53%	38%	❌
djangooidc.tests	100%	94%	✔
report_submission	93%	88%	✔
report_submission.migrations	100%	100%	✔
report_submission.templatetags	74%	100%	❌
support	95%	78%	✔
support.management.commands	96%	100%	✔
support.migrations	100%	100%	✔
support.models	97%	83%	✔
tools	98%	50%	✔
users	98%	100%	✔
users.fixtures	100%	83%	✔
users.management	100%	100%	✔
users.management.commands	100%	100%	✔
users.migrations	100%	100%	✔
Summary	91% (17135 / 18910)	77% (2112 / 2760)	✔

Minimum allowed line rate is 85%

[danswick]

These changes look fine to me, but it's important to call out that they appear to be copied and pasted from the GitHub Copilot suggestion (with some reorganizing). I trust that the reviewers knew this and discussed it, but we need to be very careful about incorporating AI-derived code into the codebase. These changes are relatively minor, but it's still worth reminding everyone.

[anagradova]

These changes look fine to me, but it's important to call out that they appear to be copied and pasted from the GitHub Copilot suggestion (with some reorganizing). I trust that the reviewers knew this and discussed it, but we need to be very careful about incorporating AI-derived code into the codebase. These changes are relatively minor, but it's still worth reminding everyone.

That is correct @danswick, it is good to review AI generated suggestions, which I did. This is very similar to the co-pilot suggestion because there was no reason to change it very much other than some organization as its suggested implementation accomplished the goal, which was correcting the potential for XSS by placing in tags/strings into into the object model instead of a string with tags. The logic was not complex.

[jadudm]

I'll be out of the room for a while, so the team will want to discuss some norms around the AI code.

1. We have a system that is CC0/public domain in the USA. The AI code is trained on code that has unknown licenses and unknown provenance. I have no idea what it means for us to use it. (Which is perhaps a way to say "given our license, perhaps we shouldn't.")
2. The license issue also applies to assets, FWIW, and might help frame the code issue. E.g. when we do public presentations, we can't use random images from the internet, because it re-licenses the content as public domain (or otherwise makes dissemination of our work complex.) So, similarly for us... licensing matters, and for our code as well.

(For reference, when you're reading SO, their license is pretty explicit, and generally compatible as long as we reference our work (BY-SA). https://stackoverflow.com/help/licensing)

In this regard... my personal inclination would be to never use it. However, the team can discuss and perhaps do an ADR about it.

Dismissing pending discussion

[asteel-gsa]

Dismissing reviews at this time for re-review.

Proposed:

  const dl = document.createElement('dl');
  const dtUei = document.createElement('dt');
  const ddUei = document.createElement('dd');
  const dtName = document.createElement('dt');
  const ddName = document.createElement('dd');

  dl.setAttribute('data-testid', 'uei-info');
  dtUei.textContent = 'Unique Entity ID';
  ddUei.textContent = auditeeUei;
  dtName.textContent = 'Auditee name';
  ddName.textContent = auditeeName.value;

  dl.appendChild(dtUei);
  dl.appendChild(ddUei);
  dl.appendChild(dtName);
  dl.appendChild(ddName);

  ueiInfoEl.appendChild(dl);

Appears to be reorganized, utilizing the same html structure we have, however, I agree with Matt and Dan in this regard. We will likely need to review our license https://creativecommons.org/publicdomain/zero/1.0/legalcode on top of finding out the status at a TTS level.

Last I have seen through slack is usage is not permitted, at least in relation to plugin via VSCode. We would need a definitive "CoPilot usage is okay" from TTS at large, and I do not think that has been given.

[asteel-gsa]

@anagradova spoke with @jperson1 and this would be my proposed change to get it through.
James was able (barring local build issues) to get this working and feels good about this as well. Let us know what you think.

CC: @danswick

Refs:

• https://stackoverflow.com/a/52702483
• https://stackoverflow.com/a/48655674
• https://developer.mozilla.org/en-US/docs/Web/API/Element/append

let dl; let dtUei; let ddUei; let dtName; let ddName;
dl = document.createElement('dl');
dtUei = document.createElement('dt');
ddUei = document.createElement('dd');
dtName = document.createElement('dt');
ddName = document.createElement('dd');

dl.setAttribute('data-testid', 'uei-info');
dtUei.textContent = 'Unique Entity ID';
ddUei.textContent = auditeeUei;
dtName.textContent = 'Auditee name';
ddName.textContent = auditeeName.value;

dl.append(dtUei,ddUei,dtName,ddName);
ueiInfoEl.appendChild(dl);