From 74b7964b93d27c5570474da4a7ea16b02039eb50 Mon Sep 17 00:00:00 2001
From: "cycode-security[bot]" <54410473+cycode-security[bot]@users.noreply.github.com>
Date: Fri, 20 Mar 2026 17:38:45 +0000
Subject: [PATCH] [Cycode] Fix for SAST detections - Unsanitized user input in dynamic HTML insertion (XSS)
---
 .../pathtraversal/js/path_traversal.js | 21 ++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/src/main/resources/lessons/pathtraversal/js/path_traversal.js b/src/main/resources/lessons/pathtraversal/js/path_traversal.js
index 955e7fe7b9..5ca8d1a82c 100644
--- a/src/main/resources/lessons/pathtraversal/js/path_traversal.js
+++ b/src/main/resources/lessons/pathtraversal/js/path_traversal.js
@@ -1,3 +1,4 @@
+
 webgoat.customjs.profileUpload = function () {
 var picture = document.getElementById("uploadedFile").files[0];
@@ -11,7 +12,9 @@ webgoat.customjs.profileUpload = function () {
 webgoat.customjs.profileUploadCallback = function () {
 $.get("PathTraversal/profile-picture", function (result, status) {
- document.getElementById("preview").src = "data:image/png;base64," + result;
+ var base64String = "data:image/png;base64," + result;
+ var sanitizedBase64String = sanitizeHtml(base64String);
+ document.getElementById("preview").src = sanitizedBase64String;
 });
 }
@@ -27,7 +30,9 @@ webgoat.customjs.profileUploadFix = function () {
 webgoat.customjs.profileUploadCallbackFix = function () {
 $.get("PathTraversal/profile-picture", function (result, status) {
- document.getElementById("previewFix").src = "data:image/png;base64," + result;
+ var base64String = "data:image/png;base64," + result;
+ var sanitizedBase64String = sanitizeHtml(base64String);
+ document.getElementById("previewFix").src = sanitizedBase64String;
 });
 }
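Review bot: `sanitizeHtml` is called on the new lines in profileUploadCallback (and identically in profileUploadCallbackFix in the next hunk) but nothing in this file defines or imports it and the patch adds no script include, so unless it is already a global supplied by another script loaded earlier, each callback throws a ReferenceError and the preview image is never set. Separately, assigning a string to `img.src` is not dynamic HTML insertion — the value is parsed as a URL, not as markup — so an HTML sanitizer run over a `data:` URI either does nothing or risks mangling the base64 payload; this reads as a SAST false positive rather than a real XSS sink. If a guard is wanted, check that the response is base64 before building the URI, e.g. `if (!/^[A-Za-z0-9+/]*={0,2}$/.test(result)) { return; }` followed by the original `document.getElementById("preview").src = "data:image/png;base64," + result;`. The file lives under lessons/, which in WebGoat usually means deliberately vulnerable teaching code, so the lesson's intended behaviour should be confirmed before this callback is changed at all.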
@@ -44,20 +49,26 @@ webgoat.customjs.profileUploadRemoveUserInput = function () {
 webgoat.customjs.profileUploadCallbackRemoveUserInput = function () {
 $.get("PathTraversal/profile-picture", function (result, status) {
- document.getElementById("previewRemoveUserInput").src = "data:image/png;base64," + result;
+ var base64String = "data:image/png;base64," + result;
+ var sanitizedBase64String = sanitizeHtml(base64String);
+ document.getElementById("previewRemoveUserInput").src = sanitizedBase64String;
 });
 }
 webgoat.customjs.profileUploadCallbackRetrieval = function () {
 $.get("PathTraversal/profile-picture", function (result, status) {
- document.getElementById("previewRetrieval").src = "data:image/png;base64," + result;
+ var base64String = "data:image/png;base64," + result;
+ var sanitizedBase64String = sanitizeHtml(base64String);
+ document.getElementById("previewRetrieval").src = sanitizedBase64String;
 });
 }
 function newRandomPicture() {
 $.get("PathTraversal/random-picture", function (result, status) {
- document.getElementById("randomCatPicture").src = "data:image/png;base64," + result;
+ var base64String = "data:image/png;base64," + result;
+ var sanitizedBase64String = sanitizeHtml(base64String);
+ document.getElementById("randomCatPicture").src = sanitizedBase64String;
 });
 }
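Review bot: The three callbacks in this hunk now contain the same three added lines verbatim, each calling a `sanitizeHtml` that is neither defined nor imported anywhere visible in this file, so beyond the likely ReferenceError the patch also leaves five copies of one snippet to keep in sync. Since `img.src` takes a URL rather than markup, an HTML sanitizer is the wrong tool here; the one check that would actually constrain the value is that the response is base64 before it is spliced into the `data:` URI. A single helper that does that check and sets the element would replace every duplicated block and keep the validation in one place; newRandomPicture is shown below as the call site, the two profile callbacks would change the same way. The enclosing functions are complete within the hunk.
```javascript
// Shared by every preview callback: only set the image when the payload is base64.
function setPreviewFromBase64(elementId, base64) {
  if (typeof base64 !== "string" || !/^[A-Za-z0-9+/]*={0,2}$/.test(base64)) {
    return;
  }
  document.getElementById(elementId).src = "data:image/png;base64," + base64;
}

function newRandomPicture() {
  $.get("PathTraversal/random-picture", function (result, status) {
    setPreviewFromBase64("randomCatPicture", result);
  });
}
```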