AppSecHQ · cycode-security · Mar 20, 2026 · cycode-security · Mar 20, 2026 · cycode-security
diff --git a/src/main/resources/lessons/pathtraversal/js/path_traversal.js b/src/main/resources/lessons/pathtraversal/js/path_traversal.js
@@ -1,3 +1,4 @@
+
 webgoat.customjs.profileUpload = function () {
 
     var picture = document.getElementById("uploadedFile").files[0];
@@ -8,10 +9,12 @@
    formData.append("password", $("#password").val());
    return formData;
 }
 
 webgoat.customjs.profileUploadCallback = function () {
     $.get("PathTraversal/profile-picture", function (result, status) {
-        document.getElementById("preview").src = "data:image/png;base64," + result;
+        var base64String = "data:image/png;base64," + result;
+        var sanitizedBase64String = sanitizeHtml(base64String);
+        document.getElementById("preview").src = sanitizedBase64String;
     });
 }
 
@@ -27,7 +30,9 @@
 
 webgoat.customjs.profileUploadCallbackFix = function () {
     $.get("PathTraversal/profile-picture", function (result, status) {
-        document.getElementById("previewFix").src = "data:image/png;base64," + result;
+        var base64String = "data:image/png;base64," + result;
+        var sanitizedBase64String = sanitizeHtml(base64String);
+        document.getElementById("previewFix").src = sanitizedBase64String;
     });
 }
 
@@ -36,7 +41,7 @@
    var picture = document.getElementById("uploadedFileRemoveUserInput").files[0];
    var formData = new FormData();
    formData.append("uploadedFileRemoveUserInput", picture);
    formData.append("fullName", $("#fullNameRemoveUserInput").val());
    formData.append("email", $("#emailRemoveUserInput").val());
    formData.append("password", $("#passwordRemoveUserInput").val());
    return formData;
@@ -44,20 +49,26 @@
 
 webgoat.customjs.profileUploadCallbackRemoveUserInput = function () {
     $.get("PathTraversal/profile-picture", function (result, status) {
-        document.getElementById("previewRemoveUserInput").src = "data:image/png;base64," + result;
+        var base64String = "data:image/png;base64," + result;
+        var sanitizedBase64String = sanitizeHtml(base64String);
+        document.getElementById("previewRemoveUserInput").src = sanitizedBase64String;
     });
 }
 
 
 webgoat.customjs.profileUploadCallbackRetrieval = function () {
     $.get("PathTraversal/profile-picture", function (result, status) {
-        document.getElementById("previewRetrieval").src = "data:image/png;base64," + result;
+        var base64String = "data:image/png;base64," + result;
+        var sanitizedBase64String = sanitizeHtml(base64String);
+        document.getElementById("previewRetrieval").src = sanitizedBase64String;
     });
 }
 
 function newRandomPicture() {
     $.get("PathTraversal/random-picture", function (result, status) {
-        document.getElementById("randomCatPicture").src = "data:image/png;base64," + result;
+        var base64String = "data:image/png;base64," + result;
+        var sanitizedBase64String = sanitizeHtml(base64String);
+        document.getElementById("randomCatPicture").src = sanitizedBase64String;
     });
 }