From e6f0e7d11ea08bbe6855b0a6b296087a5c8ea926 Mon Sep 17 00:00:00 2001
From: Anthony Bartolo
Date: Wed, 20 Aug 2025 15:14:59 -0400
Subject: [PATCH] Potential fix for code scanning alert no. 16: Reflected cross-site scripting
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../Module2/code/lesson5/lab2/app.js | 15 +++++++++++++--
 .../Module2/code/lesson5/lab2/package.json | 3 ++-
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/archive/Educator Resources/Course Content/Module2/code/lesson5/lab2/app.js b/archive/Educator Resources/Course Content/Module2/code/lesson5/lab2/app.js
index f901ab6a0..d00907253 100644
--- a/archive/Educator Resources/Course Content/Module2/code/lesson5/lab2/app.js
+++ b/archive/Educator Resources/Course Content/Module2/code/lesson5/lab2/app.js
@@ -1,6 +1,7 @@
 var express = require('express'),
 bodyParser = require('body-parser'),
- logger = require('morgan')
+ logger = require('morgan'),
+ escapeHtml = require('escape-html')
 let posts = require('./posts.json')
@@ -15,7 +16,17 @@ app.get('/', function(req, res, next) {
 })
 app.get('/api/posts', function(req, res, next) {
- let results = posts
+ let results = posts.map(post => { let escapedPost = {}; for (let key in post) { if (typeof post[key] === 'string') { escapedPost[key] = escapeHtml(post[key]); } else { escapedPost[key] = post[key]; } } return escapedPost; }); res.send(results) })
diff --git a/archive/Educator Resources/Course Content/Module2/code/lesson5/lab2/package.json b/archive/Educator Resources/Course Content/Module2/code/lesson5/lab2/package.json
index 8969bff10..bac6cf591 100644
--- a/archive/Educator Resources/Course Content/Module2/code/lesson5/lab2/package.json
+++ b/archive/Educator Resources/Course Content/Module2/code/lesson5/lab2/package.json
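Review bot: HTML-escaping the values inside the array handed to `res.send(results)` in the `/api/posts` handler encodes at the wrong layer — Express serializes an array as JSON, so the endpoint now returns `&amp;`/`&lt;` sequences inside JSON strings, which corrupts the data for any consumer that renders via `textContent` or an auto-escaping template (double encoding), while a consumer that injects via `innerHTML` is still exposed to anything this escaping misses. It misses a fair amount: the `typeof post[key] === 'string'` check only covers top-level string properties, so nested objects or arrays in `posts.json`, if the file has any (its schema is not visible here), pass through unescaped. Because `posts` is loaded once from `./posts.json` at startup rather than from the request, it is also not clear this is reflected XSS at all; the conventional fix is to keep the API returning unmodified data with an explicit `res.json(results)`, set `X-Content-Type-Options: nosniff`, and escape where the data is rendered into HTML. If escaping in the API is intentional for the lesson, record that with a comment such as `// Values are HTML-escaped here only because the lab front end inserts them with innerHTML`.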
@@ -19,7 +19,8 @@
 "dependencies": {
 "body-parser": ">=1.20.3",
 "express": ">=4.20.0",
- "morgan": "1.9.1"
+ "morgan": "1.9.1",
+ "escape-html": "^1.0.3"
 },
 "devDependencies": {
 "body-parser": ">=1.20.3",