Fix XSS risks in templates (tojson escaping), remove unused replicate_text

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: wasade

microsetta_interface/static/input_util.js

@@ -41,15 +41,6 @@ function disableInputOnSubmit(form_selector, input_selector, disabled_text)
     });
 }
 
-function replicate_text(input_selector, destination_selector) {
-    $(input_selector).bind('input', function(){
-        $(this).val(function(_, v){
-            $(destination_selector).html(v);
-            return v
-        });
-    });
-}
-
 function select_class(input_selector, destination_selector, input_to_class) {
     $(input_selector).change(function(){
         $(this).val(function(_, v){

microsetta_interface/templates/new_results_page.jinja2

@@ -1383,20 +1383,20 @@
         state.dataset_type = new NamedExpression("Dataset-Type", "Loading...");
         state.known_datasets = [];
 
-        state.taxonomy = "{{taxonomy}}";
-        state.alpha_metric = "{{alpha_metric}}";
-        state.beta_metric = "{{beta_metric}}";
+        state.taxonomy = {{taxonomy|tojson}};
+        state.alpha_metric = {{alpha_metric|tojson}};
+        state.beta_metric = {{beta_metric|tojson}};
         //Just using test barcode because I can never remember a valid one.
         // DONT MERGE WITH FAKE BARCODE HERE.
-        state.sample_id = "{{sample.sample_barcode}}";
+        state.sample_id = {{sample.sample_barcode|tojson}};
         //state.sample_id = "000023984";
         //state.sample_id = "000004220";
         //state.sample_id = "000023127";
 
-        state.barcode_prefix = "{{barcode_prefix}}";
-        state.public_endpoint = "{{public_endpoint}}";
+        state.barcode_prefix = {{barcode_prefix|tojson}};
+        state.public_endpoint = {{public_endpoint|tojson}};
         let sample_type = "oral";
-        if ("{{sample.sample_site}}" === "Stool")
+        if ({{sample.sample_site|tojson}} === "Stool")
             sample_type="fecal";
         state.sample_type = sample_type;
 

microsetta_interface/templates/sample_results.jinja2

@@ -23,13 +23,13 @@
 
   <link rel="stylesheet" type="text/css" href="/static/css/4_column_flex.css" />
   <script>
-    let taxonomy = "{{taxonomy}}";
-    let alpha_metric = "{{alpha_metric}}";
-    let beta_metric = "{{beta_metric}}";
-    let sampleId = "{{sample.sample_barcode}}";
-    let barcodePrefix = "{{barcode_prefix}}";
+    let taxonomy = {{taxonomy|tojson}};
+    let alpha_metric = {{alpha_metric|tojson}};
+    let beta_metric = {{beta_metric|tojson}};
+    let sampleId = {{sample.sample_barcode|tojson}};
+    let barcodePrefix = {{barcode_prefix|tojson}};
     var opt = {"renderer": "canvas", "actions": true};  /* Options for the Vega embedding */
-    var sample_type = "{{sample.sample_site}}";
+    var sample_type = {{sample.sample_site|tojson}};
     switch(sample_type) {
         case "Stool":
             sample_type = "gut";

microsetta_interface/templates/sitebase.jinja2

@@ -254,7 +254,7 @@
                               <li><a class="dropdown-item" href="/accounts/{{ account_id }}/sources/{{ source_id }}/update_age_range">{{ _('Update Profile Age') }}</a></li>
                               {% endif %}
                               <li><a class="dropdown-item" href="/accounts/{{ account_id }}/sources/{{ source_id }}/consents">{{ _('Consent Documents') }}</a></li>
-                              <li><a class="dropdown-item" href="/accounts/{{ account_id }}/sources/{{ source_id }}/remove" onClick="return verifyDeleteSource('{{source_name}}');">{{ _('Delete This Profile') }}</a></li>
+                              <li><a class="dropdown-item" href="/accounts/{{ account_id }}/sources/{{ source_id }}/remove" onClick="return verifyDeleteSource({{source_name|tojson}});">{{ _('Delete This Profile') }}</a></li>
                           </ul>
                         </div>
                     </div>