From 839429be3c4bd257d53a2d1e48965f2f912d5a8a Mon Sep 17 00:00:00 2001
From: Anil Nadiminti <anilnadi@amazon.com>
Date: Mon, 12 Jan 2026 09:42:55 -0500
Subject: [PATCH] fix: improve security in frontend application

- Replace Math.random() with crypto.randomUUID() for secure session ID generation
- Replace innerHTML with textContent to prevent XSS vulnerabilities
- Add CSS styling for API response display with proper formatting
---
 .../005_Frontend/src/App.css                    | 17 +++++++++++++++++
 .../005_Frontend/src/App.js                     |  8 +++++---
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/agents-and-function-calling/bedrock-agents/use-case-examples/fine-grained-access-permissions-agent/005_Frontend/src/App.css b/agents-and-function-calling/bedrock-agents/use-case-examples/fine-grained-access-permissions-agent/005_Frontend/src/App.css
index 162fc7926..be06d69cc 100644
--- a/agents-and-function-calling/bedrock-agents/use-case-examples/fine-grained-access-permissions-agent/005_Frontend/src/App.css
+++ b/agents-and-function-calling/bedrock-agents/use-case-examples/fine-grained-access-permissions-agent/005_Frontend/src/App.css
@@ -48,3 +48,20 @@
   }
 }
 
+#apiresponse {
+  margin-top: 20px;
+  padding: 15px;
+  border: 1px solid #ccc;
+  background-color: #f5f5f5;
+  font-family: monospace;
+  white-space: pre-wrap;
+  text-align: left;
+  max-width: 800px;
+  margin-left: auto;
+  margin-right: auto;
+  overflow-wrap: break-word;
+}
+
+#apiresponse:empty {
+  display: none;
+}
diff --git a/agents-and-function-calling/bedrock-agents/use-case-examples/fine-grained-access-permissions-agent/005_Frontend/src/App.js b/agents-and-function-calling/bedrock-agents/use-case-examples/fine-grained-access-permissions-agent/005_Frontend/src/App.js
index efba1dd36..9d397c994 100644
--- a/agents-and-function-calling/bedrock-agents/use-case-examples/fine-grained-access-permissions-agent/005_Frontend/src/App.js
+++ b/agents-and-function-calling/bedrock-agents/use-case-examples/fine-grained-access-permissions-agent/005_Frontend/src/App.js
@@ -62,7 +62,8 @@ const parseJwtToken = (tokenType) => {
   };
   
   const generateSessionId = () => {
-    const newSessionId = Math.random().toString(36).substring(2, 15); // Generate a new session ID
+    // Use cryptographically secure random UUID instead of Math.random()
+    const newSessionId = crypto.randomUUID();
     setSessionId(newSessionId);
   };  
   
@@ -121,8 +122,9 @@ function callAPIGW(accessToken, idToken, inputPrompt, setIsLoading, sessionId) {
     .get(apiGatewayUrl, { headers: headers })
     .then((response) => {
       console.log(response.data);
-      document.getElementById('apiresponse').innerHTML =
-        '<b>Response</b><br>' + JSON.stringify(response.data, null, 2);
+      // Use textContent instead of innerHTML to prevent XSS attacks
+      const apiResponseElement = document.getElementById('apiresponse');
+      apiResponseElement.textContent = 'Response\n' + JSON.stringify(response.data, null, 2);
       setIsLoading(false); // Set isLoading to false after receiving the response
         
     })