Update fixes for command injections at bulletin_generator

[cduhn17]

🗣 Description

Sanitize input from input variables. Revove the following code associated with htmx.js:

• The method o embeds untrusted data in generated output with body, at line 148 of src/pe_reports/static/js/htmx.js. This untrusted data is embedded into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the generated web-page src/pe_reports/js/htmx.js line 1224,151, 1321, 722. Also removed associated code in *.css as the styles are no longer need once htmx.js is removed (see https://github.com/cisagov/pe-reports/pull/596).

💭 Motivation and context

Based on the input that is possible it is a best practice to remove the chance of command execution.

✅ Pre-approval checklist

• [x] This PR has an informative and human-readable title.
• [x] Changes are limited to a single goal - eschew scope creep!
• [x] All future TODOs are captured in issues, which are referenced in code comments.
• [x] All relevant type-of-change labels have been added.
• [x] I have read the CONTRIBUTING document.
• [x] These code changes follow cisagov code standards.
• [x] All relevant repo and/or project documentation has been updated to reflect the changes in this PR.
• [x] Tests have been added and/or modified to cover the changes in this PR.
• [x] All new and existing tests pass.

✅ Pre-merge checklist

• [x] Revert dependencies to default branches.
• [x] Finalize version.

✅ Post-merge checklist

• [x] Create a release.

[coveralls]

coverage: 26.628% (-0.02%) from 26.647% when pulling 94059cee8dafcd688b09b0c2d10f07f07dc83dd9 on CD-command-injection-fixes into bb77b5eb32d454d149b668db236816b56b49e8cd on develop.

[cduhn17]

@dav3r ,

The other changes are third part libs, so we just removed them to pass the checks. Its not our evaluation, that is all of the information that I have at this point.

[dav3r]

@dav3r ,

The other changes are third part libs, so we just removed them to pass the checks. Its not our evaluation, that is all of the information that I have at this point.

Which third party libraries are you removing? I was referring to the HTML changes here, here, and here. Regardless, you should update the content in the PR's description to document why these changes are included.

[cduhn17]

@dav3r ,

I have updated the PR description. The third-party js lib is HTMX js.

[dav3r]

I have updated the PR description. The third-party js lib is HTMX js.

@cduhn17 I don't see any updates to this PR's description - it looks like there haven't been any edits in 2 days.

[cduhn17]

@dav3r , Should be updated now.