Stored Cross-Site Scripting vulnerability in example Custom Digital Agreement

Disclosed: 2021-03-18 20:34:26 By jobert To security
Medium
Vulnerability Details
The advanced vetting settings page is vulnerable to a Cross-Site Scripting (XSS) vulnerability: the unsanitized Program Name is passed into a Markdown component that expects sanitized HTML as input. This leads to a stored XSS vulnerability that can be exploited by a program member when the program is in sandbox mode.

# Proof of concept

- Create a new program and set the name to `<blink><marquee><a href="//anything">XSS</a></marquee></blink>`
- Go to http://localhost:8080/handle/advanced_vetting
- Click the "View document" button, which generates an example DCA based on the Program Name
- The Program Name in the example DCA isn't properly sanitized and is passed directly to the `Markdown` React component, which assumes the HTML is sanitized

{F989452}

## Impact

The impact is limited because the example DCA is only generated when the program is in sandbox mode. It can only be exploited by Program Managers, since only they are authorized to update the Program Name. Programs in sandbox mode do **not** contain real vulnerability data.
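The bug described above, modelled as an added example in plain JavaScript (not HackerOne's code): a Markdown renderer that passes inline HTML through unchanged is fed the Program Name raw versus HTML-escaped at the point of interpolation. The function names, the template text and the minimal renderer are assumptions for illustration.

```javascript
// Minimal stand-in for a Markdown renderer that allows raw inline HTML,
// which is the property that makes an unescaped value dangerous.
// (Assumed behaviour for illustration, not the real Markdown component.)
function markdownToHtml(md) {
  return md
    .split("\n")
    .map((line) =>
      line.startsWith("# ") ? `<h1>${line.slice(2)}</h1>` : `<p>${line}</p>`
    )
    .join("\n");
}

// Escape the characters that matter in an HTML text context so the value is
// displayed literally instead of being parsed as markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable path (hypothetical name): the Program Name is interpolated raw
// into the Markdown template, so any HTML in it lands in the rendered document.
function renderExampleDcaUnsafe(programName) {
  const md = `# Custom Digital Agreement\nThis agreement covers ${programName}.`;
  return markdownToHtml(md);
}

// Hardened path (hypothetical name): escape the untrusted value before it
// reaches the renderer. Escaping at the interpolation point keeps the fix
// independent of whether the Markdown component sanitises its output.
function renderExampleDcaSafe(programName) {
  const md = `# Custom Digital Agreement\nThis agreement covers ${escapeHtml(programName)}.`;
  return markdownToHtml(md);
}

// Regression check: does the rendered HTML contain any tag the renderer
// itself did not produce (only <h1> and <p> are expected)?
function containsInjectedTag(html) {
  return /<(?!\/?(h1|p)\b)[a-z]/i.test(html);
}

// Constructed sample name with the same shape as the report's proof of concept.
const samplePayload = '<blink><marquee><a href="//anything">XSS</a></marquee></blink>';
```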
Report Stats
  • Report ID: 983077
  • State: Closed
  • Substate: resolved
  • Upvotes: 25