Fix for Issue 1060

[sei-vsarvepalli]

This is for fixing the problem in Issu #1060 where CSV files with commas and quote delimited commas could not be uploaded to the calculator. some small security fix to where one can use a malicious filename to inject HTML - not necessarily XSS though.

This pull request refactors and modernizes the CSV/TSV file import logic in ssvc.js, replacing the old parse_file function with a new implementation that builds a more structured and extensible schema for imported decision trees. It also updates how imported files are added to the UI and ensures imported trees are tracked and selectable.

Major improvements to file import and schema handling:

• Replaces the old parse_file function with a new version that:
  • Detects file version (CSVv1/CSVv2), generates unique short keys for headers and values, and constructs a structured schema for decision points and mappings, improving extensibility and maintainability.
  • Automatically adds imported decision trees to the global SSVC.decision_trees array and updates the UI dropdown, ensuring users can select the newly imported tree.
  • Updates the select_add_option function to accept an explicit display text for dropdown options, supporting better labeling of imported files.

Integration and function usage updates:

• Updates the readFile function to pass the filename to parse_file, allowing the new schema to include file metadata and ensuring correct dropdown labeling.

These changes make the import process more robust, user-friendly, and ready for future enhancements.

[Copilot]

Pull request overview

Updates the SSVC calculator’s CSV/TSV import flow to address Issue #1060 by refactoring the legacy CSV parser into a new “imported decision tree schema” builder and improving how imported trees are added/selected in the UI.

Changes:

• Updates select_add_option to support explicit display text and use .text() (safer than .html() for user-controlled strings).
• Refactors CSV/TSV import by replacing the old parse_file logic with a new implementation that builds a structured schema and routes it through parse_json.
• Updates readFile to pass the uploaded filename into parse_file for better labeling/metadata.

[Copilot]

Splitting lines with split("\n") leaves \r on CRLF files, which can break the quoted-line detection (x.at(-1) === '"') and pollute the last field/header. Prefer splitting on /\r?\n/ (or trimming \r) before further parsing.

Suggested change

	const xarray = xraw.split("\n").filter(Boolean);
	const xarray = xraw.split(/\r?\n/).filter(Boolean);

[sei-vsarvepalli]

will be included in the next commit

[Copilot]

Headers and values from an imported file are treated as trusted strings and later rendered in the UI; parse_json uses .html(...) for some label rendering, so a malicious header/value could inject HTML/JS. Either sanitize/escape imported headers/values before building the schema, or change the downstream rendering to use .text(...) for user-controlled content.

[sei-vsarvepalli]

will update parse_json to change html to text

[Copilot]

console.log(imported) will log the entire imported decision tree (including potentially sensitive local file contents) in production. Consider removing this or gating it behind an explicit debug flag.

Suggested change

console.log(imported);

[Copilot]

Avoid automated semicolon insertion (95% of all statements in the enclosing function have an explicit semicolon).

Suggested change

	let detect_version = "CSVv1"
	let detect_version = "CSVv1";

[sei-renae]

calc works now, but I didn't try giving it malicious json or csv.