
RA-1865: Fix possible xss in account setup #57

Merged
merged 1 commit into from Nov 23, 2020

Conversation

@isears isears commented Nov 22, 2020

Why?

Possible XSS bug identified by NC State team in account setup pages

What Changed?

Added HTML encoding before user-controlled variables such as username are added to the model.

Decisions Made

Decided to do the most aggressive HTML-encoding because the values in question should not have any HTML-encodable characters anyway. In the unlikely event that this causes anything to break, though, more targeted XSS prevention can be done in the .gsp frontend.
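The approach the description outlines, encoding user-controlled values at the point where they enter the page model, as an added Java illustration that is not code from this pull request or from OpenMRS. The class and method names, the `Map`-based model, and the hand-written encoder are assumptions for the example; the OpenMRS code may use a library encoder.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration, not the OpenMRS reference application's own code.
public class AccountSetupModel {

    // Aggressive HTML encoding: every character with meaning in HTML text or
    // attribute context becomes an entity. A legitimate username contains none
    // of these characters, so valid input passes through unchanged.
    static String htmlEncode(String s) {
        if (s == null) return null;
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                case '/':  out.append("&#47;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Before the fix: the request value goes straight into the page model, and
    // a .gsp that prints model.username renders it as markup.
    static Map<String, Object> buildModelUnsafe(String username) {
        Map<String, Object> model = new LinkedHashMap<>();
        model.put("username", username);
        return model;
    }

    // After the fix: encode where the user-controlled value enters the model,
    // so every template that reads it receives inert text.
    static Map<String, Object> buildModelSafe(String username) {
        Map<String, Object> model = new LinkedHashMap<>();
        model.put("username", htmlEncode(username));
        return model;
    }

    public static void main(String[] args) {
        String hostile = "eve<script>alert(1)</script>"; // constructed sample input
        System.out.println(buildModelUnsafe(hostile).get("username"));
        System.out.println(buildModelSafe(hostile).get("username"));
    }
}
```

Encoding in the model rather than in the template is the trade-off the description hedges on: if a .gsp also escapes on output, valid usernames are unaffected but any encodable character would appear double-encoded (for example `&amp;lt;`), which is the "anything breaks" case that would call for moving the encoding into the template.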

@isears isears requested a review from dkayiwa November 22, 2020 22:59
@dkayiwa dkayiwa merged commit 702fbfd into openmrs:master Nov 23, 2020
1 check passed
dkayiwa commented Nov 23, 2020

Thanks @isears 👍
