RA1865 - Fixing reflected XSS in the notes section (#39)
* Fixing reflected XSS in the notes section

* using owasp encoder for HTML encoding

* Escaping HTML using WebUtil

* Update api/src/main/java/org/openmrs/module/appointmentscheduling/AppointmentRequest.java

Co-authored-by: Brandon Istenes <brandonesbox@gmail.com>

* Update api/src/main/java/org/openmrs/module/appointmentscheduling/AppointmentRequest.java

Co-authored-by: Brandon Istenes <brandonesbox@gmail.com>

Co-authored-by: Anupam Devulapalli <anupam.8010@gmail.com>
Co-authored-by: Mark Goodrich <mgoodrich@pih.org>
Co-authored-by: Brandon Istenes <brandonesbox@gmail.com>
4 people committed Sep 22, 2022
1 parent 731fb58 commit 2ccbe39
Showing 2 changed files with 12 additions and 3 deletions.
Expand Up @@ -3,6 +3,7 @@
import org.openmrs.BaseOpenmrsData;
import org.openmrs.Patient;
import org.openmrs.Provider;
import org.openmrs.web.WebUtil;

import java.util.Date;

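Review bot: The new import pulls `org.openmrs.web.WebUtil` into what the description identifies as the api module's domain class (`api/src/main/java/.../AppointmentRequest.java`), which appears to make the api layer depend on the web layer for a presentation concern. If that dependency is not already declared for the api module this will fail at build time, and even if it is, HTML encoding belongs where the value is rendered rather than in the domain object. Consider dropping this import and escaping in the controller or JSP that outputs the notes instead.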
Expand Down Expand Up @@ -95,7 +96,7 @@ public String getNotes() {
}

public void setNotes(String notes) {
this.notes = notes;
this.notes = WebUtil.escapeHTML(notes);
}

public Provider getRequestedBy() {
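Review bot: Escaping in `setNotes` encodes the value before it is persisted, so every consumer of `getNotes()` that is not an HTML page (REST/JSON output, reports, and the setter itself if the ORM mapping hydrates via property access and so re-escapes on each load) now receives entity-encoded text, and any view that already escapes on output will double-encode to `&amp;lt;`. The `assertNull(appointmentRequest.getNotes())` deleted from the test file suggests `WebUtil.escapeHTML` turns `null` into a non-null value, meaning `setNotes(null)` can no longer clear the field; at minimum guard it: `this.notes = notes == null ? null : WebUtil.escapeHTML(notes);`. The durable fix for reflected XSS is to keep this setter a plain assignment and encode at the render point (e.g. `<c:out value="${appointmentRequest.notes}"/>` in the JSP, or the encoder in the controller that echoes the submitted value), with the encoding asserted in a web-layer test.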
Expand Up @@ -84,8 +84,6 @@ public void getAppointmentRequest_shouldGetCorrectAppointmentRequest() throws Ex
assertEquals(TimeFrameUnits.WEEKS, appointmentRequest.getMinTimeFrameUnits());
assertEquals(new Integer(2), appointmentRequest.getMaxTimeFrameValue());
assertEquals(TimeFrameUnits.MONTHS, appointmentRequest.getMaxTimeFrameUnits());
assertNull(appointmentRequest.getNotes());

}

@Test
Expand Down Expand Up @@ -295,4 +293,14 @@ public void getAppointmentRequestsByConstraints_shouldFetchAppointmentsByMultipl

}

@Test
@Verifies(value="The text for notes should be sanitized", method="sanitizeNotes(String)")
public void sanitizeAppointmentRequest_shouldSanitizeTheTextInputForAppointmentNotes() throws Exception {
final String note = "<iframe>";
final String sanitizedNote = "&lt;iframe&gt;";
AppointmentRequest appointmentRequest = new AppointmentRequest();
appointmentRequest.setNotes(note);
assertEquals(appointmentRequest.getNotes(), sanitizedNote);
}

}
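Review bot: The `@Verifies` annotation names `method="sanitizeNotes(String)"`, but no such method exists in the change; the code under test is `setNotes(String)`, so the annotation should read `@Verifies(value = "should HTML-escape the notes text", method = "setNotes(String)")`. The `assertEquals` arguments are also reversed (expected first, then actual): `assertEquals(sanitizedNote, appointmentRequest.getNotes());`, otherwise a failure message reports the values the wrong way round. Since the `assertNull` case was deleted from the earlier test rather than updated, this test should also pin the `null` behaviour explicitly and cover `&`, `"` and an already-encoded input so double-encoding on re-set is caught.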
