RA-1772: Fix stored xss in appointment scheduling #32
Why?
Appointment scheduling is vulnerable to stored XSS as described here: https://talk.openmrs.org/t/responsible-vulnerability-disclosure/27899
What Changed?
Updated the service type validator so that it doesn't accept service names with HTML characters.
Decisions Made
It looks like we're using the `bind-html-unsafe` angular directive in a few places in this module so that `<strong></strong>` tags can be dynamically injected. As such, I opted to sanitize inputs rather than outputs because sanitizing the outputs would likely break the dynamic HTML injection functionality.
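An input-side validator in the spirit of the fix described above, alongside the output-side escaping the author chose not to use, as an added example rather than the module's own code. The rejected character set, the length limit and the function names are assumptions; the actual validator in the PR is not shown on this page.

```javascript
// Added example (not OpenMRS code). Input-side check for service type names:
// reject anything that could open or close markup, so a stored name can never
// carry a payload into a view that renders it through bind-html-unsafe.

// Assumed set of characters with HTML meaning. '&' is included because an
// entity such as &lt; is decoded by the browser once the string is bound as
// HTML, which would let an attacker smuggle '<' past a check on the raw char.
const HTML_META = /[<>&"'`]/;

// Hypothetical length limit; the module's real limit, if any, is not on the page.
const MAX_NAME_LENGTH = 255;

function validateServiceTypeName(name) {
  if (typeof name !== "string") {
    return { valid: false, reason: "name must be a string" };
  }
  const trimmed = name.trim();
  if (trimmed.length === 0) {
    return { valid: false, reason: "name must not be empty" };
  }
  if (trimmed.length > MAX_NAME_LENGTH) {
    return { valid: false, reason: "name too long" };
  }
  const match = HTML_META.exec(trimmed);
  if (match) {
    return {
      valid: false,
      reason: `name contains disallowed character ${JSON.stringify(match[0])}`,
    };
  }
  return { valid: true, reason: "" };
}

// Output-side alternative for comparison: escaping before the value reaches
// bind-html-unsafe protects the view, but it also turns the intentionally
// injected <strong> tags into literal text, which is the breakage the PR
// author describes as the reason for validating inputs instead.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample inputs for illustration.
const SAMPLE_NAMES = [
  "Cardiology follow-up",                        // accepted
  "Dentistry <script>alert(1)</script>",         // rejected: markup
  "Dental &amp; Oral",                           // rejected: entity
];
```

Running `SAMPLE_NAMES.map(validateServiceTypeName)` accepts only the first name; `escapeHtml("<strong>Urgent</strong> care")` shows why escaping would neutralise the module's own dynamic tags along with hostile ones.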