Ra 1424: escapeJs is vulnerable to XSS attacks (#51)
* RA-1424: escapeJs vulnerable to XSS

* RA-1424: escapeJs vulnerable to XSS
jnsereko committed Jul 5, 2021
1 parent e002f33 commit 8119909
Showing 8 changed files with 10 additions and 10 deletions.
Expand Up @@ -203,7 +203,7 @@ public static String determineReturnLabel(String returnLabel, Patient patient, U
if (org.apache.commons.lang.StringUtils.isNotBlank(returnLabel)) {
return ui.message(returnLabel);
} else {
return ui.escapeJs(ui.format(patient));
return ui.encodeJavaScript(ui.format(patient));
}

}
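Review bot: The two branches of determineReturnLabel now return differently encoded values — `return ui.message(returnLabel);` is not JavaScript-encoded while the else branch is — so callers receive a label whose encoding depends on which input happened to be present. Output encoding belongs at the sink: the viewHtmlForm template changed further down in this commit already wraps the label as `ui.encodeJavaScript(returnLabel)`, so a label encoded here is encoded twice there (a quote or backslash in a patient name comes out with extra backslashes), and it is under-encoded anywhere the label is emitted as HTML instead. I would return the plain value, `return ui.format(patient);`, and leave encoding to the template that knows its context. The method's signature and earlier body are outside the hunk.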
Expand Up @@ -281,7 +281,7 @@ public SimpleObject submit(UiSessionContext sessionContext, @RequestParam("perso
request.getSession().setAttribute(UiCommonsConstants.SESSION_ATTRIBUTE_INFO_MESSAGE,
ui.message(
editMode ? "htmlformentryui.editHtmlForm.successMessage" : "htmlformentryui.enterHtmlForm.successMessage",
ui.format(hf.getForm()), ui.escapeJs(ui.format(patient))));
ui.format(hf.getForm()), ui.encodeJavaScript(ui.format(patient))));
request.getSession().setAttribute(UiCommonsConstants.SESSION_ATTRIBUTE_TOAST_MESSAGE, "true");

return returnHelper(null, fes, formEncounter);
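Review bot: Only one of the two message arguments is encoded: `ui.format(hf.getForm())` is passed raw while the patient name gets `ui.encodeJavaScript`, which makes the choice of what to protect look accidental rather than driven by the output context. The formatted message is stored in SESSION_ATTRIBUTE_INFO_MESSAGE and the code that later renders that attribute is not in this hunk; JavaScript-string encoding is specific to a script literal, so if the toast is written into the page as HTML this encoder does not match the context and the escape sequences would show up literally. Either treat both arguments the same or, better, keep the message unencoded here and encode it at the point where it is rendered. submit() continues outside the hunk.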
Expand Up @@ -39,7 +39,7 @@ public void get(@RequestParam("encounter") Encounter encounter,
SimpleObject.create("patientId", patient.getId()));
}
if (StringUtils.isEmpty(returnLabel)) {
returnLabel = ui.escapeJs(ui.format(patient.getPatient()));
returnLabel = ui.encodeJavaScript(ui.format(patient.getPatient()));
}

model.addAttribute("patient", patient);
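Review bot: `returnLabel` is JavaScript-encoded here and then, if this is the value the page receives, encoded a second time by `ui.encodeJavaScript(returnLabel)` in the viewHtmlForm template changed further down in this commit, so a patient name containing a quote or backslash would render with stray backslashes. Encoding in the controller treats the value as output rather than data; the same pattern appears in the else branch of determineReturnLabel in the first file of this commit. I would keep the raw value in the model, `returnLabel = ui.format(patient.getPatient());`, and rely on the template to encode for its own context. The get() method and the statement that puts returnLabel into the model are outside the hunk, so the double-encoding is inferred rather than traced end to end.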
Expand Up @@ -29,7 +29,7 @@ ${ ui.includeFragment("coreapps", "patientHeader", [ patient: patient ]) }
var breadcrumbs = _.flatten([
{ icon: "icon-home", link: '/' + OPENMRS_CONTEXT_PATH + '/index.htm' },
${ breadcrumbMiddle },
{ label: "${ ui.escapeJs(ui.message("coreapps.editHtmlForm.breadcrumb", ui.message(ui.format(htmlForm.form)))) }" }
{ label: "${ ui.encodeJavaScript(ui.message("coreapps.editHtmlForm.breadcrumb", ui.message(ui.format(htmlForm.form)))) }" }
]);
jQuery(function() {
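Review bot: `${ breadcrumbMiddle }` on the line above the changed label is still interpolated into the script block with no encoding, here and in the two sibling breadcrumb templates with the same shape (the `@@ -10,7 +10,7 @@` and `@@ -13,7 +13,7 @@` hunks), while the `@@ -30,7 +30,7 @@` template wraps it as `ui.encodeHtmlContent(breadcrumbMiddle)`. The commit encodes the label but leaves this neighbouring interpolation inconsistent across the four files; if breadcrumbMiddle is built from anything request-derived it needs the same treatment, and if it is a trusted server-built fragment a comment saying so, e.g. `// breadcrumbMiddle is a server-built JS fragment, not user data`, would settle the question. Putting ui.encodeJavaScript outermost on the label, as done here, is the right placement for a string literal inside a script block.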
Expand Up @@ -10,7 +10,7 @@
var breadcrumbs = _.flatten([
{ icon: "icon-home", link: '/' + OPENMRS_CONTEXT_PATH + '/index.htm' },
${ breadcrumbMiddle },
{ label: "${ ui.escapeJs(ui.message("coreapps.editHtmlForm.breadcrumb", ui.message(ui.format(htmlForm.form)))) }" }
{ label: "${ ui.encodeJavaScript(ui.message("coreapps.editHtmlForm.breadcrumb", ui.message(ui.format(htmlForm.form)))) }" }
]);
jq(function() {
Expand Up @@ -30,7 +30,7 @@ ${ ui.includeFragment("coreapps", "patientHeader", [ patient: patient ]) }
var breadcrumbs = _.flatten([
{ icon: "icon-home", link: '/' + OPENMRS_CONTEXT_PATH + '/index.htm' },
${ ui.encodeHtmlContent(breadcrumbMiddle) } ,
{ label: "${ ui.escapeJs(ui.format(htmlForm.form)) }" }
{ label: "${ ui.encodeJavaScript(ui.format(htmlForm.form)) }" }
]);
jQuery(function() {
Expand Up @@ -13,7 +13,7 @@
var breadcrumbs = _.flatten([
{ icon: "icon-home", link: '/' + OPENMRS_CONTEXT_PATH + '/index.htm' },
${ breadcrumbMiddle },
{ label: "${ ui.message(ui.escapeJs(ui.format(htmlForm.form)) )}" }
{ label: "${ ui.message(ui.encodeJavaScript(ui.format(htmlForm.form)) )}" }
]);
jq(function() {
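Review bot: The encoding is applied inside the message call, `ui.message(ui.encodeJavaScript(ui.format(htmlForm.form)) )`, so the string that actually lands in the JavaScript literal is whatever ui.message returns, and that is not encoded; the other breadcrumb templates in this commit put ui.encodeJavaScript outermost. Encoding should be the last step before the value is written into the literal: `{ label: "${ ui.encodeJavaScript(ui.message(ui.format(htmlForm.form))) }" }`. As written, a message text containing a quote would terminate the string early, and passing an already-encoded form name into the lookup may also change what ui.message resolves (hedged, since its lookup behaviour is not visible here).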
Expand Up @@ -8,14 +8,14 @@
<script type="text/javascript">
window.viewHtmlForm = {
encounterId: ${ encounter.id },
returnUrl: "${ ui.escapeJs(returnUrl) }",
returnUrl: "${ ui.encodeJavaScript(returnUrl) }",
htmlFormId: ${htmlForm.id}
};
var breadcrumbs = [
{ icon: "icon-home", link: '/' + OPENMRS_CONTEXT_PATH + '/index.htm' },
{ label: "${ ui.escapeJs(returnLabel) }", link: "${ ui.escapeJs(returnUrl) }" },
{ label: "${ ui.escapeJs(ui.message("htmlformentryui.viewHtmlForm.breadcrumb", ui.message(ui.format(htmlForm.form)))) }" }
{ label: "${ ui.encodeJavaScript(returnLabel) }", link: "${ ui.encodeJavaScript(returnUrl) }" },
{ label: "${ ui.encodeJavaScript(ui.message("htmlformentryui.viewHtmlForm.breadcrumb", ui.message(ui.format(htmlForm.form)))) }" }
];
</script>
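Review bot: `ui.encodeJavaScript(returnUrl)` makes the string literal safe but says nothing about where the URL points: the value is used both as `window.viewHtmlForm.returnUrl` and as the breadcrumb `link`, and if returnUrl arrives as a request parameter (its origin is outside this hunk) the encoding does not restrict its scheme or host, so it remains an unvalidated navigation target. That check belongs in the controller before the value reaches the model, for example accepting only a relative path under the application context path and substituting a default otherwise. The template should keep the encoding exactly as written; it addresses the script-literal context, not the redirect one.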

