Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Trunk 3940 xss in concepts #451

Merged
merged 23 commits into from Nov 18, 2013
Merged

Trunk 3940 xss in concepts #451

merged 23 commits into from Nov 18, 2013

Conversation

MrMarvin
Copy link
Contributor

This bunch of commits should fix TRUNK-3949 and a lot more XSS vulnerabilities altogether.

  • Adds some c:out tags around String type attributes of Concept and related models
  • adds implicit HTML escaping for openmrs:format method for concepts + a new unit test for that
  • enables global html escaping for JSPs. This wasn't done before because it used to break a lot of on-purpose html outputs. However, these uses have been modified to be excepted by specifying htmlEscape="false".

To be honest, I am not 100% sure if this does not influence someone else code in non-core modules but personally I think the white-listing vs. try-to-blacklist-everythingis the right way to go, especially from a security point of view!

Marv Cool added 23 commits November 15, 2013 23:39
adds more <c:out tags
8376dac 
wraps usage of multiple concept and drug related attributes
in <c:out ...> tags
enables use of global htmlEscape in JSPs
f115042
makes fix.error message html un-escaped
0871263
makes welcomeUser message html un-escaped
ac2cbda
makes general.changes.toSave message html un-escaped
3827800
makes welcome message html un-escaped
cb72448
makes Alert.unreadAlert message html un-escaped
69454cc
makes Alert.unreadAlerts message html un-escaped
c0a6b26
makes Patient.merge.warning message html un-escaped
a138720
makes Patient.delete.warningMessage message html un-escaped
e527aef
makes Person.search.similarPersonInstructions message html un-escaped
471566e
makes Person.delete.warningMessage message html un-escaped
2c6bfb7
makes PersonAttributeType.java.util.Date.warning message html un-escaped
9aa7896
makes Role.inheritedRoles.description message html un-escaped
639196d
makes Role.inheritingRoles.description message html un-escaped
fbac0fa
makes Module.help.findMore message html un-escaped
48f4590
makes Scheduler.list.runsEvery message html un-escaped
98cefe5
makes Scheduler.list.from message html un-escaped
c12b027
makes Scheduler.list.startingOn message html un-escaped
8ca9824
makes Hl7InArchive.migrate.warning.message message html un-escaped
c0a1902
makes AddressTemplate.copy.form.wiki message html un-escaped
c3891a1
fixes error in "general.changes.toSave message html un-escaped" commit
d09463f
fixes error in "welcome message html un-escaped" commit
48dd468
dkayiwa added a commit that referenced this pull request Nov 18, 2013
@dkayiwa
Merge pull request #451 from openmrs-codejam-hamburg/TRUNK-3940-XSS-i…
d31a7df 
…n-concepts

Trunk 3940 xss in concepts
@dkayiwa dkayiwa merged commit d31a7df into openmrs:master Nov 18, 2013
RandilaP pushed a commit to RandilaP/openmrs-core that referenced this pull request Jul 31, 2023
@ibacher
Remove source-maps in production builds (openmrs#451)
5097d7b
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@MrMarvin @dkayiwa