
TRUNK-3931 wrapping unescaped ${statement} outputs in <c:out ... /> #447

Merged
merged 2 commits into from Nov 10, 2013

Conversation

MrMarvin
Contributor

@MrMarvin MrMarvin commented Nov 9, 2013

This seems to fix Jira issue #3931 ( https://tickets.openmrs.org/browse/TRUNK-3931 )

The create patient flow allows stored XSS when using the following name (script is executed when loading mdrtbEditPatient.form, and potentially other pages that display the patient name).
"><script>alert("xss")</script>
...
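The fix in this pull request is output encoding at the template layer: every unescaped `${...}` expression that prints patient data is wrapped in JSTL's `<c:out .../>`, which (with its default `escapeXml="true"`) turns `<`, `>`, `&`, `"` and `'` into entities before the value reaches the browser. The following is an added example, not code from the OpenMRS pull request or its commits; it models that change on a single table cell so the effect on the payload quoted in the ticket can be seen directly. The property name `patient.personName` in the comments and the `render*` helpers are assumptions for illustration.

```java
// Added example, not code from the OpenMRS pull request: a minimal model of
// what wrapping a JSP expression in <c:out> changes.
//
// Vulnerable JSP (unescaped expression, the pattern the PR replaces):
//   <td>${patient.personName}</td>
// Hardened JSP (JSTL c:out escapes XML by default, escapeXml="true"):
//   <td><c:out value="${patient.personName}"/></td>
//
// "patient.personName" is an assumed property name used only for illustration.

public class CoutEscapeDemo {

    /** Escapes the same five characters JSTL's c:out escapes when escapeXml is true. */
    public static String escapeXml(String raw) {
        if (raw == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(raw.length() + 16);
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Renders a table cell the way the unescaped ${...} expression did. */
    public static String renderUnescaped(String name) {
        return "<td>" + name + "</td>";
    }

    /** Renders a table cell the way <c:out value="${...}"/> does. */
    public static String renderWithCout(String name) {
        return "<td>" + escapeXml(name) + "</td>";
    }

    public static void main(String[] args) {
        // Constructed stored name: the payload reported in the ticket.
        String storedName = "\"><script>alert(\"xss\")</script>";

        System.out.println("unescaped: " + renderUnescaped(storedName));
        System.out.println("c:out    : " + renderWithCout(storedName));

        // After escaping, no live <script> tag remains in the markup.
        boolean tagSurvives = renderWithCout(storedName).contains("<script");
        System.out.println("script tag survives escaping: " + tagSurvives);
    }
}
```

Two points worth checking when reviewing a change like this: `<c:out>` is HTML-body encoding, so a value that lands inside a JavaScript block or an event-handler attribute needs that context's encoder instead, and any remaining `<c:out ... escapeXml="false"/>` reintroduces exactly the hole this PR closes.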

@dkayiwa
Member

dkayiwa commented Nov 9, 2013

Do you mind claiming the ticket and also including this pull request url on the ticket?

@MrMarvin
Contributor Author

MrMarvin commented Nov 9, 2013

We tried this earlier today but Jira didn't allow us to claim the ticket for whatever reason. However, now it worked; claimed the ticket and added the URL as you suggested. Thanks!

@dkayiwa
Member

dkayiwa commented Nov 10, 2013

The reason was that the ticket was in a "waiting for information" instead of "ready for work" state. I just made it ready for work such that you could claim it. Thanks for doing so promptly. :)

dkayiwa added a commit that referenced this pull request Nov 10, 2013
TRUNK-3931 wrapping unescaped ${statement} outputs in <c:out ... />
@dkayiwa dkayiwa merged commit ff26467 into openmrs:master Nov 10, 2013
@MrMarvin MrMarvin deleted the fixing-TRUNK-3931 branch November 10, 2013 18:37