[RA-452] XSS vulnerabilities in Ref App 2.x - OpenMRS Issues

XML

Word

Printable

There is several pages in the RA that are vulnerable to XSS attacks, a vulnerability can be reproduced when creating a patient and the JS is specified in the surname and address fields, see https://talk.openmrs.org/t/xss-vulnerability-in-openmrs-2-x-ui/698, https://talk.openmrs.org/t/xss-still-possible-in-registration-summary-edit-section-page/26729 and several other pages under 'Configure Metadata' and 'System Administration' apps.

Would be worth it to investigate other vulnerable areas in the UI

The page https://wiki.openmrs.org/x/h5UvAg should have a section documenting how to escape user-entered content using UiUtils.escape* methods, and examples
The specific vulnerability mentioned in https://talk.openmrs.org/t/xss-vulnerability-in-openmrs-2-x-ui/698 is fixed
A new ticket exists to go through the whole 2.x UI and clean up XSS vulnerabilities

We should create subtasks for (groups of) vulnerabilities, and let people fix them in parallel.

1.	Patient names aren't sanitized, enabling malicious activity	Approved	Daniel Kayiwa
2.	XSS on phone number field	Approved	Daniel Kayiwa
3.	Stored XSS in Patient Address	Approved	Daniel Kayiwa
4.	Stored XSS in name and description fields in reports	Approved	Daniel Kayiwa
5.	Stored XSS in appointment types	Approved	Daniel Kayiwa
6.	Stored XSS in locations	Approved	Daniel Kayiwa
7.	Stored XSS in telephone number field	Approved	Ian Bacher
8.	Stored XSS in Diagnoses section of patient.page	Approved	Daniel Kayiwa
9.	Reflected XSS in returnUrl parameter	Approved	Moses Mutesasira
10.	escapeJs vulnerable to XSS	Ready for Work	Unassigned
11.	XSS attack in toast messages after patient registrationion	Approved	Wyclif Luyima
12.	XSS attack in toast messages after patient visit	Approved	Wyclif Luyima
13.	Reflected XSS reported by Sarah Elder	Approved	Ian Bacher
14.	Stored XSS in Appointment Scheduling UI	Approved	Ian Bacher

Estimated:

Not Specified

Remaining:

Not Specified

Logged:

Include sub-tasks