Details

    • Complexity: Low

      Description

      There are several pages in the RA that are vulnerable to XSS attacks. A vulnerability can be reproduced when creating a patient with JS specified in the surname and address fields (see https://talk.openmrs.org/t/xss-vulnerability-in-openmrs-2-x-ui/698), and on several other pages under the 'Configure Metadata' and 'System Administration' apps.

      There are more vulnerabilities mentioned at http://packetstormsecurity.com/files/128748

      It would be worth investigating other vulnerable areas in the UI.

      Acceptance Criteria

      1. The page https://wiki.openmrs.org/x/h5UvAg should have a section documenting how to escape user-entered content using UiUtils.escape* methods, and examples
      2. The specific vulnerability mentioned in https://talk.openmrs.org/t/xss-vulnerability-in-openmrs-2-x-ui/698 is fixed
      3. A new ticket exists to go through the whole 2.x UI and clean up XSS vulnerabilities

      Process Notes

      We should create subtasks for (groups of) vulnerabilities, and let people fix them in parallel.
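
      The kind of example acceptance criterion 1 asks for, sketched here as an added illustration that is not OpenMRS code: the same stored surname and address values rendered without escaping and then escaped for the context they land in. The helper names `escapeHtml` and `escapeJsString` and the sample record are assumptions made for this sketch, not the UiUtils API.

```javascript
// Added illustration; helper names are hypothetical, not the OpenMRS UiUtils API.

// Escape for HTML element content and quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Escape for a quoted JavaScript string literal inside an inline script block.
// Everything outside [A-Za-z0-9 ,._] becomes \uXXXX, so the value can close
// neither the string nor the enclosing script element.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,._]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Constructed sample record: markup stored in the surname and address fields.
const patient = {
  surname: '<script>alert(1)</script>',
  address: '"><img src=x onerror=alert(1)>',
};

// Before: stored values concatenated straight into the page.
function renderUnsafe(p) {
  return '<h1>' + p.surname + '</h1>' +
    '<input name="address" value="' + p.address + '">' +
    '<script>var surname = "' + p.surname + '";</script>';
}

// After: each value escaped for the output context it is written into.
function renderSafe(p) {
  return '<h1>' + escapeHtml(p.surname) + '</h1>' +
    '<input name="address" value="' + escapeHtml(p.address) + '">' +
    '<script>var surname = "' + escapeJsString(p.surname) + '";</script>';
}

// Counts how many script elements a rendered fragment opens.
function countScriptTags(html) {
  return html.split('<script>').length - 1;
}

console.log(countScriptTags(renderUnsafe(patient)), countScriptTags(renderSafe(patient)));
```

      HTML escaping alone is not enough for the inline script case: the value sits inside a JavaScript string, so it needs the JavaScript-string escaper.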


              People

              • Assignee: Unassigned
              • Reporter: Wyclif Luyima (wyclif)
              • Votes: 1
              • Watchers: 12

                  Time Tracking

                  Estimated: Not Specified
                  Remaining: Not Specified
                  Logged: 5h