[RA-452] XSS vulnerabilities in Ref App 2.x - OpenMRS Issues

XML

Word

Printable

There is several pages in the RA that are vulnerable to XSS attacks, a vulnerability can be reproduced when creating a patient and the JS is specified in the surname and address fields, see https://talk.openmrs.org/t/xss-vulnerability-in-openmrs-2-x-ui/698, https://talk.openmrs.org/t/xss-still-possible-in-registration-summary-edit-section-page/26729 and several other pages under 'Configure Metadata' and 'System Administration' apps.

Would be worth it to investigate other vulnerable areas in the UI

The page https://wiki.openmrs.org/x/h5UvAg should have a section documenting how to escape user-entered content using UiUtils.escape* methods, and examples
The specific vulnerability mentioned in https://talk.openmrs.org/t/xss-vulnerability-in-openmrs-2-x-ui/698 is fixed
A new ticket exists to go through the whole 2.x UI and clean up XSS vulnerabilities

We should create subtasks for (groups of) vulnerabilities, and let people fix them in parallel.

1.	Patient names aren't sanitized, enabling malicious activity	Accepted	Daniel Kayiwa
2.	XSS on phone number field	Accepted	Daniel Kayiwa
3.	Stored XSS in Patient Address	Accepted	Daniel Kayiwa
4.	Stored XSS in name and description fields in reports	Accepted	Daniel Kayiwa
5.	Stored XSS in appointment types	Accepted	Daniel Kayiwa
6.	Stored XSS in locations	Accepted	Daniel Kayiwa
7.	Stored XSS in telephone number field	Waiting for Showcase	Unassigned
8.	Stored XSS in Diagnoses section of patient.page	Accepted	Daniel Kayiwa
9.	Reflected XSS in returnUrl parameter	Accepted	Moses Mutesasira
10.	escapeJs vulnerable to XSS	Waiting for Analysis	Unassigned
11.	XSS attack in toast messages after patient registrationion	Accepted	Wyclif Luyima
12.	XSS attack in toast messages after patient visit	Accepted	Wyclif Luyima

Estimated:

Not Specified

Remaining:

Not Specified

Logged:

Include sub-tasks