Project: Reference Application
Issue: RA-452

XSS vulnerabilities in Ref App 2.x


    Details

    • Complexity:
      Low

      Description

      There are several pages in the RA that are vulnerable to XSS attacks; the vulnerability can be reproduced when creating a patient with JS specified in the surname and address fields, see https://talk.openmrs.org/t/xss-vulnerability-in-openmrs-2-x-ui/698 and https://talk.openmrs.org/t/xss-still-possible-in-registration-summary-edit-section-page/26729, as well as several other pages under the 'Configure Metadata' and 'System Administration' apps.

      More vulnerabilities are mentioned at http://packetstormsecurity.com/files/128748

      It would be worth investigating other vulnerable areas in the UI.

      Acceptance Criteria

      1. The page https://wiki.openmrs.org/x/h5UvAg should have a section documenting how to escape user-entered content using UiUtils.escape* methods, and examples
      2. The specific vulnerability mentioned in https://talk.openmrs.org/t/xss-vulnerability-in-openmrs-2-x-ui/698 is fixed
      3. A new ticket exists to go through the whole 2.x UI and clean up XSS vulnerabilities
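      As an added illustration of acceptance criterion 1 (this is not code from the ticket, the wiki page or the Reference Application itself), the GSP fragment below shows the pattern the escaping documentation would describe. In UI Framework GSP views a `${...}` expression is written to the page verbatim, which is exactly what the reported reproduction relies on, so every user-entered value has to be escaped with the helper that matches the context it lands in: `ui.escapeHtml` for element text, `ui.escapeAttribute` for attribute values and `ui.escapeJs` for values placed inside a JavaScript string literal. `ui.escapeHtml` and `ui.escapeJs` are the UiUtils methods commonly used across the 2.x UI; `ui.escapeAttribute`, the `patient` and `address` model attributes and the `familyName`/`address1` property names are assumptions made for this example.

```groovy
<%
    // Added example, not part of RA-452 or of the Reference Application code base.
    // Assumed model: a Patient `patient` and a PersonAddress `address` placed in
    // the model by the page controller (the property names are assumptions too).
    def familyName = patient.familyName ?: ""
    def address1   = address?.address1 ?: ""
%>

<!-- VULNERABLE: ${...} emits the raw value, so a surname that was entered as
     markup on the registration form is rendered, and executed, as markup here.
     This is the shape of the defect the ticket reports. -->
<h2>${patient.familyName}</h2>

<!-- FIXED, element text context: escape for HTML. -->
<h2>${ui.escapeHtml(familyName)}</h2>
<p class="address">${ui.escapeHtml(address1)}</p>

<!-- FIXED, attribute context: escape for an attribute value and keep the quotes,
     so the value cannot close the attribute or add a new one. -->
<input type="text" name="address1" value="${ui.escapeAttribute(address1)}" />

<!-- FIXED, JavaScript string context: HTML escaping is the wrong tool here.
     Use the JS escaper and keep the surrounding quotes, then hand the value to
     the DOM as text (textContent), never as innerHTML. -->
<span id="surname-display"></span>
<script type="text/javascript">
    var surname = "${ui.escapeJs(familyName)}";
    document.getElementById('surname-display').textContent = surname;
</script>
```

      The rule of thumb the documentation section should state is that the escaper is chosen by the output context, not by the input field: the same surname needs `escapeHtml` in a heading, `escapeAttribute` in an `input` value and `escapeJs` inside a script, and a value that is escaped once for HTML and then reused in a script block is still a defect.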

      Process Notes

      We should create subtasks for (groups of) vulnerabilities, and let people fix them in parallel.

        Attachments

        1. 2020-04-07_14-23_1.png (176 kB)
        2. 2020-04-07_14-23.png (17 kB)


              People

              Assignee: Samuel Male (samuel34)
              Reporter: Wyclif Luyima (wyclif)
              Votes: 3
              Watchers: 16


                  Time Tracking

                  Original Estimate: Not Specified
                  Remaining Estimate: Not Specified
                  Time Spent: 5h