[TRUNK-3935] Stored XSS via Custom Form Fields - OpenMRS Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Could
Resolution: Fixed
Affects Version/s: OpenMRS 1.9.3
Fix Version/s: Platform 2.0.0
Component/s: None
Labels:

Complexity:
Medium

Description

When editing forms in OpenMRS, information about the form and fields (names and descriptions) are not escaped, allowing XSS attacks.

credit: Lauren

At this URL (as of 1.9.x): /openmrs/admin/forms/formEdit.form

Attachments

Activity

People

Assignee:: Sharon Varghese

Reporter:: Burke Mamlin

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2013-03-21 10:51:03 GMT

Updated:: 2015-09-17 03:30:58 GMT

Resolved:: 2015-09-17 03:30:58 GMT

Time Tracking

Estimated:

4h

Remaining:

2h

Logged:

2h