[TRUNK-3937] Stored XSS in Location Pages - OpenMRS Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Could
Resolution: Fixed
Affects Version/s: OpenMRS 1.9.0
Fix Version/s: Platform 1.11.0, Platform 2.0.0
Component/s: None
Labels:

Complexity:
Medium

Description

It's possible to put inject some Javascrip into forms on the location pages:

To reproduce:

1. Goto admin/locations/location.form and create new location (<script>alert(1)</script> as name).
2. Load this form, script is ran from Parent Location dropdown box.
admin/locations/locationTag.list - name, desc parameters
admin/locations/hierarchy.list - previously stored location name parameter.

Originally reported by Kevin Jacobs

Gliffy Diagrams

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

TRUNK-3937.patch
4 kB
2013-04-22 01:16:18 GMT

Activity

People

Assignee:: Paweł Muchowski

Reporter:: Steven Githens

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 2013-03-21 10:53:37 GMT

Updated:: 2018-10-26 16:59:04 GMT

Resolved:: 2015-02-09 15:17:35 GMT

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

2d 5h