  1. OpenMRS Core
  2. TRUNK-3937

Stored XSS in Location Pages


Details

    Description

      It's possible to inject some JavaScript into forms on the location pages:

      To reproduce:

      1. Go to admin/locations/location.form and create a new location (<script>alert(1)</script> as name).
      2. Load this form; the script is run from the Parent Location dropdown box.

      admin/locations/locationTag.list - name, desc parameters
      admin/locations/hierarchy.list - previously stored location name parameter.

      Originally reported by Kevin Jacobs
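
The behaviour in step 2, as an added example in plain Java that is not OpenMRS code: a stored location name written into a dropdown `<option>` verbatim, beside the same name HTML-encoded at output time. The class name, method names and sample location names are assumptions made for illustration.

```java
import java.util.List;

public class LocationOptionEncoding {

    // Minimal HTML encoder for element content and quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Behaviour described in the report: the stored name is written out verbatim,
    // so markup in the name becomes markup in the page.
    static String optionRaw(int id, String name) {
        return "<option value=\"" + id + "\">" + name + "</option>";
    }

    // Hardened form: the name is encoded when rendered, whatever was stored.
    static String optionEncoded(int id, String name) {
        return "<option value=\"" + id + "\">" + escapeHtml(name) + "</option>";
    }

    public static void main(String[] args) {
        // Constructed sample names; the second is the value used in the report.
        List<String> names = List.of(
                "Outpatient Clinic",
                "<script>alert(1)</script>",
                "Lab & \"X-Ray\"");
        int id = 1;
        for (String name : names) {
            System.out.println("raw:     " + optionRaw(id, name));
            System.out.println("encoded: " + optionEncoded(id, name));
            id++;
        }
    }
}
```

Encoding at render time covers every page that displays the stored value, including the tag list and hierarchy views named in the report, regardless of how the name entered the database.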


            People

              pmuchowski Paweł Muchowski
              sgithens Steven Githens
              Votes: 0
              Watchers: 7


                Time Tracking

                  Estimated: Not Specified
                  Remaining: 0 minutes
                  Logged: 2 days, 5 hours