Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

3.1.1.8 Resolve Manage Patient Identifier Sources from XSS attack #123

Merged
merged 7 commits into from
Oct 12, 2024
Merged

3.1.1.8 Resolve Manage Patient Identifier Sources from XSS attack #123

merged 7 commits into from
Oct 12, 2024

Conversation

slubwama
Copy link
Contributor

No description provided.

@slubwama slubwama requested a review from dkayiwa October 10, 2024 19:00
@slubwama slubwama marked this pull request as draft October 10, 2024 19:15
@dkayiwa
Copy link
Member

dkayiwa commented Oct 10, 2024

@slubwama is this still draft because you are not yet done with it?

@slubwama slubwama marked this pull request as ready for review October 10, 2024 23:06
@slubwama
Copy link
Contributor Author

slubwama commented Oct 10, 2024
edited
Loading

@slubwama is this still draft because you are not yet done with it?

@dkayiwa Now its ready

@ibacher
Copy link
Member

ibacher commented Oct 10, 2024

We probably also need to be sure to escape things on the display end too. Otherwise, it remains trivial to, e.g., submit the request via the REST API…

@slubwama
Copy link
Contributor Author

slubwama commented Oct 11, 2024
edited
Loading

We probably also need to be sure to escape things on the display end too. Otherwise, it remains trivial to, e.g., submit the request via the REST API…

We probably also need to be sure to escape things on the display end too. Otherwise, it remains trivial to, e.g., submit the request via the REST API…

@ibacher Done

dkayiwa
dkayiwa reviewed Oct 11, 2024
View reviewed changes
omod/src/main/webapp/editIdentifierSource.jsp Outdated
@@ -6,6 +6,21 @@
<%@ include file="/WEB-INF/template/header.jsp"%>
<%@ include file="localHeader.jsp"%>

<script type="text/javascript">
function beforeSubmit() {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you expect this to be named sanitizeAndSubmit?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dkayiwa I have just changed the method call to beforeSubmit to allow flexibility in the future. In case there is a need of more client side controls on the form before submission

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The original method name was better because it described what exactly the method is doing.
It is not a good practice to sacrifice clarity for a possible future which in most cases turns out not to happen. 😊
If that future comes and we find that we need to rename/refactor, let it happen then, but not now.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dkayiwa corrected to original

Copy link
Member

@dkayiwa dkayiwa Oct 11, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The other question is, did you actually test this? The reason i am asking is simply because the method name was different from the one you had for the onSubmit attribute. So i would have expected you to get errors.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dkayiwa I had tested it, and before pushing, I renamed the method to beforeSubmit. That’s how it ended up breaking. I forgot that this wouldn’t rename properly, since the method call in the form tag was being recognized as a string rather than an actual method call in IntelliJ. As a result, the automatic rename didn’t work.

@dkayiwa dkayiwa merged commit 3520f0e into openmrs:master Oct 12, 2024
1 check passed
ibacher
ibacher reviewed Oct 22, 2024
View reviewed changes
omod/src/main/webapp/editIdentifierSource.jsp
</tr>
<tr>
<th align="right" valign="top">
<span class="requiredField">*</span>
<spring:message code="idgen.firstIdentifierBase" />:
<spring:message id="baseCharacterSet" code="idgen.firstIdentifierBase" />:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, this seems to produce the error:

org.apache.jasper.JasperException: /WEB-INF/view/module/idgen/editIdentifierSource.jsp (line: [92], column: [5]) Attribute [id] invalid for tag [message] according to TLD

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ibacher ibacher ibacher approved these changes

@dkayiwa dkayiwa dkayiwa left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@slubwama @dkayiwa @ibacher