3.1.1.8 Resolve Manage Patient Identifier Sources from XSS attack #123

Merged
merged 7 commits into from
Oct 12, 2024
27 changes: 21 additions & 6 deletions omod/src/main/webapp/editIdentifierSource.jsp
@@ -6,6 +6,21 @@
<%@ include file="/WEB-INF/template/header.jsp"%>
<%@ include file="localHeader.jsp"%>

<script type="text/javascript">
function beforeSubmit() {
Member: Do you expect this to be named sanitizeAndSubmit?

Contributor Author: @dkayiwa I have just changed the method call to beforeSubmit to allow flexibility in the future, in case there is a need for more client-side controls on the form before submission.

Member: The original method name was better because it described exactly what the method is doing.
It is not a good practice to sacrifice clarity for a possible future which in most cases turns out not to happen. 😊
If that future comes and we find that we need to rename/refactor, let it happen then, but not now.

Contributor Author: @dkayiwa corrected to original

Member (@dkayiwa, Oct 11, 2024): The other question is, did you actually test this? The reason I am asking is simply because the method name was different from the one you had for the onSubmit attribute. So I would have expected you to get errors.

Contributor Author: @dkayiwa I had tested it, and before pushing, I renamed the method to beforeSubmit. That’s how it ended up breaking. I forgot that this wouldn’t rename properly, since the method call in the form tag was being recognized as a string rather than an actual method call in IntelliJ. As a result, the automatic rename didn’t work.

const baseCharacterSet = document.getElementById('baseCharacterSet');
const prefix = document.getElementById('prefix');
const suffix = document.getElementById('suffix');
const firstIdentifierBase = document.getElementById('firstIdentifierBase');

baseCharacterSet.value=html_sanitize(baseCharacterSet.value);
prefix.value=html_sanitize(prefix.value);
suffix.value=html_sanitize(suffix.value);
firstIdentifierBase.value=html_sanitize(firstIdentifierBase.value);
return true;
}
</script>

<style>
.requiredField {font-weight:bold; color:red;}
</style>
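Review bot: the `html_sanitize` calls in `beforeSubmit()` run only in the browser, so they do not protect against a request that is sent without going through this form, and they should not be counted as the fix for the stored XSS; the `<c:out>` output encoding in viewIdentifierSource.jsp is what actually closes it, and this script is at best a convenience for users. Two things to check in this hunk: `html_sanitize` is not defined anywhere in the diff, so confirm the library that provides it is included on this page (otherwise the handler throws and the form submits unsanitized), and the name `beforeSubmit` does not match the `sanitizeAndSubmit()` the form's onsubmit attribute calls later in this file, so as written the handler never runs.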
@@ -22,7 +37,7 @@
<spring:message code="idgen.general.for"/> <c:out value='${source.identifierType.name}'/>
</h3>

<frm:form modelAttribute="source" method="post" action="saveIdentifierSource.form">
<frm:form modelAttribute="source" method="post" action="saveIdentifierSource.form" onsubmit="return sanitizeAndSubmit()">
<frm:errors path="*" cssClass="error"/><br/>
<table>
<tr>
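Review bot: `onsubmit="return sanitizeAndSubmit()"` calls a function that does not exist in this file; the script above defines `beforeSubmit()`. An inline handler that throws a ReferenceError is reported to the console and returns nothing, so the form still submits and none of the sanitizing runs, which is exactly the silent failure the thread discusses. Rename one side so the two agree (the thread settles on `sanitizeAndSubmit`), and retest by submitting a value containing angle brackets and checking what is stored.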
@@ -69,12 +84,12 @@
<span class="requiredField">*</span>
<spring:message code="idgen.baseCharacterSet" />:
</th>
<td><frm:input path="baseCharacterSet" size="80" /><frm:errors path="baseCharacterSet" cssClass="error" /></td>
<td><frm:input id="baseCharacterSet" path="baseCharacterSet" size="80" /><frm:errors path="baseCharacterSet" cssClass="error" /></td>
</tr>
<tr>
<th align="right" valign="top">
<span class="requiredField">*</span>
<spring:message code="idgen.firstIdentifierBase" />:
<spring:message id="baseCharacterSet" code="idgen.firstIdentifierBase" />:
Member: So, this seems to produce the error:

org.apache.jasper.JasperException: /WEB-INF/view/module/idgen/editIdentifierSource.jsp (line: [92], column: [5]) Attribute [id] invalid for tag [message] according to TLD

</th>
<td>
<c:choose>
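Review bot: the `id="baseCharacterSet"` added to `<spring:message code="idgen.firstIdentifierBase" />` is wrong on two counts: the message tag has no `id` attribute (hence the JasperException quoted in the thread, which will break the whole page at compile time), and the same id is already given to the baseCharacterSet `<frm:input>` a few rows above, so even if it compiled it would be a duplicate id. Drop the attribute from the message tag; it looks like it was meant for the firstIdentifierBase input in the next hunk, which already has its own id.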
@@ -84,18 +99,18 @@
<spring:message code="idgen.inUseUnableToModify" />
</c:when>
<c:otherwise>
<frm:input path="firstIdentifierBase" size="20" /><frm:errors path="firstIdentifierBase" cssClass="error" />
<frm:input id="firstIdentifierBase" path="firstIdentifierBase" size="20" /><frm:errors path="firstIdentifierBase" cssClass="error" />
</c:otherwise>
</c:choose>
</td>
</tr>
<tr>
<th align="right"><spring:message code="idgen.prefix" />:</th>
<td><frm:input path="prefix" size="10" /><frm:errors path="prefix" cssClass="error" /></td>
<td><frm:input id="prefix" path="prefix" size="10" /><frm:errors path="prefix" cssClass="error" /></td>
</tr>
<tr>
<th align="right"><spring:message code="idgen.suffix" />:</th>
<td><frm:input path="suffix" size="10" /><frm:errors path="suffix" cssClass="error" /></td>
<td><frm:input id="suffix" path="suffix" size="10" /><frm:errors path="suffix" cssClass="error" /></td>
</tr>
<tr>
<th align="right"><spring:message code="idgen.minLength" />:</th>
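Review bot: the explicit `id` attributes on these three `<frm:input>` tags are redundant rather than wrong: Spring's form input tag derives the rendered `id` from `path` when none is given, so `id="firstIdentifierBase"`, `id="prefix"` and `id="suffix"` were already being emitted and the `getElementById` lookups in the script would have worked without this change. Harmless to keep for explicitness, but the same applies to the baseCharacterSet input in the previous hunk.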
8 changes: 4 additions & 4 deletions omod/src/main/webapp/viewIdentifierSource.jsp
@@ -52,19 +52,19 @@
<table id="sourceTable">
<tr>
<th><spring:message code="idgen.baseCharacterSet"/>:</th>
<td>${source.baseCharacterSet}</td>
<td><c:out value='${source.baseCharacterSet}'/></td>
</tr>
<tr>
<th><spring:message code="idgen.firstIdentifierBase"/>:</th>
<td>${source.firstIdentifierBase}</td>
<td><c:out value='${source.firstIdentifierBase}'/></td>
</tr>
<tr>
<th><spring:message code="idgen.prefix"/>:</th>
<td>${source.prefix}</td>
<td><c:out value='${source.prefix}'/></td>
</tr>
<tr>
<th><spring:message code="idgen.suffix"/>:</th>
<td>${source.suffix}</td>
<td>$<c:out value='{source.suffix}'/></td>
</tr>
<tr>
<th><spring:message code="idgen.minLength"/>:</th>
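Review bot: the suffix row is broken: `<td>$<c:out value='{source.suffix}'/></td>` leaves the `$` outside the attribute, so `value` is the literal text `{source.suffix}` rather than an EL expression and the page will render the string `${source.suffix}` instead of the stored suffix. It should read `<td><c:out value='${source.suffix}'/></td>`, matching the three rows above. Those three are the right fix for this file: `<c:out>` escapes HTML by default (`escapeXml="true"`), so a stored value containing markup is rendered as text instead of being interpreted by the browser, and this server-side encoding is what resolves the XSS independently of the client-side sanitizing added to the edit page.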