ADDR-136: Escape Characters to avoid Stored XSS Attack (#44)

* resolve 3.1.1.1 by Sanitizing before submit to resolve * remove already existing file * rename method
openmrs · Oct 15, 2024 · d5707f2 · d5707f2
1 parent b46e96c
commit d5707f2
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/omod/src/main/webapp/admin/editAddressHierarchyLevel.jsp b/omod/src/main/webapp/admin/editAddressHierarchyLevel.jsp
@@ -28,8 +28,14 @@
 			else {
 				$j('#required').attr('value', "false");
 			} 
-		});		
+		});
 	});
+
+function sanitizeAndSubmit() {
+	const nameField = document.getElementById('fieldTypeName');
+	nameField.value=html_sanitize(nameField.value);
+	return true; 
+}
 -->
 </script>
 <!-- END JQUERY -->
@@ -52,15 +58,15 @@
 <div><b class="boxHeader"><spring:message code="addresshierarchy.admin.editLevel" /></b>
 
 
-<form id="editAddressHierarchyLevel" action="updateAddressHierarchyLevel.form" method="post">
+<form id="editAddressHierarchyLevel" action="updateAddressHierarchyLevel.form" method="post" onSubmit="return sanitizeAndSubmit()">
 <input type="hidden" name="levelId" value="<c:out value='${level.id}'/>"/>
 
 <table cellspacing="0" cellpadding="0" class="box">
 
 <tr>
 	<td class="tableCell" style="font-weight:bold"><nobr><spring:message code="general.name" />:</nobr></td>
 	<td class="tableCell">
-		<input type="text" name="name" value="<c:out value='${level.name}'/>"/>
+		<input type="text" id="fieldTypeName" name="name" value="<c:out value='${level.name}'/>"/>
 	</td>
 	<td class="tableCell" width="60%">&nbsp;</td>
 </tr>