Fix for 3.1.1.3 (#191)

omod/src/main/java/org/openmrs/web/dwr/DWRPatientService.java

@@ -118,11 +118,7 @@ public Collection<Object> findBatchOfPatients(String searchValue, boolean includ
 
 		patientList = new Vector<Object>(patients.size());
 		for (Patient p : patients) {
-			PatientListItem PatientLI = new PatientListItem(p, searchValue);
-			PatientListItem htmlSafePatientLI = PatientLI;
-			htmlSafePatientLI.setGivenName(WebUtil.escapeHTML(PatientLI.getGivenName()));
-			htmlSafePatientLI.setFamilyName(WebUtil.escapeHTML(PatientLI.getFamilyName()));
-			patientList.add(htmlSafePatientLI);
+			patientList.add(new PatientListItem(p, searchValue));
 		}
 		//no results found and a number was in the search --
 		//should check whether the check digit is correct.

omod/src/main/java/org/openmrs/web/dwr/PatientListItem.java

@@ -13,6 +13,7 @@
 import org.apache.commons.logging.LogFactory;
 import org.openmrs.Patient;
 import org.openmrs.PatientIdentifier;
+import org.openmrs.web.WebUtil;
 
 import java.util.Set;
 
@@ -44,14 +45,14 @@ public PatientListItem(Patient patient, String searchName) {
 
 			PatientIdentifier patientIdentifier = patient.getPatientIdentifier();
 			if (patientIdentifier != null) {
-				identifier = patientIdentifier.getIdentifier();
+				identifier = WebUtil.escapeHTML(patientIdentifier.getIdentifier());
 				// get patient's identifiers
 				for (PatientIdentifier pi : patient.getIdentifiers()) {
 					if (!pi.getIdentifier().equals(identifier)) {
 						if (!"".equals(otherIdentifiers)) {
 							otherIdentifiers += ",";
 						}
-						otherIdentifiers += " " + pi.getIdentifier();
+						otherIdentifiers += " " + WebUtil.escapeHTML(pi.getIdentifier());
 					}
 				}
 			}

omod/src/main/java/org/openmrs/web/dwr/PersonListItem.java

@@ -118,15 +118,16 @@ public PersonListItem(Person person) {
 			boolean first = true;
 			for (PersonName pn : person.getNames()) {
 				if (first) {
-					familyName = pn.getFamilyName();
-					middleName = pn.getMiddleName();
-					givenName = pn.getGivenName();
+					familyName = WebUtil.escapeHTML(pn.getFamilyName());
+					middleName = WebUtil.escapeHTML(pn.getMiddleName());
+					givenName = WebUtil.escapeHTML(pn.getGivenName());
 					first = false;
 				} else {
 					if (!StringUtils.isBlank(otherNames)) {
 						otherNames += ",";
 					}
-					otherNames += " " + pn.getGivenName() + " " + pn.getMiddleName() + " " + pn.getFamilyName();
+					otherNames += " "
+					        + WebUtil.escapeHTML(pn.getGivenName() + " " + pn.getMiddleName() + " " + pn.getFamilyName());
 				}
 			}
 
@@ -144,7 +145,7 @@ public PersonListItem(Person person) {
 
 			// add in the person attributes
 			for (PersonAttribute attribute : person.getActiveAttributes()) {
-				attributes.put(attribute.getAttributeType().getName(), attribute.toString());
+				attributes.put(attribute.getAttributeType().getName(), WebUtil.escapeHTML(attribute.toString()));
 			}
 
 		}
@@ -173,16 +174,16 @@ public PersonListItem(Person person, String searchName) {
 			for (PersonName personName : person.getNames()) {
 				fullName = personName.getFullName();
 				if (!foundABestMatch && containsAll(fullName, searchNames)) {
-					familyName = personName.getFamilyName();
-					givenName = personName.getGivenName();
-					middleName = personName.getMiddleName();
+					familyName = WebUtil.escapeHTML(personName.getFamilyName());
+					givenName = WebUtil.escapeHTML(personName.getGivenName());
+					middleName = WebUtil.escapeHTML(personName.getMiddleName());
 					foundABestMatch = true;
 					continue; // process the next name
 				}
 				if (!StringUtils.isBlank(otherNames)) {
 					otherNames += ",";
 				}
-				otherNames += " " + fullName;
+				otherNames += " " + WebUtil.escapeHTML(fullName);
 			}
 		}
 	}