Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

resolve 3.1.1 #202

Merged
merged 3 commits into from
Oct 1, 2024
Merged

resolve 3.1.1 #202

Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
66eb999
resolve 3.1.1
slubwama Oct 1, 2024
a12db13
Keep only sanitization functionality
slubwama Oct 1, 2024
80656c4
use already established methods
slubwama Oct 1, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions omod/src/main/java/org/openmrs/web/servlet/QuickReportServlet.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t
session.setAttribute(WebConstants.OPENMRS_ERROR_ATTR, "error.null");
return;
}

if (!Context.hasPrivilege(PrivilegeConstants.GET_PATIENTS)) {
session.setAttribute(WebConstants.OPENMRS_ERROR_ATTR, "Privilege required: " + PrivilegeConstants.GET_PATIENTS);
session.setAttribute(WebConstants.OPENMRS_LOGIN_REDIRECT_HTTPSESSION_ATTR, request.getRequestURI() + "?"
Expand All @@ -70,6 +71,8 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t
return;
}

reportType = sanitizeInput(reportType);

try {
Velocity.init();
}
Expand Down Expand Up @@ -359,4 +362,11 @@ private String getTemplate(String reportType) {

return template;
}

private String sanitizeInput(String input) {
if (input == null) {
return null;
}
return input.replaceAll("[<>\"'%;()&+]", "");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do not like the manual sanitisation. Can't we use something like WebUtil.escapeHTML() or

openmrs-module-legacyui/omod/src/main/webapp/resources/scripts/openmrs.js

Line 690 in 5e3108a

function sanitizeHtml(str) {

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dkayiwa resolved comment

}
}
Loading