REPORT-492: Multiple stored XSS via Dimension Name and Descriptions (#…

…180)
openmrs · Dec 3, 2021 · 2f2492f · 2f2492f
1 parent a47a714
commit 2f2492f
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 8 deletions.
diff --git a/...a/org/openmrs/module/reporting/web/controller/portlet/ParameterPortletFormController.java b/...a/org/openmrs/module/reporting/web/controller/portlet/ParameterPortletFormController.java
@@ -24,6 +24,7 @@
 import org.openmrs.module.reporting.evaluation.parameter.Parameterizable;
 import org.openmrs.module.reporting.evaluation.parameter.ParameterizableUtil;
 import org.openmrs.web.WebConstants;
+import org.openmrs.web.WebUtil;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.ModelMap;
 import org.springframework.util.StringUtils;
@@ -55,6 +56,11 @@ public String saveParameter(ModelMap model, HttpServletRequest request,
             @RequestParam(required=false, value="widgetConfiguration") String widgetConfiguration,
             @RequestParam(required=false, value="shortcut") String shortcut
             	) {
+
+    	currentName = WebUtil.escapeHTML(currentName);
+    	newName = WebUtil.escapeHTML(newName);
+    	label = WebUtil.escapeHTML(label);
+    	widgetConfiguration = WebUtil.escapeHTML(widgetConfiguration);
 
     	if (shortcut != null) {
     		if (shortcut.equals("date")) {

diff --git a/...openmrs/module/reporting/web/controller/portlet/ParameterizablePortletFormController.java b/...openmrs/module/reporting/web/controller/portlet/ParameterizablePortletFormController.java
@@ -18,6 +18,7 @@
 import org.openmrs.module.reporting.evaluation.parameter.Parameterizable;
 import org.openmrs.module.reporting.evaluation.parameter.ParameterizableUtil;
 import org.openmrs.web.WebConstants;
+import org.openmrs.web.WebUtil;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.ModelMap;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -62,8 +63,8 @@ public String saveBaseParameterizable(ModelMap model, HttpServletRequest request
     			throw new IllegalArgumentException("Cannot instantiate a new " + type, e);
     		}
     	}
-    	p.setName(name);
-    	p.setDescription(description);
+    	p.setName(WebUtil.escapeHTML(name));
+    	p.setDescription(WebUtil.escapeHTML(description));
     	p = ParameterizableUtil.saveParameterizable(p);
 
     	if (StringUtils.isNotEmpty(successUrl)) {

diff --git a/omod/src/main/webapp/indicators/manageDimensions.jsp b/omod/src/main/webapp/indicators/manageDimensions.jsp
@@ -59,11 +59,13 @@
 					<tr>
 						<td width="20%" nowrap="">
 							<a href="${editUrl}">
-								${dimension.name}
+								<c:out value="${dimension.name}" />
 							</a>
 						</td>
 						<td width="20%">
-							<span class="small">${dimension.description}</span>
+							<span class="small">
+								<c:out value="${dimension.description}" />
+							</span>
 						</td>
 						<td width="10%">
 							<c:forEach var="opt" items="${dimension.optionKeys}" varStatus="optStatus">

diff --git a/omod/src/main/webapp/portlets/parameter.jsp b/omod/src/main/webapp/portlets/parameter.jsp
@@ -135,15 +135,19 @@
 						</tr>
 						<c:forEach items="${model.obj.parameters}" var="p" varStatus="paramStatus">
 							<tr>
-								<td nowrap>${p.name}</td>
-								<td width="100%">${p.label}</td>
+								<td nowrap>
+									<c:out value="${p.name}" />
+								</td>
+								<td width="100%">
+									<c:out value="${p.label}" />
+								</td>
 								<td nowrap>
 									<c:choose>
 										<c:when test="${p.collectionType != null}">
-											${p.collectionType.simpleName}&lt;${p.type.simpleName}&gt;
+											<c:out value="${p.collectionType.simpleName}" /> < <c:out value="${p.type.simpleName}" /> >;
 										</c:when>
 										<c:otherwise>
-											${p.type.simpleName}
+										<c:out value="${p.type.simpleName}" />
 										</c:otherwise>
 									</c:choose>
 								</td>