Headline
CVE-2022-4727: RA1865 - Fixing reflected XSS in the notes section by varsha5595 · Pull Request #39 · openmrs/openmrs-module-appointmentscheduling
A vulnerability classified as problematic was found in the OpenMRS Appointment Scheduling Module up to 1.16.x. It affects the function getNotes in the file api/src/main/java/org/openmrs/module/appointmentscheduling/AppointmentRequest.java (component: Notes Handler). Manipulation of the argument notes leads to cross-site scripting, and the attack can be initiated remotely. Upgrading to version 1.17.0 addresses this issue; the fixing patch is 2ccbe39c020809765de41eeb8ee4c70b5ec49cc8, and upgrading the affected component is recommended. The identifier VDB-216741 was assigned to this vulnerability.
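The defect class in the advisory and the control the pull request describes, as an added example that is not code from the module or from this pull request: iframe tags are dropped on input, and the note is HTML-encoded on output so that any markup left over is displayed as text rather than parsed. The class NotesSanitizer, its methods and the sample note are assumptions; only the getNotes/AppointmentRequest names are taken from the advisory.

```java
import java.util.regex.Pattern;

/** Added example (not the module's or this PR's code): sanitize appointment notes. */
public final class NotesSanitizer {

    // Assumed input-side control matching the PR's stated goal: drop iframe tags
    // (opening and closing, any case, any attributes) before the note is stored.
    private static final Pattern IFRAME_TAG =
            Pattern.compile("<\\s*/?\\s*iframe\\b[^>]*>", Pattern.CASE_INSENSITIVE);

    public static String stripIframes(String notes) {
        return notes == null ? null : IFRAME_TAG.matcher(notes).replaceAll("");
    }

    // Output-side control: encode the five HTML metacharacters so whatever the
    // note contains is shown as text, never interpreted as markup. Tag stripping
    // on its own is easy to get wrong, so the rendering layer always does this step.
    public static String escapeHtml(String notes) {
        if (notes == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(notes.length());
        for (int i = 0; i < notes.length(); i++) {
            char c = notes.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample of a note carrying the markup the PR blocks; in the module
        // this is the kind of value the advisory says reaches AppointmentRequest.getNotes().
        String submitted = "Prefers mornings <IFRAME src=\"https://example.invalid\"></iframe>";
        String stored = stripIframes(submitted);
        System.out.println("stored:   " + stored);
        System.out.println("rendered: " + escapeHtml(stored));
        // Markup that was never filtered on input is still inert once encoded on output.
        System.out.println("rendered: " + escapeHtml("<b>bold</b> & more"));
    }
}
```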
Description of what I changed
@isears
Added input sanitization for the Notes section in the Appointment Scheduling Form.
Issue I worked on
This fix ensures iframes are not inserted in the Notes section while scheduling appointments. The bug can be reproduced by following the steps mentioned here.
Link to ticket
https://issues.openmrs.org/browse/RA-1865
Checklist: I completed these to help reviewers :)
[x] My IDE is configured to follow the code style of this project.
No? Unsure? -> configure your IDE, format the code and add the changes with git add . && git commit --amend
[x] I have added tests to cover my changes. (If you refactored existing code that was well tested you do not have to add tests)
No? -> write tests and add them to this commit with git add . && git commit --amend
[x] I ran mvn clean package right before creating this pull request and added all formatting changes to my commit.
No? -> execute the above command
[x] All new and existing tests passed.
No? -> figure out why and add the fix to your commit. It is your responsibility to make sure your code works.
[x] My pull request is based on the latest changes of the master branch.
No? Unsure? -> execute the command git pull --rebase upstream master