Merge pull request #42 from rkorytkowski/escapehtml

Escaping html on all admin pages
openmrs · Jul 18, 2024 · 51130d2 · 51130d2
2 parents 8299adb + a3773d8
commit 51130d2
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 13 deletions.
diff --git a/omod/src/main/webapp/admin/editAddressHierarchyLevel.jsp b/omod/src/main/webapp/admin/editAddressHierarchyLevel.jsp
@@ -53,14 +53,14 @@
 
 
 <form id="editAddressHierarchyLevel" action="updateAddressHierarchyLevel.form" method="post">
-<input type="hidden" name="levelId" value="${level.id}"/>
+<input type="hidden" name="levelId" value="<c:out value='${level.id}'/>"/>
 
 <table cellspacing="0" cellpadding="0" class="box">
 
 <tr>
  <td class="tableCell" style="font-weight:bold"><nobr><spring:message code="general.name" />:</nobr></td>
  <td class="tableCell">
- <input type="text" name="name" value="${level.name}"/>
+ <input type="text" name="name" value="<c:out value='${level.name}'/>"/>
  </td>
  <td class="tableCell" width="60%">&nbsp;</td>
 </tr>
@@ -72,8 +72,8 @@
  <option value=""></option>
  <c:forEach var="field" items="${addressFields}">
  <c:if test="${nameMappings[field.name] != null}">
- <option value="${field.name}" <c:if test="${level.addressField == field}">selected</c:if> >
- <spring:message code="${nameMappings[field.name]}"/> (${field.name})
+ <option value="<c:out value="${field.name}"/> <c:if test="${level.addressField == field}">selected</c:if> >
+ <spring:message code="${nameMappings[field.name]}"/> (<c:out value="${field.name}"/>)
  </option>
  </c:if>
  </c:forEach>
@@ -86,7 +86,7 @@
 <tr>
  <td class="tableCell" style="font-weight:bold"><nobr><spring:message code="addresshierarchy.admin.required" />:</nobr></td>
  <td class="tableCell">
- <input type="hidden" id="required" name="required" value="${level.required}"/>
+ <input type="hidden" id="required" name="required" value="<c:out value='${level.required}'/>"/>
  <input type="checkbox" id="requiredCheckbox" name="requiredCheckbox" value="true" <c:if test="${level.required == true}">checked</c:if> />
  </td>
 </tr>

diff --git a/omod/src/main/webapp/admin/manageAddressHierarchy.jsp b/omod/src/main/webapp/admin/manageAddressHierarchy.jsp
@@ -40,12 +40,12 @@
  <c:forEach items="${levels}" var="level" varStatus="i">
  <tr>
  <td class="tableCell">${i.count}</td>
- <td class="tableCell">${level.name}</td>
- <td class="tableCell">${sampleEntries[i.count-1][0]} (${sampleEntries[i.count-1][1]} <spring:message code="addresshierarchy.admin.totalEntries"/>)</td>
+ <td class="tableCell"><c:out value='${level.name}'/></td>
+ <td class="tableCell"><c:out value='${sampleEntries[i.count-1][0]}'/> (<c:out value='${sampleEntries[i.count-1][1]}'/> <spring:message code="addresshierarchy.admin.totalEntries"/>)</td>
  <td class="tableCell">
  <c:choose>
  <c:when test="${! empty level.addressField}">
- <spring:message code="${nameMappings[level.addressField.name]}"/> (${level.addressField.name})
+ <spring:message code="${nameMappings[level.addressField.name]}"/> (<c:out value="${level.addressField.name}"/>)
  </c:when>
  <c:otherwise>
  (<spring:message code="general.none"/>)
@@ -61,13 +61,13 @@
  </c:if>
  </td>
  <td class="tableCell">
- <a href="${pageContext.request.contextPath}/module/addresshierarchy/admin/editAddressHierarchyLevel.form?levelId=${level.id}">
+ <a href="${pageContext.request.contextPath}/module/addresshierarchy/admin/editAddressHierarchyLevel.form?levelId=<c:out value='${level.id}'/>">
  <spring:message code="general.edit" />
  </a>
  <!-- only show delete option for last element, and only if it doesn't have any sample entries -->
  <c:if test="${i.count == fn:length(levels) && sampleEntries[i.count-1][1] == 0}">
  &nbsp;|&nbsp;
- <a href="${pageContext.request.contextPath}/module/addresshierarchy/admin/deleteAddressHierarchyLevel.form?levelId=${level.id}"
+ <a href="${pageContext.request.contextPath}/module/addresshierarchy/admin/deleteAddressHierarchyLevel.form?levelId=<c:out value='${level.id}'/>"
  onclick="return confirm('<spring:message code="addresshierarchy.admin.confirmDeleteLevel"/>');">
  <spring:message code="general.delete" />
  </a>
@@ -78,7 +78,7 @@
  </c:forEach>
  <tr>
  <td class="tableCell" colspan="4">
- <a href="${pageContext.request.contextPath}/module/addresshierarchy/admin/editAddressHierarchyLevel.form">
+  <a href="${pageContext.request.contextPath}/module/addresshierarchy/admin/editAddressHierarchyLevel.form">
  <spring:message code="addresshierarchy.admin.addLevel" />
  </a>
  </td>
@@ -103,13 +103,13 @@
 
 <tr>
  <td class="tableCell" style="font-weight:bold"><nobr><spring:message code="addresshierarchy.admin.delimiter" />:</nobr></td>
- <td class="tableCell"><input type="text" name="delimiter" size="1" value="${delimiter}" /> <spring:message code="addresshierarchy.admin.delimiter.warning" /></td>
+ <td class="tableCell"><input type="text" name="delimiter" size="1" value="<c:out value='${delimiter}'/>" /> <spring:message code="addresshierarchy.admin.delimiter.warning" /></td>
  <td class="tableCell">&nbsp;</td>
 </tr>
 
 <tr>
  <td class="tableCell" style="font-weight:bold"><nobr><spring:message code="addresshierarchy.admin.userGeneratedIdDelimiter" />:</nobr></td>
- <td class="tableCell"><input type="text" name="userGeneratedIdDelimiter" size="1" value="${userGeneratedIdDelimiter}" /> <spring:message code="addresshierarchy.admin.userGeneratedIdDelimiter.warning" /></td>
+ <td class="tableCell"><input type="text" name="userGeneratedIdDelimiter" size="1" value="<c:out value='${userGeneratedIdDelimiter}'/>" /> <spring:message code="addresshierarchy.admin.userGeneratedIdDelimiter.warning" /></td>
  <td class="tableCell">&nbsp;</td>
 </tr>