Do not mess up urls

openmrs · Nov 19, 2024 · dc71fea · dc71fea
1 parent 1819a49
commit dc71fea
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 5 deletions.
diff --git a/omod/src/main/java/org/openmrs/web/xss/XSSMultipartRequestWrapper.java b/omod/src/main/java/org/openmrs/web/xss/XSSMultipartRequestWrapper.java
@@ -12,7 +12,6 @@
 import java.util.Enumeration;
 import java.util.List;
 
-import org.owasp.encoder.Encode;
 import org.springframework.util.MultiValueMap;
 import org.springframework.web.multipart.MultipartFile;
 import org.springframework.web.multipart.support.DefaultMultipartHttpServletRequest;
@@ -31,7 +30,7 @@ public String getParameter(String name) {
 			return null;
 		}
 
-		return Encode.forHtmlContent(value);
+		return XSSUtil.sanitize(this, name, value);
 	}
 
 	@Override
@@ -45,7 +44,7 @@ public String[] getParameterValues(String name) {
 		int count = values.length;
 		String[] encodedValues = new String[count];
 		for (int i = 0; i < count; i++) {
-			encodedValues[i] = Encode.forHtmlContent(values[i]);
+			encodedValues[i] = XSSUtil.sanitize(this, name, values[i]);
 		}
 
 		return encodedValues;

diff --git a/omod/src/main/java/org/openmrs/web/xss/XSSRequestWrapper.java b/omod/src/main/java/org/openmrs/web/xss/XSSRequestWrapper.java
@@ -37,7 +37,7 @@ public String[] getParameterValues(String parameter) {
 		int count = values.length;
 		String[] encodedValues = new String[count];
 		for (int i = 0; i < count; i++) {
-			encodedValues[i] = Encode.forHtml(values[i]);
+			encodedValues[i] = XSSUtil.sanitize(this, parameter, values[i]);
 		}
 
 		return encodedValues;
@@ -51,7 +51,7 @@ public String getParameter(String name) {
 			return null;
 		}
 
-		return Encode.forHtml(value);
+		return XSSUtil.sanitize(this, name, value);
 	}
 
 	@Override

diff --git a/omod/src/main/java/org/openmrs/web/xss/XSSUtil.java b/omod/src/main/java/org/openmrs/web/xss/XSSUtil.java
@@ -0,0 +1,28 @@
+/**
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at http://mozilla.org/MPL/2.0/. OpenMRS is also distributed under
+ * the terms of the Healthcare Disclaimer located at http://openmrs.org/license.
+ *
+ * Copyright (C) OpenMRS Inc. OpenMRS is a registered trademark and the OpenMRS
+ * graphic logo is a trademark of OpenMRS Inc.
+ */
+package org.openmrs.web.xss;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.commons.lang3.StringUtils;
+import org.owasp.encoder.Encode;
+
+public class XSSUtil {
+
+	public static String sanitize(HttpServletRequest request, String name, String value) {
+		String queryString = request.getQueryString();
+		if (StringUtils.isNotBlank(queryString)
+		        && (queryString.contains("&" + name + "=") || queryString.contains("?" + name + "="))) {
+			return Encode.forUri(value);
+		}
+
+		return Encode.forHtml(value);
+	}
+}