GSoC with OpenMRS — Week 8 Update
For week 8, I worked with another GSoC member to patch an XSS vulnerability.
To recreate this vulnerability, I took these steps:
1. Create a privilege named <script>alert(1);</script>.
2. Delete that privilege.
3. Observe the alert box showing “1”.
Working with Parth, another Google Summer of Code student on my team, we found that the fix was to change a variable named htmlEscape from false to true, so that the privilege name is HTML-escaped before it is rendered. Once we did this, the attack no longer worked, so we submitted a PR that was successfully merged. Here is a link to the PR.
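To show why flipping an htmlEscape flag is enough to stop this class of stored XSS, here is a small added example (not OpenMRS code and not the merged PR). It assumes a hypothetical template that interpolates the privilege name into a "privilege deleted" confirmation message, with a boolean htmlEscape flag deciding whether the name is escaped first; escapeHtml, renderDeletedMessage and containsInjectedTag are all names chosen for this illustration.

```javascript
// Added example (not OpenMRS code): why changing an htmlEscape flag from
// false to true stops a stored XSS in a "privilege deleted" message.
// Assumptions: a template interpolates the privilege name into a fixed
// <div> wrapper, and a boolean flag decides whether the name is escaped.
// All function and variable names here are hypothetical.

// Minimal HTML escaper covering the characters that matter in text
// content and in quoted attribute values.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Renders the confirmation message shown after a privilege is deleted.
// htmlEscape=false interpolates the stored name raw (the vulnerable
// behaviour described in the post); htmlEscape=true escapes it (the fix).
function renderDeletedMessage(privilegeName, htmlEscape) {
  const shown = htmlEscape ? escapeHtml(privilegeName) : privilegeName;
  return `<div class="info">Privilege "${shown}" was deleted.</div>`;
}

// Defender-side check on the rendered fragment: the template itself
// contributes exactly two tags (<div ...> and </div>). Any other tag in
// the output must have come from the interpolated privilege name.
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.length !== 2;
}

// Constructed input: the privilege name used in the post's reproduction.
const PAYLOAD_NAME = '<script>alert(1);</script>';

// Stand-alone demonstration of both settings.
const vulnerable = renderDeletedMessage(PAYLOAD_NAME, false);
const hardened = renderDeletedMessage(PAYLOAD_NAME, true);
console.log('htmlEscape=false ->', vulnerable, '| injected tag:', containsInjectedTag(vulnerable));
console.log('htmlEscape=true  ->', hardened, '| injected tag:', containsInjectedTag(hardened));
```

With htmlEscape=false the stored name becomes live markup inside the page, which is exactly the alert box seen in step 3; with htmlEscape=true the same name is rendered as the literal text `&lt;script&gt;alert(1);&lt;/script&gt;` and the tag-count check reports nothing beyond the template's own wrapper. The general lesson is that the escaping decision belongs at the output (rendering) side, regardless of what validation happened when the privilege was created.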
The Next XSS Vulnerability:
Next week I will be discovering other types of errors to fix.