Fixed XSS vulnerability in roles field of user list (#139)

openmrs · Mar 10, 2021 · 3e43f27 · 3e43f27
1 parent 2042e09
commit 3e43f27
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/omod/src/main/webapp/admin/users/users.jsp b/omod/src/main/webapp/admin/users/users.jsp
@@ -90,7 +90,7 @@
 			<td><c:out value="${user.familyName}"/></td>
 			<td>
 				<c:if test="${fn:length(userRolesMap[user]) > 3}">
-				<span title="${userRolesMap[user]}">
+				<span title="<c:out value='${userRolesMap[user]}'/>">
 				</c:if>
 				<c:forEach var="r" items="${userRolesMap[user]}" varStatus="varStatus" end="2">
 					<c:choose>
@@ -102,14 +102,14 @@
 								<c:when test="${r != role && role != null}">
 									<span class='bold_text'>
 										<c:forEach var="inheritedRole" items="${userInheritanceLineMap[user]}" varStatus="inheritanceStatus">
-										${inheritedRole} <c:if test="${inheritanceStatus.index ne fn:length(userInheritanceLineMap[user]) - 1}"> -> </c:if>
+										<c:out value='${inheritedRole}'/> <c:if test="${inheritanceStatus.index ne fn:length(userInheritanceLineMap[user]) - 1}"> -> </c:if>
 										</c:forEach>
 									</span>
 								</c:when>
-								<c:otherwise>${r}</c:otherwise>
+								<c:otherwise><c:out value='${r}'/></c:otherwise>
 							</c:choose>
 						</c:when>
-						<c:otherwise>, ${r}</c:otherwise>
+						<c:otherwise>, <c:out value='${r}'/></c:otherwise>
 					</c:choose>
 				</c:forEach>
 				<c:if test="${fn:length(userRolesMap[user]) > 3}">