security: Fix XSS vulnerability in SearchDemographicAutoComplete2Action #250

@yingbull

Description

Summary

The SearchDemographicAutoComplete2Action endpoint uses incorrect escaping for HTML context, creating an XSS vulnerability when results are rendered client-side.

Vulnerability Details

File: src/main/java/io/github/carlos_emr/carlos/commn/web/SearchDemographicAutoComplete2Action.java

Issue 1: Wrong escaping method (Line 126)

// Current - escapes for Java strings, NOT HTML
h.put("formattedName", StringEscapeUtils.escapeJava(demo.getFormattedName().replaceAll("\"", "\\\\\"")));

escapeJava() only escapes: \, ", ', newlines, tabs

It does NOT escape: <, >, &

Attack vector: Patient name <img src=x onerror=alert(document.cookie)> passes through unchanged.

Issue 2: No escaping on provider names (Lines 136-137, 151, 156, 161)

// No escaping at all
h.put("providerName", p.getSurname() + ", " + p.getFirstName());

Issue 3: Manual JSON building (Lines 184-202)

The formatJSON() method builds JSON via string concatenation instead of using Jackson ObjectMapper, which could allow JSON injection.

Fix

Replace StringEscapeUtils.escapeJava() with OWASP Encode.forHtml() (already in project dependencies):

import org.owasp.encoder.Encode;

// Line 126
h.put("formattedName", Encode.forHtml(demo.getFormattedName()));

// Line 128 - status could also contain user input
h.put("status", Encode.forHtml(demo.getPatientStatus()));

// Lines 136-137
if (p.getSurname() != null && p.getFirstName() != null) {
    h.put("providerName", Encode.forHtml(p.getSurname() + ", " + p.getFirstName()));
}

// Lines 151, 156, 161 - same pattern for cust*Name fields
h.put("cust1Name", Encode.forHtml(p.getSurname() + ", " + p.getFirstName()));

Also consider refactoring formatJSON() to use Jackson ObjectMapper for proper JSON encoding.
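The following is an added example, not code from this issue or from the project: a self-contained Java class that shows why escapeJava() leaves the attack string above intact while Encode.forHtml() neutralises it, and a formatJSON-style serializer built on Jackson ObjectMapper as suggested for Issue 3. The class name, the row layout (a list of maps keyed by formattedName, status and providerName), and the commons-text import for StringEscapeUtils are assumptions; the project's real signatures may differ.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.apache.commons.text.StringEscapeUtils; // assumed: commons-text, project may use commons-lang3
import org.owasp.encoder.Encode;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;

/**
 * Added demonstration (hypothetical class, not project code).
 * Compares Java-string escaping with HTML-context encoding and
 * serializes autocomplete rows with Jackson instead of string concatenation.
 */
public class AutoCompleteEncodingDemo {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    // Mirrors the current line 126: escapes for a Java string literal only.
    static String javaEscaped(String name) {
        return StringEscapeUtils.escapeJava(name.replaceAll("\"", "\\\\\""));
    }

    // Proposed replacement: encoding for an HTML element context.
    static String htmlEncoded(String name) {
        return Encode.forHtml(name);
    }

    // Detection check: does the value still carry raw HTML metacharacters?
    static boolean containsHtmlMetachars(String s) {
        return s.indexOf('<') >= 0 || s.indexOf('>') >= 0 || s.indexOf('&') >= 0;
    }

    // One autocomplete row with every field HTML-encoded; null provider
    // fields are tolerated, matching the null check in the proposed fix.
    static Map<String, String> buildRow(String formattedName, String status,
                                        String providerSurname, String providerFirstName) {
        Map<String, String> h = new LinkedHashMap<>();
        h.put("formattedName", Encode.forHtml(formattedName));
        h.put("status", Encode.forHtml(status));
        if (providerSurname != null && providerFirstName != null) {
            h.put("providerName", Encode.forHtml(providerSurname + ", " + providerFirstName));
        }
        return h;
    }

    // Replacement for manual JSON concatenation: Jackson quotes and escapes
    // every value, so embedded quotes or backslashes cannot break the structure.
    static String toJson(List<Map<String, String>> rows) throws JsonProcessingException {
        return MAPPER.writeValueAsString(rows);
    }

    public static void main(String[] args) throws JsonProcessingException {
        // Constructed sample: the attack vector quoted in the issue.
        String hostile = "<img src=x onerror=alert(document.cookie)>";

        System.out.println("escapeJava : " + javaEscaped(hostile));
        System.out.println("forHtml    : " + htmlEncoded(hostile));
        System.out.println("escapeJava leaves metachars: " + containsHtmlMetachars(javaEscaped(hostile)));
        System.out.println("forHtml leaves metachars   : " + containsHtmlMetachars(htmlEncoded(hostile)));

        // Constructed rows using the name from the issue's test plan.
        List<Map<String, String>> rows = new ArrayList<>();
        rows.add(buildRow("Test<script>alert('XSS')</script>User", "AC", "O'Brien", "Pat \"PJ\""));
        rows.add(buildRow("Plain, Name", "IN", null, null));
        System.out.println(toJson(rows));
    }
}
```

Run with owasp-encoder, commons-text and jackson-databind on the classpath; the two boolean lines make the contrast visible (escapeJava leaves the angle brackets in place, forHtml does not), and the Jackson output shows the quotes inside the provider name arriving as valid JSON without any hand-written escaping.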

Impact

  • Severity: Medium-High
  • Attack requires: Ability to set patient/provider names (admin or data import)
  • Affected: Any page using this autocomplete endpoint with innerHTML rendering

Testing

  1. Create test patient with name: Test<script>alert('XSS')</script>User
  2. Use any autocomplete field that calls this endpoint
  3. Verify the script does NOT execute after fix


Generated with Claude Code

Labels: help wanted, up-for-grabs