Escape HTML in Process of creating patient to avoid XSS #208
slubwama wants to merge 1 commit into openmrs:master from
Conversation
@slubwama were you able to reproduce the problem that was reported, of doing this without going through the UI?

@dkayiwa Given time, yes. I got the tool; I am still trying to learn how to use it to replicate the error. But from the look of things, based on the comments, it's caused as a result of not escaping the attribute items in the patient object.

@slubwama this time round, I do not feel comfortable merging pull requests if we cannot first of all reproduce the problem and then afterwards confirm that, with the changes in the pull request, the same exact steps can no longer reproduce the reported problem. Do I make sense?
Thank you for addressing the XSS concern by escaping user inputs using WebUtil.escapeHTML. I noticed that the escaping is applied at the time of setting values (e.g., names, addresses, identifiers). Would it be preferable to handle HTML escaping at the view/rendering layer instead of during persistence, to avoid storing escaped values in the database? Just wanted to understand the intended approach here. |
No description provided.
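The last review comment asks whether escaping belongs at the time a value is set (what the PR does with WebUtil.escapeHTML) or at the view layer. The following is an added, stand-alone Python illustration of that trade-off; it is not the PR's Java code or any OpenMRS code. WebUtil.escapeHTML is modelled by Python's html.escape (an assumption about its behaviour), and the two sample names are constructed for the example. It runs the same two values through both strategies and through three consumers: a view that escapes, a view that forgot to, and a JSON API.

```python
import html
import json

# Constructed sample input (not taken from the PR): one attacker-controlled
# value and one legitimate name whose apostrophe HTML escaping rewrites.
GIVEN_NAME = "<img src=x onerror=alert(1)>"
FAMILY_NAME = "O'Brien"


def escape_html(value: str) -> str:
    """Stand-in for the project's WebUtil.escapeHTML (assumed to behave like
    this; the real implementation is not shown on the page). Escapes the
    characters that matter in an HTML text node or quoted attribute."""
    return html.escape(value, quote=True)


# Strategy A, as in the PR: escape when the value is set, so the escaped
# form is what gets persisted.
def store_escaped(given: str, family: str) -> dict:
    return {"givenName": escape_html(given), "familyName": escape_html(family)}


# Strategy B, as suggested in review: persist the raw value, escape at output.
def store_raw(given: str, family: str) -> dict:
    return {"givenName": given, "familyName": family}


def render_row(record: dict) -> str:
    """Well-behaved view: escapes every value exactly once at output time."""
    values = (record["givenName"], record["familyName"])
    cells = "".join(f"<td>{escape_html(v)}</td>" for v in values)
    return f"<tr>{cells}</tr>"


def render_row_unescaped(record: dict) -> str:
    """Careless view that forgets to escape; this is the class of bug the PR
    title describes. Included only to show what each strategy does about it."""
    values = (record["givenName"], record["familyName"])
    cells = "".join(f"<td>{v}</td>" for v in values)
    return f"<tr>{cells}</tr>"


def api_json(record: dict) -> str:
    """Non-HTML consumer (a REST client, a report) that expects raw data."""
    return json.dumps(record, sort_keys=True)


def contains_live_markup(fragment: str) -> bool:
    """True if the attacker's tag reached the output as real markup."""
    return "<img" in fragment


def compare_strategies() -> dict:
    """Return what each strategy yields through each consumer."""
    escaped = store_escaped(GIVEN_NAME, FAMILY_NAME)
    raw = store_raw(GIVEN_NAME, FAMILY_NAME)
    return {
        # Both are safe in a view that escapes, but A is double-escaped: the
        # browser shows the user a literal "&lt;img ..." and "O&#x27;Brien".
        "A_html": render_row(escaped),
        "B_html": render_row(raw),
        # A survives a view that forgot to escape; B does not.
        "A_html_unescaped_view": render_row_unescaped(escaped),
        "B_html_unescaped_view": render_row_unescaped(raw),
        # A leaks HTML entities into a consumer that is not HTML at all.
        "A_json": api_json(escaped),
        "B_json": api_json(raw),
    }


if __name__ == "__main__":
    for label, out in compare_strategies().items():
        print(f"{label}: {out}")
```

Run it and compare the six lines: storing escaped values (A) is the only strategy that also protects a view which forgot to escape, which is the defence the PR buys; the cost is that every other consumer of the stored data, including a correctly escaping view, sees entities instead of the patient's real name. Escaping once at the output boundary (B) keeps the data intact but relies on every HTML view doing its job.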