# HG changeset patch
# User Alain Mazy
# Date 1645454451 -3600
# Node ID c0c5b50635e727ffc397b981de0564ce7a3b10eb
# Parent e89cc1536b51226a032d9dabab081e3f87857548
fix XSS
diff -r e89cc1536b51 -r c0c5b50635e7 .hgignore
--- a/.hgignore Wed Jun 23 09:05:58 2021 +0200
+++ b/.hgignore Mon Feb 21 15:40:51 2022 +0100
@@ -4,3 +4,4 @@
 *.cpp.orig
 *.h.orig
 *~
+.vscode/
diff -r e89cc1536b51 -r c0c5b50635e7 NEWS
--- a/NEWS Wed Jun 23 09:05:58 2021 +0200
+++ b/NEWS Mon Feb 21 15:40:51 2022 +0100
@@ -1,6 +1,8 @@
 Pending changes in the mainline
 ===============================
+* Fix XSS inside DICOM in Orthanc Web Viewer (as reported by Stuart Kurutac, NCC Group).
+
 Version 2.7 (2020-12-10)
 ========================
diff -r e89cc1536b51 -r c0c5b50635e7 WebApplication/viewer.js
--- a/WebApplication/viewer.js Wed Jun 23 09:05:58 2021 +0200
+++ b/WebApplication/viewer.js Mon Feb 21 15:40:51 2022 +0100
@@ -424,10 +424,18 @@
 success: function(volume) {
 if (volume.Slices.length != 0) {
 instances = volume.Slices;
- $('#topright').html(volume.PatientID + '' +
- volume.PatientName + '' +
- volume.StudyDescription + '' +
- volume.SeriesDescription + '');
+ var topRightElement = $('');
+ topRightElement.append($('', { text: volume.PatientID}));
+ topRightElement.append($(''));
+ topRightElement.append($('', { text: volume.PatientName}));
+ topRightElement.append($(''));
+ topRightElement.append($('', { text: volume.StudyDescription}));
+ topRightElement.append($(''));
+ topRightElement.append($('', { text: volume.SeriesDescription}));
+ topRightElement.append($(''));
+
+ $('#topright').empty();
+ $('#topright').append(topRightElement);
 }
 },
 failure: function() {
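Review bot: Nothing in the new lines records why the four DICOM values now go through the `text` option instead of `.html()`, so a later edit could reintroduce the string concatenation this commit removes; a comment above `var topRightElement = $('');` such as `// PatientID, PatientName, StudyDescription and SeriesDescription come from the DICOM file and are untrusted: insert them as text, never via .html()` would pin the intent. The tag names inside the `$('')` calls appear to have been stripped when this page was extracted, so which elements are created cannot be confirmed from the hunk alone. The pair `$('#topright').empty(); $('#topright').append(topRightElement);` can be written as `$('#topright').empty().append(topRightElement);`, avoiding the second lookup of the same element. Any other place in viewer.js that passes DICOM-derived strings to `.html()` or builds markup by concatenation, if one exists outside this hunk, would need the same treatment. The request object whose `success:` callback this is starts before the hunk.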