changeset 302:c0c5b50635e7

fix XSS
author Alain Mazy <am@osimis.io>
date Mon, 21 Feb 2022 15:40:51 +0100
parents e89cc1536b51
children fb7d62e3235e
files .hgignore NEWS WebApplication/viewer.js
diffstat 3 files changed, 15 insertions(+), 4 deletions(-) [+]
--- a/.hgignore	Wed Jun 23 09:05:58 2021 +0200
+++ b/.hgignore	Mon Feb 21 15:40:51 2022 +0100
@@ -4,3 +4,4 @@
 *.cpp.orig
 *.h.orig
 *~
+.vscode/
--- a/NEWS	Wed Jun 23 09:05:58 2021 +0200
+++ b/NEWS	Mon Feb 21 15:40:51 2022 +0100
@@ -1,6 +1,8 @@
 Pending changes in the mainline
 ===============================
 
+* Fix XSS inside DICOM in Orthanc Web Viewer (as reported by Stuart Kurutac, NCC Group).  
+
 
 Version 2.7 (2020-12-10)
 ========================
--- a/WebApplication/viewer.js	Wed Jun 23 09:05:58 2021 +0200
+++ b/WebApplication/viewer.js	Mon Feb 21 15:40:51 2022 +0100
@@ -424,10 +424,18 @@
     success: function(volume) {
       if (volume.Slices.length != 0) {
         instances = volume.Slices;
-        $('#topright').html(volume.PatientID + '<br/>' +
-                            volume.PatientName + '<br/>' +
-                            volume.StudyDescription + '<br/>' +
-                            volume.SeriesDescription + '<br/>');
+        var topRightElement = $('<span>');
+        topRightElement.append($('<span>', { text: volume.PatientID}));
+        topRightElement.append($('<br/>'));
+        topRightElement.append($('<span>', { text: volume.PatientName}));
+        topRightElement.append($('<br/>'));
+        topRightElement.append($('<span>', { text: volume.StudyDescription}));
+        topRightElement.append($('<br/>'));
+        topRightElement.append($('<span>', { text: volume.SeriesDescription}));
+        topRightElement.append($('<br/>'));
+
+        $('#topright').empty();
+        $('#topright').append(topRightElement);
       }
     },
     failure: function() {
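Review bot: Nothing in the new lines 40-51 records why the four DICOM fields are now built as elements with `text` instead of going through `.html()`, so a later edit to this block could reintroduce the string concatenation that this commit removes; add a comment above `var topRightElement`, e.g. `// PatientID/PatientName/StudyDescription/SeriesDescription come from DICOM tags and are untrusted: render them as text nodes, never via .html()`. The `$('<span>', { text: ... })` form relies on jQuery mapping the `text` key of the second argument to a `.text()` call (jQuery 1.4+, and only when the first argument is a bare tag); `$('<span>').text(value)` expresses the same intent without that dependency. The four identical append pairs can then collapse into one loop over the fields, as sketched below. The `success` callback belongs to a call that begins outside the hunk, and any other place in viewer.js that still renders tag values through `.html()` (not visible here) would need the same treatment.
```javascript
      if (volume.Slices.length != 0) {
        instances = volume.Slices;
        // These values come from DICOM tags and are untrusted:
        // render them as text nodes, never through .html().
        var topRightElement = $('<span>');
        [volume.PatientID, volume.PatientName,
         volume.StudyDescription, volume.SeriesDescription].forEach(function(value) {
          topRightElement.append($('<span>').text(value));
          topRightElement.append($('<br/>'));
        });

        $('#topright').empty();
        $('#topright').append(topRightElement);
      }
```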