Mercurial > hg > orthanc-webviewer
changeset 302:c0c5b50635e7
fix XSS
| author | Alain Mazy <am@osimis.io> |
|---|---|
| date | Mon, 21 Feb 2022 15:40:51 +0100 |
| parents | e89cc1536b51 |
| children | fb7d62e3235e |
| files | .hgignore NEWS WebApplication/viewer.js |
| diffstat | 3 files changed, 15 insertions(+), 4 deletions(-) [+] |
line wrap: on
line diff
--- a/.hgignore Wed Jun 23 09:05:58 2021 +0200 +++ b/.hgignore Mon Feb 21 15:40:51 2022 +0100 @@ -4,3 +4,4 @@ *.cpp.orig *.h.orig *~ +.vscode/
--- a/NEWS Wed Jun 23 09:05:58 2021 +0200 +++ b/NEWS Mon Feb 21 15:40:51 2022 +0100 @@ -1,6 +1,8 @@ Pending changes in the mainline =============================== +* Fix XSS inside DICOM in Orthanc Web Viewer (as reported by Stuart Kurutac, NCC Group). + Version 2.7 (2020-12-10) ========================
--- a/WebApplication/viewer.js Wed Jun 23 09:05:58 2021 +0200 +++ b/WebApplication/viewer.js Mon Feb 21 15:40:51 2022 +0100 @@ -424,10 +424,18 @@ success: function(volume) { if (volume.Slices.length != 0) { instances = volume.Slices; - $('#topright').html(volume.PatientID + '<br/>' + - volume.PatientName + '<br/>' + - volume.StudyDescription + '<br/>' + - volume.SeriesDescription + '<br/>'); + var topRightElement = $('<span>'); + topRightElement.append($('<span>', { text: volume.PatientID})); + topRightElement.append($('<br/>')); + topRightElement.append($('<span>', { text: volume.PatientName})); + topRightElement.append($('<br/>')); + topRightElement.append($('<span>', { text: volume.StudyDescription})); + topRightElement.append($('<br/>')); + topRightElement.append($('<span>', { text: volume.SeriesDescription})); + topRightElement.append($('<br/>')); + + $('#topright').empty(); + $('#topright').append(topRightElement); } }, failure: function() {