Active list plugin #1855
Draft
Active list plugin #1855
+7,871
−7
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…into active_list_plugin
Reusable across screens and handling users at different levels in the pyramid
…nvironment variable
…ted or received patients
…state of the active list per month
…xcel import when exporting records to instances
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| console.log(result) | ||
|
|
||
| renderTable(result, dataUrl) // Implement this function based on your data structure | ||
| excelLink.href = excelUrl |
Check failure
Code scanning / CodeQL
DOM text reinterpreted as HTML High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 26 days ago
General Fix:
The best way to mitigate this vulnerability is to ensure that both selectedMonth and selectedMode values are validated and/or sanitized before they are interpolated into URLs such as excelUrl and subsequently set into the DOM.
Detailed Fix:
- For both
monthSelectandmodeSelect, only allow values that are present in their corresponding options (i.e., by validating against the option values that exist in the select). - Before constructing the URL and assigning it to any DOM element, explicitly validate and sanitize the input values.
- Alternatively, use a client-side escaping function to ensure that these values cannot inject unwanted characters, especially characters such as
&,?,#,/, and (critically) cannot introduce new protocol schemes or JavaScript snippets. - Update the code at the points where
selectedMonthandselectedModeare read (lines 18 and 19) and before their use in URLs (lines 30/31/32/39/67).
What is needed:
- A function that validates values against the corresponding
<select>'s options (ideally generic to both elements). - Sanitize or otherwise refuse if the value is not present in the allowed list.
- Use the validated value for building URLs.
Suggested changeset
1
plugins/active_list/static/patient_list_dynamic.js
| @@ -11,12 +11,23 @@ | ||
| async function fetchPatientData () { | ||
| hideData() // Clear previous results and hide elements | ||
|
|
||
| // Helper to safely get select value from allowed options only | ||
| function getSafeSelectValue(selectEl) { | ||
| const value = selectEl.value; | ||
| for (let i = 0; i < selectEl.options.length; ++i) { | ||
| if (selectEl.options[i].value === value) { | ||
| return value; | ||
| } | ||
| } | ||
| return ''; | ||
| } | ||
|
|
||
| // Find the ID of the most specific selected org unit | ||
| let finalOrgUnitId = null | ||
|
|
||
| // Get other filter values | ||
| const selectedMonth = monthSelect.value | ||
| const selectedMode = modeSelect.value | ||
| const selectedMonth = getSafeSelectValue(monthSelect) | ||
| const selectedMode = getSafeSelectValue(modeSelect) | ||
|
|
||
| // Only fetch data if a month and at least one org unit level (or the intended level) is selected | ||
| if (!selectedMonth || !selectedOrgUnit) { |
Copilot is powered by AI and may make mistakes. Always verify output.
|
|
||
| var excel_link = $('#excel_link') | ||
|
|
||
| excel_link.attr('href', url + '&format=xls') |
Check failure
Code scanning / CodeQL
DOM text reinterpreted as HTML High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 26 days ago
To fix the problem, we should ensure all user-controlled values incorporated into URLs that are assigned to HTML attributes (such as href) are properly escaped or validated to prevent malicious payloads, especially those that might lead to XSS (e.g., via javascript:). The best approach here is to:
- Use functions to strictly validate and encode the relevant, variable user input before placing it in URLs.
- Specifically, for URLs, use
encodeURIComponentfor all dynamically inserted path/query parts, so that no meta-characters can break out and create a dangerous attribute value. - In this code, we should ensure that
selectedMonthandselectedModeare both encoded viaencodeURIComponentbefore constructing URLs (dataUrl,excelUrl, etc.). Likewise, any other user inputs (e.g.,selectedOrgUnit) should be similarly handled if there's even a theoretical way for user input to appear. - Make these changes at the point where the variables are used to assemble URLs (e.g., lines 30, 31, and 32) in
fetchPatientData, and when constructing the Excel link inrenderTable, if variables are re-used or new data is passed in.
Summary of steps:
- On lines constructing data URLs, encode all user-controlled values with
encodeURIComponent. - Ensure any values passed into
renderTableand used for hrefs are also appropriately encoded. - No additional dependencies are required for this fix.
Suggested changeset
1
plugins/active_list/static/patient_list_dynamic.js
| @@ -15,8 +15,8 @@ | ||
| let finalOrgUnitId = null | ||
|
|
||
| // Get other filter values | ||
| const selectedMonth = monthSelect.value | ||
| const selectedMode = modeSelect.value | ||
| const selectedMonth = encodeURIComponent(monthSelect.value) | ||
| const selectedMode = encodeURIComponent(modeSelect.value) | ||
|
|
||
| // Only fetch data if a month and at least one org unit level (or the intended level) is selected | ||
| if (!selectedMonth || !selectedOrgUnit) { | ||
| @@ -27,8 +27,8 @@ | ||
| return | ||
| } | ||
|
|
||
| const dataUrl = `/active_list/patient_list_api/${selectedOrgUnit}/${selectedMonth}/?mode=${selectedMode}` | ||
| const excelUrl = `/active_list/patient_list_upload_format/${selectedOrgUnit}/${selectedMonth}/?mode=${selectedMode}` + '&format=xls' // Assuming separate excel endpoint | ||
| const dataUrl = `/active_list/patient_list_api/${encodeURIComponent(selectedOrgUnit)}/${selectedMonth}/?mode=${selectedMode}` | ||
| const excelUrl = `/active_list/patient_list_upload_format/${encodeURIComponent(selectedOrgUnit)}/${selectedMonth}/?mode=${selectedMode}` + '&format=xls' // Assuming separate excel endpoint | ||
| const htmlUrl = dataUrl + '&format=html' | ||
| console.log(`fetching patient data from: ${dataUrl}`) | ||
|
|
Copilot is powered by AI and may make mistakes. Always verify output.
| <link rel="stylesheet" href="{% static 'theme.default.min.css' %}"> | ||
| <script type="text/javascript" src="{% static 'jquery.tablesorter.min.js' %}"></script> | ||
| <!-- Tablesorter widgets including sticky headers --> | ||
| <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery.tablesorter/2.31.3/js/widgets/widget-stickyHeaders.min.js"></script> |
Check warning
Code scanning / CodeQL
Inclusion of functionality from an untrusted source Medium
madewulf
force-pushed
the
active_list_plugin
branch
from
e75a678 to
70e5726
Compare
madewulf
force-pushed
the
active_list_plugin
branch
from
70e5726 to
a1eb84e
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What problem is this PR solving? Explain here in one sentence.
Related JIRA tickets : IA-XXX, WC2-XXX, POLIO-XXX
Self proofreading checklist
Doc
Tell us where the doc can be found (docs folder, wiki, in the code...).
Changes
Explain the changes that were made.
The idea is not to list exhaustively all the changes made (GitHub already provides a full diff), but to help the reviewers better understand:
How to test
Explain how to test your PR.
If a specific config is required explain it here: dataset, account, profile, etc.
Print screen / video
Upload here print screens or videos showing the changes.
Notes
Things that the reviewers should know:
Follow the Conventional Commits specification
The merge message of a pull request must follow the Conventional Commits specification.
This convention helps to automatically generate release notes.
Use lowercase for consistency.
Example:
Note that the Jira reference is preceded by a line break.
Both the line break and the Jira reference are entered in the Add an optional extended description… field.