LUI-196 Escape Html for autocomplete and datatable

openmrs · Jul 23, 2024 · fd7227c · fd7227c
1 parent b6855fd
commit fd7227c
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 19 deletions.
diff --git a/omod/src/main/webapp/dictionary/index.jsp b/omod/src/main/webapp/dictionary/index.jsp
@@ -42,7 +42,7 @@
 	//custom render, appends an arrow and preferredName it exists
 	function nameColumnRenderer(oObj){
 		if(oObj.aData[1] && $j.trim(oObj.aData[1]) != '')
-			return "<span>"+oObj.aData[0]+"</span><span class='otherHit'> &rArr; "+$j("<div>").text(oObj.aData[1]).html()+"</span>";
+			return "<span>"+oObj.aData[0]+"</span><span class='otherHit'> &rArr; "+oObj.aData[1]+"</span>";
 		
 		return "<span>"+oObj.aData[0]+"</span>";
 	}

diff --git a/omod/src/main/webapp/portlets/patientVisits.jsp b/omod/src/main/webapp/portlets/patientVisits.jsp
@@ -65,6 +65,10 @@ tr.bottom-encounter-in-visit td:last-child {
 	$j(document)
 			.ready(
 					function() {
+						function renderData(data) {
+							// Escape html for each cell
+							return $j('<div/>').text(data['aData'][data['iDataColumn']]).html();
+						}
 						$j('#patientVisitsTable')
 								.dataTable(
 										{
@@ -76,23 +80,46 @@ tr.bottom-encounter-in-visit td:last-child {
 												"sInfo": ""//hack to hide the text but keep the element to maintain the UI
 											},
 											"aoColumns" : [ {
-												"bVisible" : false
+												"bVisible" : false,
+												"fnRender": renderData
 											}, {
-												"bVisible" : false
-											}, null, {
-												"bVisible" : false
+												"bVisible" : false,
+												"fnRender": renderData
 											}, {
-												"bVisible" : false
+												"fnRender": renderData
 											}, {
-												"bVisible" : false
+												"bVisible" : false,
+												"fnRender": renderData
 											}, {
-												"bVisible" : false
+												"bVisible" : false,
+												"fnRender": renderData
 											}, {
-												"bVisible" : false
+												"bVisible" : false,
+												"fnRender": renderData
 											}, {
-												"bVisible" : false
-											}, null, null, null, null, null, null, {
-												"bVisible" : false
+												"bVisible" : false,
+												"fnRender": renderData
+											}, {
+												"bVisible" : false,
+												"fnRender": renderData
+											}, {
+												"bVisible" : false,
+												"fnRender": renderData
+											}, {
+												"fnRender": renderData
+											}, {
+												"fnRender": renderData
+											}, {
+												"fnRender": renderData
+											}, {
+												"fnRender": renderData
+											}, {
+												"fnRender": renderData
+											}, {
+												"fnRender": renderData
+											}, {
+												"bVisible" : false,
+												"fnRender": renderData
 											} ],
 											"fnRowCallback" : function(nRow,
 													aData, iDisplayIndex) {

diff --git a/omod/src/main/webapp/resources/scripts/jquery-ui/js/openmrsSearch.js b/omod/src/main/webapp/resources/scripts/jquery-ui/js/openmrsSearch.js
@@ -841,7 +841,8 @@ function OpenmrsSearch(div, showIncludeVoided, searchHandler, selectionHandler,
                 var data = rowData[c.fieldName];
                 if(data == null)
                     data = " ";
-
+                //Escape html
+                data = $j('<div/>').text(data).html();
                 return data;
             });
 
@@ -851,7 +852,8 @@ function OpenmrsSearch(div, showIncludeVoided, searchHandler, selectionHandler,
                     attributeValue = rowData.attributes[a.name];
                     if(attributeValue == null)
                         attributeValue = '';
-
+                    //Escape html
+                    attributeValue = $j('<div/>').text(attributeValue).html();
                     rRowData.push(attributeValue);
                 });
             }

diff --git a/omod/src/main/webapp/resources/scripts/jquery/autocomplete/OpenmrsAutoComplete.js b/omod/src/main/webapp/resources/scripts/jquery/autocomplete/OpenmrsAutoComplete.js
@@ -232,24 +232,25 @@ function CreateCallback(options) {
 		var textShown = " ";
 
 		if (person.identifier)
-			textShown += $j('<div/>').text(person.identifier).html();
+			textShown += person.identifier;
 
 		textShown += " ";
 
-		textShown += $j('<div/>').text(person.personName).html();
+		textShown += person.personName;
 
 		// highlight each search term in the results
 		textShown = highlightWords(textShown, origQuery);
 
 		var ageText = "";
 		if (person.age) {
 			ageText = " (" + person.age + " " + omsgs.yearsOld + ")";
-			ageText = $j('<div/>').text(ageText).html();
 		}
 
 		// append the gender image and age AFTER word highlighting so regex doesn't match it
 
 		textShown = imageText + textShown + ageText; // space was inserted into beginning of 'textShown' var
+
+		textShown = $j('<div/>').text(textShown).html()
 
 		// wrap each result in a span tag (needed?)
 		textShown = "<span class='autocompleteresult'>" + textShown + "</span>";
@@ -274,6 +275,8 @@ function CreateCallback(options) {
 			textShown += provider.identifier + " ";
 
 		textShown += provider.displayName;
+
+		textShown = $j('<div/>').text(textShown).html()
 
 		// wrap each result in a span tag (needed?)
 		textShown = "<span class='autocompleteresult'>" + textShown + "</span>";
@@ -291,13 +294,15 @@ function CreateCallback(options) {
 		// item is a ConceptListItem or LocationListItem object
 		// add a space so the term highlighter below thinks the first word is a word
 		var textShown = " " + item.name;
+
+		textShown = $j('<div/>').text(textShown).html()
 
 		// highlight each search term in the results
 		textShown = highlightWords(textShown, origQuery);
 
 		var value = item.name;
 		if (item.preferredName) {
-			textShown += "<span class='preferredname'> &rArr; " + item.preferredName + "</span>";
+			textShown += "<span class='preferredname'> &rArr; " + $j('<div/>').text(item.preferredName).html() + "</span>";
 			//value = item.preferredName;
 		}
 
@@ -315,6 +320,8 @@ function CreateCallback(options) {
 
 		// add a space so the term highlighter below thinks the first word is a word
 		var textShown = " " + item.fullName;
+
+		textShown = $j('<div/>').text(textShown).html()
 
 		// highlight each search term in the results
 		textShown = highlightWords(textShown, origQuery);
@@ -342,6 +349,8 @@ function CreateCallback(options) {
 		if (enc.location) {
 			textShown += " - " + enc.location;
 		}
+
+		textShown = $j('<div/>').text(textShown).html()
 
 		// highlight each search term in the results
 		textShown = highlightWords(textShown, origQuery);
@@ -384,7 +393,9 @@ function CreateCallback(options) {
 			return { label: item, value: "" };
 
 		var textShown = " " + item.code+((item.name != null && $j.trim(item.name) != '') ? " - "+item.name : "")+" ["+item.conceptSourceName+"]";
-
+
+		textShown = $j('<div/>').text(textShown).html()
+
 		// highlight each search term in the results
 		textShown = highlightWords(textShown, origQuery);