From 7662c7200fb83e475af3506a9b583b2fd2d6b270 Mon Sep 17 00:00:00 2001
From: dkayiwa <dkayiwa@openmrs.org>
Date: Thu, 14 Nov 2024 02:38:08 +0300
Subject: [PATCH 1/6] Filtering at the backend

---
 .../java/org/openmrs/web/xss/XSSFilter.java   | 51 +++++++++++++
 .../web/xss/XSSMultipartRequestWrapper.java   | 72 ++++++++++++++++++
 .../openmrs/web/xss/XSSRequestWrapper.java    | 73 +++++++++++++++++++
 omod/src/main/resources/config.xml            |  9 +++
 4 files changed, 205 insertions(+)
 create mode 100644 omod/src/main/java/org/openmrs/web/xss/XSSFilter.java
 create mode 100644 omod/src/main/java/org/openmrs/web/xss/XSSMultipartRequestWrapper.java
 create mode 100644 omod/src/main/java/org/openmrs/web/xss/XSSRequestWrapper.java

diff --git a/omod/src/main/java/org/openmrs/web/xss/XSSFilter.java b/omod/src/main/java/org/openmrs/web/xss/XSSFilter.java
new file mode 100644
index 00000000..c3857ffa
--- /dev/null
+++ b/omod/src/main/java/org/openmrs/web/xss/XSSFilter.java
@@ -0,0 +1,51 @@
+/**
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at http://mozilla.org/MPL/2.0/. OpenMRS is also distributed under
+ * the terms of the Healthcare Disclaimer located at http://openmrs.org/license.
+ *
+ * Copyright (C) OpenMRS Inc. OpenMRS is a registered trademark and the OpenMRS
+ * graphic logo is a trademark of OpenMRS Inc.
+ */
+package org.openmrs.web.xss;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.commons.fileupload.servlet.ServletFileUpload;
+import org.springframework.web.multipart.support.DefaultMultipartHttpServletRequest;
+
+public class XSSFilter implements Filter {
+	
+	@Override
+	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
+	        ServletException {
+		
+		if (!"GET".equalsIgnoreCase(((HttpServletRequest) request).getMethod())) {
+			if (ServletFileUpload.isMultipartContent((HttpServletRequest) request)) {
+				request = new XSSMultipartRequestWrapper((DefaultMultipartHttpServletRequest) request);
+			} else {
+				request = new XSSRequestWrapper((HttpServletRequest) request);
+			}
+		}
+		
+		chain.doFilter(request, response);
+	}
+	
+	@Override
+	public void init(FilterConfig filterConfig) throws ServletException {
+		
+	}
+	
+	@Override
+	public void destroy() {
+		
+	}
+}
diff --git a/omod/src/main/java/org/openmrs/web/xss/XSSMultipartRequestWrapper.java b/omod/src/main/java/org/openmrs/web/xss/XSSMultipartRequestWrapper.java
new file mode 100644
index 00000000..db0b9752
--- /dev/null
+++ b/omod/src/main/java/org/openmrs/web/xss/XSSMultipartRequestWrapper.java
@@ -0,0 +1,72 @@
+/**
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at http://mozilla.org/MPL/2.0/. OpenMRS is also distributed under
+ * the terms of the Healthcare Disclaimer located at http://openmrs.org/license.
+ *
+ * Copyright (C) OpenMRS Inc. OpenMRS is a registered trademark and the OpenMRS
+ * graphic logo is a trademark of OpenMRS Inc.
+ */
+package org.openmrs.web.xss;
+
+import java.util.Enumeration;
+
+import org.owasp.encoder.Encode;
+import org.springframework.util.MultiValueMap;
+import org.springframework.web.multipart.MultipartFile;
+import org.springframework.web.multipart.support.DefaultMultipartHttpServletRequest;
+
+public class XSSMultipartRequestWrapper extends DefaultMultipartHttpServletRequest {
+	
+	public XSSMultipartRequestWrapper(DefaultMultipartHttpServletRequest request) {
+		super(request);
+	}
+	
+	@Override
+	public String getParameter(String name) {
+		
+		String value = getRequest().getParameter(name);
+		if (value == null) {
+			return null;
+		}
+		
+		return Encode.forHtml(value);
+	}
+	
+	@Override
+	public String[] getParameterValues(String name) {
+		
+		String[] values = getRequest().getParameterValues(name);
+		if (values == null) {
+			return null;
+		}
+		
+		int count = values.length;
+		String[] encodedValues = new String[count];
+		for (int i = 0; i < count; i++) {
+			encodedValues[i] = Encode.forHtml(values[i]);
+		}
+		
+		return encodedValues;
+	}
+	
+	@Override
+	public DefaultMultipartHttpServletRequest getRequest() {
+		return (DefaultMultipartHttpServletRequest) super.getRequest();
+	}
+	
+	@Override
+	public MultipartFile getFile(String name) {
+		return getRequest().getFile(name);
+	}
+	
+	@Override
+	public MultiValueMap<String, MultipartFile> getMultiFileMap() {
+		return getRequest().getMultiFileMap();
+	}
+	
+	@Override
+	public Enumeration<String> getParameterNames() {
+		return getRequest().getParameterNames();
+	}
+}
diff --git a/omod/src/main/java/org/openmrs/web/xss/XSSRequestWrapper.java b/omod/src/main/java/org/openmrs/web/xss/XSSRequestWrapper.java
new file mode 100644
index 00000000..844bd55c
--- /dev/null
+++ b/omod/src/main/java/org/openmrs/web/xss/XSSRequestWrapper.java
@@ -0,0 +1,73 @@
+/**
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at http://mozilla.org/MPL/2.0/. OpenMRS is also distributed under
+ * the terms of the Healthcare Disclaimer located at http://openmrs.org/license.
+ *
+ * Copyright (C) OpenMRS Inc. OpenMRS is a registered trademark and the OpenMRS
+ * graphic logo is a trademark of OpenMRS Inc.
+ */
+package org.openmrs.web.xss;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+
+import javax.servlet.ServletInputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+
+import org.apache.commons.io.IOUtils;
+import org.owasp.encoder.Encode;
+
+public class XSSRequestWrapper extends HttpServletRequestWrapper {
+	
+	public XSSRequestWrapper(HttpServletRequest request) {
+		super(request);
+	}
+	
+	@Override
+	public String[] getParameterValues(String parameter) {
+		
+		String[] values = super.getParameterValues(parameter);
+		if (values == null) {
+			return null;
+		}
+		
+		int count = values.length;
+		String[] encodedValues = new String[count];
+		for (int i = 0; i < count; i++) {
+			encodedValues[i] = Encode.forHtml(values[i]);
+		}
+		
+		return encodedValues;
+	}
+	
+	@Override
+	public String getParameter(String name) {
+		
+		String value = super.getParameter(name);
+		if (value == null) {
+			return null;
+		}
+		
+		return Encode.forHtml(value);
+	}
+	
+	@Override
+	public ServletInputStream getInputStream() throws IOException {
+		
+		String requestBody = IOUtils.toString(super.getInputStream(), StandardCharsets.UTF_8.name());
+		String sanitizedBody = Encode.forHtmlContent(requestBody);
+		
+		return new ServletInputStream() {
+			
+			private final ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(sanitizedBody.getBytes());
+			
+			@Override
+			public int read() throws IOException {
+				return byteArrayInputStream.read();
+			}
+		};
+	}
+}
diff --git a/omod/src/main/resources/config.xml b/omod/src/main/resources/config.xml
index 4e78b785..b4009f68 100644
--- a/omod/src/main/resources/config.xml
+++ b/omod/src/main/resources/config.xml
@@ -351,6 +351,15 @@
 		<filter-name>dwrFilter</filter-name> 
 		<url-pattern>/ms/call/plaincall/*</url-pattern> 
 	</filter-mapping>
+	
+	<filter>
+        <filter-name>XSSFilter</filter-name>
+        <filter-class>org.openmrs.web.xss.XSSFilter</filter-class>
+    </filter>
+    <filter-mapping>
+        <filter-name>XSSFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
 
 	<!-- Internationalization -->
 	<!-- All message codes should start with ${project.parent.artifactId}. -->

From 273ae2016efe8b8c98bd5b3f90f917fee895ab06 Mon Sep 17 00:00:00 2001
From: openmrs-bot <infrastructure@openmrs.org>
Date: Thu, 14 Nov 2024 09:05:19 +0000
Subject: [PATCH 2/6] [maven-release-plugin] prepare release 1.19.0

---
 api/pom.xml  | 2 +-
 omod/pom.xml | 2 +-
 pom.xml      | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/api/pom.xml b/api/pom.xml
index a43cd43e..0259b6a6 100644
--- a/api/pom.xml
+++ b/api/pom.xml
@@ -15,7 +15,7 @@
 	<parent>
 		<groupId>org.openmrs.module</groupId>
 		<artifactId>legacyui</artifactId>
-		<version>1.19.0-SNAPSHOT</version>
+		<version>1.19.0</version>
 	</parent>
 
 	<artifactId>legacyui-api</artifactId>
diff --git a/omod/pom.xml b/omod/pom.xml
index cdcc11b3..9290bcf2 100644
--- a/omod/pom.xml
+++ b/omod/pom.xml
@@ -15,7 +15,7 @@
 	<parent>
 		<groupId>org.openmrs.module</groupId>
 		<artifactId>legacyui</artifactId>
-		<version>1.19.0-SNAPSHOT</version>
+		<version>1.19.0</version>
 	</parent>
 
 	<artifactId>legacyui-omod</artifactId>
diff --git a/pom.xml b/pom.xml
index a77d86b7..1842176c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -21,7 +21,7 @@
 
 	<groupId>org.openmrs.module</groupId>
 	<artifactId>legacyui</artifactId>
-	<version>1.19.0-SNAPSHOT</version>
+	<version>1.19.0</version>
 	<packaging>pom</packaging>
 	<name>Legacy UI Module</name>
 	<description>Provides the legacy UI which was removed from the platform since version 2.0</description>
@@ -42,7 +42,7 @@
         <connection>scm:git:git@github.com:openmrs/openmrs-module-legacyui.git</connection>
         <developerConnection>scm:git:git@github.com:openmrs/openmrs-module-legacyui.git</developerConnection>
         <url>https://github.com/openmrs/openmrs-module-legacyui.git</url>
-      <tag>HEAD</tag>
+      <tag>1.19.0</tag>
   </scm>
 
 	<modules>

From e857645cb0c3c4ea79edb71e55ceb4738d0086dd Mon Sep 17 00:00:00 2001
From: openmrs-bot <infrastructure@openmrs.org>
Date: Thu, 14 Nov 2024 09:05:20 +0000
Subject: [PATCH 3/6] [maven-release-plugin] prepare for next development
 iteration

---
 api/pom.xml  | 2 +-
 omod/pom.xml | 2 +-
 pom.xml      | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/api/pom.xml b/api/pom.xml
index 0259b6a6..79df1a3f 100644
--- a/api/pom.xml
+++ b/api/pom.xml
@@ -15,7 +15,7 @@
 	<parent>
 		<groupId>org.openmrs.module</groupId>
 		<artifactId>legacyui</artifactId>
-		<version>1.19.0</version>
+		<version>1.20.0-SNAPSHOT</version>
 	</parent>
 
 	<artifactId>legacyui-api</artifactId>
diff --git a/omod/pom.xml b/omod/pom.xml
index 9290bcf2..dc05ff75 100644
--- a/omod/pom.xml
+++ b/omod/pom.xml
@@ -15,7 +15,7 @@
 	<parent>
 		<groupId>org.openmrs.module</groupId>
 		<artifactId>legacyui</artifactId>
-		<version>1.19.0</version>
+		<version>1.20.0-SNAPSHOT</version>
 	</parent>
 
 	<artifactId>legacyui-omod</artifactId>
diff --git a/pom.xml b/pom.xml
index 1842176c..e62b12f0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -21,7 +21,7 @@
 
 	<groupId>org.openmrs.module</groupId>
 	<artifactId>legacyui</artifactId>
-	<version>1.19.0</version>
+	<version>1.20.0-SNAPSHOT</version>
 	<packaging>pom</packaging>
 	<name>Legacy UI Module</name>
 	<description>Provides the legacy UI which was removed from the platform since version 2.0</description>
@@ -42,7 +42,7 @@
         <connection>scm:git:git@github.com:openmrs/openmrs-module-legacyui.git</connection>
         <developerConnection>scm:git:git@github.com:openmrs/openmrs-module-legacyui.git</developerConnection>
         <url>https://github.com/openmrs/openmrs-module-legacyui.git</url>
-      <tag>1.19.0</tag>
+      <tag>HEAD</tag>
   </scm>
 
 	<modules>

From a6c6c0aa6999e79ff48c4e2b8d6c14e8a87c5e61 Mon Sep 17 00:00:00 2001
From: dkayiwa <dkayiwa@openmrs.org>
Date: Thu, 14 Nov 2024 22:09:14 +0300
Subject: [PATCH 4/6] Do not mess up json in multipart uploads

---
 .../java/org/openmrs/web/xss/XSSMultipartRequestWrapper.java  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/omod/src/main/java/org/openmrs/web/xss/XSSMultipartRequestWrapper.java b/omod/src/main/java/org/openmrs/web/xss/XSSMultipartRequestWrapper.java
index db0b9752..e6df7bb2 100644
--- a/omod/src/main/java/org/openmrs/web/xss/XSSMultipartRequestWrapper.java
+++ b/omod/src/main/java/org/openmrs/web/xss/XSSMultipartRequestWrapper.java
@@ -30,7 +30,7 @@ public String getParameter(String name) {
 			return null;
 		}
 		
-		return Encode.forHtml(value);
+		return Encode.forHtmlContent(value);
 	}
 	
 	@Override
@@ -44,7 +44,7 @@ public String[] getParameterValues(String name) {
 		int count = values.length;
 		String[] encodedValues = new String[count];
 		for (int i = 0; i < count; i++) {
-			encodedValues[i] = Encode.forHtml(values[i]);
+			encodedValues[i] = Encode.forHtmlContent(values[i]);
 		}
 		
 		return encodedValues;

From dff2ba7132e5979e12c1dca4f269deaf2f91420d Mon Sep 17 00:00:00 2001
From: openmrs-bot <infrastructure@openmrs.org>
Date: Thu, 14 Nov 2024 19:16:48 +0000
Subject: [PATCH 5/6] [maven-release-plugin] prepare release 1.20.0

---
 api/pom.xml  | 2 +-
 omod/pom.xml | 2 +-
 pom.xml      | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/api/pom.xml b/api/pom.xml
index 79df1a3f..09704bbb 100644
--- a/api/pom.xml
+++ b/api/pom.xml
@@ -15,7 +15,7 @@
 	<parent>
 		<groupId>org.openmrs.module</groupId>
 		<artifactId>legacyui</artifactId>
-		<version>1.20.0-SNAPSHOT</version>
+		<version>1.20.0</version>
 	</parent>
 
 	<artifactId>legacyui-api</artifactId>
diff --git a/omod/pom.xml b/omod/pom.xml
index dc05ff75..a36687e7 100644
--- a/omod/pom.xml
+++ b/omod/pom.xml
@@ -15,7 +15,7 @@
 	<parent>
 		<groupId>org.openmrs.module</groupId>
 		<artifactId>legacyui</artifactId>
-		<version>1.20.0-SNAPSHOT</version>
+		<version>1.20.0</version>
 	</parent>
 
 	<artifactId>legacyui-omod</artifactId>
diff --git a/pom.xml b/pom.xml
index e62b12f0..e1fa9835 100644
--- a/pom.xml
+++ b/pom.xml
@@ -21,7 +21,7 @@
 
 	<groupId>org.openmrs.module</groupId>
 	<artifactId>legacyui</artifactId>
-	<version>1.20.0-SNAPSHOT</version>
+	<version>1.20.0</version>
 	<packaging>pom</packaging>
 	<name>Legacy UI Module</name>
 	<description>Provides the legacy UI which was removed from the platform since version 2.0</description>
@@ -42,7 +42,7 @@
         <connection>scm:git:git@github.com:openmrs/openmrs-module-legacyui.git</connection>
         <developerConnection>scm:git:git@github.com:openmrs/openmrs-module-legacyui.git</developerConnection>
         <url>https://github.com/openmrs/openmrs-module-legacyui.git</url>
-      <tag>HEAD</tag>
+      <tag>1.20.0</tag>
   </scm>
 
 	<modules>

From 24496831971df398722d1a7047c3b3f8b64a7980 Mon Sep 17 00:00:00 2001
From: openmrs-bot <infrastructure@openmrs.org>
Date: Thu, 14 Nov 2024 19:16:49 +0000
Subject: [PATCH 6/6] [maven-release-plugin] prepare for next development
 iteration

---
 api/pom.xml  | 2 +-
 omod/pom.xml | 2 +-
 pom.xml      | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/api/pom.xml b/api/pom.xml
index 09704bbb..a4eae2ae 100644
--- a/api/pom.xml
+++ b/api/pom.xml
@@ -15,7 +15,7 @@
 	<parent>
 		<groupId>org.openmrs.module</groupId>
 		<artifactId>legacyui</artifactId>
-		<version>1.20.0</version>
+		<version>1.21.0-SNAPSHOT</version>
 	</parent>
 
 	<artifactId>legacyui-api</artifactId>
diff --git a/omod/pom.xml b/omod/pom.xml
index a36687e7..c5133716 100644
--- a/omod/pom.xml
+++ b/omod/pom.xml
@@ -15,7 +15,7 @@
 	<parent>
 		<groupId>org.openmrs.module</groupId>
 		<artifactId>legacyui</artifactId>
-		<version>1.20.0</version>
+		<version>1.21.0-SNAPSHOT</version>
 	</parent>
 
 	<artifactId>legacyui-omod</artifactId>
diff --git a/pom.xml b/pom.xml
index e1fa9835..21be5424 100644
--- a/pom.xml
+++ b/pom.xml
@@ -21,7 +21,7 @@
 
 	<groupId>org.openmrs.module</groupId>
 	<artifactId>legacyui</artifactId>
-	<version>1.20.0</version>
+	<version>1.21.0-SNAPSHOT</version>
 	<packaging>pom</packaging>
 	<name>Legacy UI Module</name>
 	<description>Provides the legacy UI which was removed from the platform since version 2.0</description>
@@ -42,7 +42,7 @@
         <connection>scm:git:git@github.com:openmrs/openmrs-module-legacyui.git</connection>
         <developerConnection>scm:git:git@github.com:openmrs/openmrs-module-legacyui.git</developerConnection>
         <url>https://github.com/openmrs/openmrs-module-legacyui.git</url>
-      <tag>1.20.0</tag>
+      <tag>HEAD</tag>
   </scm>
 
 	<modules>