From 4218d6ddc0445a705e8d2be3164bbc79392f6d02 Mon Sep 17 00:00:00 2001
From: Isaac Sears <isaac.j.sears@gmail.com>
Date: Sat, 25 Feb 2017 17:54:20 -0500
Subject: [PATCH] Patch various xss

---
 omod/src/main/java/org/openmrs/web/dwr/DWRProviderService.java | 3 ++-
 .../webapp/admin/patients/include/editPatientIdentifier.jsp    | 2 +-
 omod/src/main/webapp/admin/patients/patientForm.jsp            | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/omod/src/main/java/org/openmrs/web/dwr/DWRProviderService.java b/omod/src/main/java/org/openmrs/web/dwr/DWRProviderService.java
index 1bba6a3f..73c8afd1 100644
--- a/omod/src/main/java/org/openmrs/web/dwr/DWRProviderService.java
+++ b/omod/src/main/java/org/openmrs/web/dwr/DWRProviderService.java
@@ -21,6 +21,7 @@
 import org.openmrs.api.PatientService;
 import org.openmrs.api.context.Context;
 import org.openmrs.messagesource.MessageSourceService;
+import org.openmrs.web.WebUtil;
 
 /**
  * DWR Provider methods. The methods in here are used in the webapp to get data from the database
@@ -51,7 +52,7 @@ public Vector<Object> findProvider(String name, boolean includeRetired, Integer
 		
 		if (providerList.size() == 0) {
 			MessageSourceService mss = Context.getMessageSourceService();
-			providerListItem.add(mss.getMessage("Provider.noMatchesFound", new Object[] { name }, Context.getLocale()));
+			providerListItem.add(mss.getMessage("Provider.noMatchesFound", new Object[] { WebUtil.escapeHTML(name) }, Context.getLocale()));
 		} else {
 			for (Provider p : providerList) {
 				providerListItem.add(new ProviderListItem(p));
diff --git a/omod/src/main/webapp/admin/patients/include/editPatientIdentifier.jsp b/omod/src/main/webapp/admin/patients/include/editPatientIdentifier.jsp
index a985721b..031d4f7d 100644
--- a/omod/src/main/webapp/admin/patients/include/editPatientIdentifier.jsp
+++ b/omod/src/main/webapp/admin/patients/include/editPatientIdentifier.jsp
@@ -101,7 +101,7 @@
 					<input type="hidden" name="_${status.expression}"/>
 					<input type="checkbox" name="${status.expression}"
 						   <c:if test="${status.value == true}">checked="checked"</c:if> 
-						   onClick="toggleLayer('voidReasonIdentifierRow-${identifier}'); if (voidedBoxClicked) voidedBoxClicked(this); "
+						   onClick="toggleLayer('voidReasonIdentifierRow-<c:out value="${identifier}" />'); if (voidedBoxClicked) voidedBoxClicked(this); "
 					/>
 				</spring:bind>
 			</td>
diff --git a/omod/src/main/webapp/admin/patients/patientForm.jsp b/omod/src/main/webapp/admin/patients/patientForm.jsp
index 8103778f..defccf15 100644
--- a/omod/src/main/webapp/admin/patients/patientForm.jsp
+++ b/omod/src/main/webapp/admin/patients/patientForm.jsp
@@ -418,7 +418,7 @@
 		<div id="pAddresses">
 			<div class="tabBar" id="pAddressesTabBar">
 				<c:forEach var="address" items="${patient.addresses}" varStatus="varStatus">
-					<a href="javascript:return false;" onClick="return selectTab(this, 'address');" id="address${varStatus.index}" <c:if test="${address.voided}">class='voided'</c:if>><span>${address.cityVillage}</span>&nbsp;</a>
+					<a href="javascript:return false;" onClick="return selectTab(this, 'address');" id="address${varStatus.index}" <c:if test="${address.voided}">class='voided'</c:if>><span><c:out value="${address.cityVillage}" /></span>&nbsp;</a>
 				</c:forEach>
 				<a href="javascript:return false;" onClick="return selectTab(this, 'address');" id="addressTab" style="display: none"><span></span>&nbsp;</a>
 				<input type="button" onClick="return addNew('address');" class="addNew" id="address" value='<openmrs:message code="Patient.addNewAddress"/>'/>