From 3ae1b8c71625fb27d75bfd8e2ed66576f9412c3e Mon Sep 17 00:00:00 2001
From: Marty Pradere
Date: Wed, 17 Jun 2026 11:33:45 -0600
Subject: [PATCH] Escape data values in Arrival and Birth clinical-history HTML
BirthDataSource and ArrivalDataSource concatenated a data-controlled column value (the gender lookup display value and the sourceFacility value, respectively) directly into the clinical-history HTML string without escaping. That string is serialized to the history row's html property and rendered unescaped in the EHR client, so a crafted value persisted and executed as stored XSS when a user viewed the animal's clinical history. Both now route the value through the base class safeAppend helper, which HTML-escapes via PageFlowUtil.filter, matching every other nirc_ehr data source. The redundant manual hasColumn/null guards and the now-unused FieldKey import were dropped.
---
 .../org/labkey/nirc_ehr/history/ArrivalDataSource.java | 4 +---
 .../src/org/labkey/nirc_ehr/history/BirthDataSource.java | 8 +-------
 2 files changed, 2 insertions(+), 10 deletions(-)
diff --git a/nirc_ehr/src/org/labkey/nirc_ehr/history/ArrivalDataSource.java b/nirc_ehr/src/org/labkey/nirc_ehr/history/ArrivalDataSource.java
index 933caf5c..4b4a8798 100644
--- a/nirc_ehr/src/org/labkey/nirc_ehr/history/ArrivalDataSource.java
+++ b/nirc_ehr/src/org/labkey/nirc_ehr/history/ArrivalDataSource.java
@@ -4,7 +4,6 @@
 import org.labkey.api.data.Results;
 import org.labkey.api.ehr.history.AbstractDataSource;
 import org.labkey.api.module.Module;
-import org.labkey.api.query.FieldKey;
 import org.labkey.api.util.PageFlowUtil;
 import java.sql.SQLException;
@@ -30,8 +29,7 @@ protected String getHtml(Container c, Results rs, boolean redacted) throws SQLEx
 sb.append(safeAppend(rs, "Arrival Type", "arrivalType"));
 sb.append(safeAppend(rs, "Acquisition Type", "acquisitionType"));
- if (rs.hasColumn(FieldKey.fromString("sourceFacility")) && rs.getObject(FieldKey.fromString("sourceFacility")) != null) sb.append("Lab Transfer From: " + rs.getString(FieldKey.fromString("sourceFacility")));
+ sb.append(safeAppend(rs, "Lab Transfer From", "sourceFacility"));
 return sb.toString();
 }
diff --git a/nirc_ehr/src/org/labkey/nirc_ehr/history/BirthDataSource.java b/nirc_ehr/src/org/labkey/nirc_ehr/history/BirthDataSource.java
index 6d07815e..055fc9a0 100644
--- a/nirc_ehr/src/org/labkey/nirc_ehr/history/BirthDataSource.java
+++ b/nirc_ehr/src/org/labkey/nirc_ehr/history/BirthDataSource.java
@@ -4,7 +4,6 @@
 import org.labkey.api.data.Results;
 import org.labkey.api.ehr.history.AbstractDataSource;
 import org.labkey.api.module.Module;
-import org.labkey.api.query.FieldKey;
 import org.labkey.api.util.PageFlowUtil;
 import java.sql.SQLException;
@@ -27,11 +26,6 @@ protected Set getColumnNames()
 @Override
 protected String getHtml(Container c, Results rs, boolean redacted) throws SQLException
 {
- StringBuilder sb = new StringBuilder();
- if(rs.hasColumn(FieldKey.fromString("Id/Demographics/gender/meaning")) && rs.getObject(FieldKey.fromString("Id/Demographics/gender/meaning")) != null) sb.append("Gender: " + rs.getString(FieldKey.fromString("Id/Demographics/gender/meaning")));
-
- return sb.toString();
+ return safeAppend(rs, "Gender", "Id/Demographics/gender/meaning");
 }
 }
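Review bot: Nothing in this commit pins the stored-XSS fix down — the new `sb.append(safeAppend(rs, "Lab Transfer From", "sourceFacility"));` line is only safe for as long as the base-class helper keeps escaping, and no regression test exercises a sourceFacility value containing markup. I would add a unit test that builds a Results row whose sourceFacility is something like `<img src=x onerror=alert(1)>` and asserts the returned HTML contains `&lt;img` and not `<img`, so a future "simplification" of safeAppend cannot silently reopen the hole. The old line appended `"Lab Transfer From: " + value` with no trailing separator, while safeAppend presumably formats label and value the way the two preceding calls do, so the rendered row may gain whatever separator the helper emits — benign, but worth a glance in the clinical-history view. getHtml begins before this hunk (only its signature is visible in the hunk header), so I cannot confirm whether PageFlowUtil is still referenced elsewhere in the method; if it is not, the import should go the way FieldKey did.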
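Review bot: With getHtml reduced to `return safeAppend(rs, "Gender", "Id/Demographics/gender/meaning");`, the `org.labkey.api.util.PageFlowUtil` import kept in the hunk above looks unused in BirthDataSource — the removed code never called it either — so if nothing outside the visible hunks references it, drop it as FieldKey was dropped rather than leave a misleading hint that this file escapes anything itself. The reason the value must go through the helper is not recorded anywhere in the file; a one-line comment above the return, `// Lookup display value is data-controlled; safeAppend HTML-escapes it before it reaches the history row's html property.`, would stop the next maintainer from reintroducing a bare concatenation. The `redacted` parameter is still ignored here, which matches the old behavior; whether the gender meaning should be withheld in redacted views is a product question this change does not need to answer, but it may be worth confirming.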