TASK-019: Fix XSS vulnerability in DICOM series display

- Add html.EscapeString() to series_desc when building Series struct
- Prevents JavaScript injection via malicious DICOM metadata

Security impact: XSS payloads in series descriptions now render as harmless text.
This commit is contained in:
James 2026-03-23 00:36:06 -04:00
parent 5ebf9925ed
commit 989969375d
1 changed files with 2 additions and 1 deletions


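--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -4,6 +4,7 @@ import (
 "bytes"
 "encoding/json"
 "fmt"
+"html"
 "io"
 "net/http"
 "sort"
@@ -189,7 +190,7 @@ func fetchStudiesWithSeries(dossierHex string) ([]Study, error) {
 for _, ser := range apiSeries {
 s.Series = append(s.Series, Series{
 ID: ser.ID,
-Description: ser.SeriesDesc,
+Description: html.EscapeString(ser.SeriesDesc), // FIX TASK-019: XSS prevention
 Modality: ser.Modality,
 SliceCount: ser.SliceCount,
 })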
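Review bot: Escaping on the new `Description:` line bakes HTML entities into the data model instead of into the output, so every other consumer of `Series` — the JSON path suggested by the `encoding/json` import, or an `html/template` view that already auto-escapes — will receive `&lt;script&gt;` or double-escaped `&amp;lt;` text. The conventional fix is contextual escaping at the render boundary (`html/template` for HTML output, none for JSON) with `Description: ser.SeriesDesc,` kept as the raw value; how the page is actually rendered (`text/template`, `html/template`, or string concatenation) is not visible in this hunk, so that should be confirmed before choosing. If escaping at construction is kept deliberately, `ID`, `Modality` and `SliceCount` on the adjacent lines come from the same DICOM metadata source and are left unescaped, so the inline comment should at least say so, e.g. `// FIX TASK-019: escaped for direct HTML interpolation; sibling fields are not`. fetchStudiesWithSeries starts and ends outside the hunk.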