We use the FHIR DSTU2 Java reference implementation (me.fhir:fhir-dstu2:1.0.1.7108) and encountered a problem with XhtmlParser.
The parseHtmlNode method, with the element and attribute white list, is very good and we typically want to use this both for json as well as xml data.
Currently this is only used for xml parsing and there is another parse method, used for json parsing, which doesn't enforce the white list and allows malicious inline scripts. Is there any reason as to why this white list is not enforced for json parsing?
The XhtmlParser's security policy (Accept/Drop/Reject) is not exposed to the user as a configurable parameter. Currently we had to override the parseXhtml method in a derived class of JsonParser/XmlParser and initialize the XhtmlParser with the desired security policy.
With the security policy set to Drop, the parseHtmlNode method goes into an infinite loop due to a missing xpp.next() call after ignoring an element.
I would appreciate it if the FHIR developers could respond to these issues and fix them in a minor update to the Java reference implementation. Please let me know if I have grossly misunderstood something.
Thanks, Anand Mohan
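Added example (Python, not code from the FHIR reference implementation or from the post) of the behaviour the post describes: one element/attribute white list applied to a narrative under Accept, Drop and Reject, with a child walk that always advances past an ignored node so Drop cannot loop. The allow lists and the sample narrative are constructed for the example.

```python
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"
ET.register_namespace("", XHTML_NS)  # keep the default namespace on output

# Constructed allow lists: an assumption for this example, not the
# reference implementation's own white list.
ALLOWED_ELEMENTS = {"div", "p", "b", "i", "span", "ul", "li", "a"}
ALLOWED_ATTRIBUTES = {"class", "href", "title"}


class RejectedContent(ValueError):
    """Raised under the Reject policy when disallowed markup is found."""


def _local(name):
    return name.rsplit("}", 1)[-1]  # strip the {namespace} prefix


def _sanitize_element(elem, policy):
    for name in list(elem.attrib):
        if _local(name) not in ALLOWED_ATTRIBUTES:
            if policy == "reject":
                raise RejectedContent(f"attribute {_local(name)!r}")
            del elem.attrib[name]
    # Walk a snapshot of the children: every iteration moves to the next
    # node whether the child is kept or removed, which is the advance the
    # post says is missing after an element is ignored.
    prev = None
    for child in list(elem):
        if _local(child.tag) not in ALLOWED_ELEMENTS:
            if policy == "reject":
                raise RejectedContent(f"element <{_local(child.tag)}>")
            if child.tail:  # keep text that followed the dropped element
                if prev is not None:
                    prev.tail = (prev.tail or "") + child.tail
                else:
                    elem.text = (elem.text or "") + child.tail
            elem.remove(child)
            continue
        _sanitize_element(child, policy)
        prev = child


def sanitize_narrative(xhtml, policy="drop"):
    """Apply policy ('accept', 'drop' or 'reject') and reserialize."""
    if policy not in ("accept", "drop", "reject"):
        raise ValueError(policy)
    root = ET.fromstring(xhtml)
    if policy != "accept":
        _sanitize_element(root, policy)
    return ET.tostring(root, encoding="unicode")


# Constructed sample: a narrative carrying an event handler and a script.
SAMPLE = ('<div xmlns="http://www.w3.org/1999/xhtml"><p onclick="x()">Hi '
          '<b>there</b></p><script>alert(1)</script>done</div>')
```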