Security Vulnerabilities

A description of potential security vulnerabilities that Josh Mandel found when using XSLT to render data on screen, and their impact for FHIR.

Interestingly, a colleague of mine (Richard) has suggested the use of Markdown rather than HTML in FHIR Narrative for this very reason…

About David Hay
I'm an independent contractor working with organizations like Rhapsody, Corepoint, CSIRO in Australia and the New Zealand Ministry Of Health. I'm an HL7 Fellow, Chair Emeritus of HL7 New Zealand and a co-chair of the FHIR Management Group. I have a keen interest in health IT, especially health interoperability with HL7 and the new FHIR standard.

One Response to Security Vulnerabilities

  1. Peter Jordan says:

    Very interesting, although I’m not quite sure that this warrants throwing the HTML baby out with the bathwater. Ultimately, it boils down to security policies and trust models. If any eHealth application is about to generate HTML from an untrusted source, best that it scans that markup text before it’s rendered. One would also hope that Healthcare Facilities have very tightly-configured browsers. As for passing session state in URLs – particularly if unencrypted – maybe not a great idea in general?
