Security Vulnerabilities
April 6, 2014 1 Comment
A description of potential security vulnerabilities picked up by Josh Mandel when using XSLT to render data on screen, and the impact for FHIR.
Interestingly, a colleague of mine (Richard) has suggested the use of Markdown rather than HTML in FHIR Narrative for this very reason…
Very interesting, although I’m not quite sure that this warrants throwing the HTML baby out with the bathwater. Ultimately, it boils down to security policies and trust models. If any eHealth application is about to generate HTML from an untrusted source, best that it scans that markup text before it’s rendered. One would also hope that Healthcare Facilities have very tightly-configured browsers. As for passing session state in URLs – particularly if unencrypted – maybe not a great idea in general?
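The pre-render scan the comment above calls for, as an added example that is not code from the post, the commenter, or the FHIR project: it flags active content in a FHIR Narrative's XHTML before an application hands it to a browser. The element allowlist is illustrative rather than the FHIR specification's exact list, and the sample narratives are constructed.

```python
"""Scan FHIR Narrative XHTML for active content before rendering.

A FHIR resource's Narrative is an XHTML <div>. When that markup comes
from an untrusted source, check it before any browser renders it.
The allowlist here is illustrative, not the specification's list.
"""
import xml.etree.ElementTree as ET

# Illustrative allowlist of inert presentational elements (assumption).
ALLOWED_TAGS = {
    "div", "p", "span", "b", "i", "em", "strong", "br", "ul", "ol", "li",
    "table", "thead", "tbody", "tr", "th", "td", "h1", "h2", "h3", "a", "img",
}
# URI-bearing attributes whose values are checked for active schemes.
URI_ATTRS = {"href", "src"}
ACTIVE_SCHEMES = ("javascript:", "data:")


def _local(tag):
    """Strip the XML namespace ({http://www.w3.org/1999/xhtml}p -> p)."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def scan_narrative(xhtml):
    """Return a list of findings; an empty list means nothing active was found."""
    findings = []
    root = ET.fromstring(xhtml)
    for elem in root.iter():
        name = _local(elem.tag)
        if name not in ALLOWED_TAGS:
            findings.append(f"disallowed element <{name}>")
        for attr, value in elem.attrib.items():
            if attr.lower().startswith("on"):          # onclick, onmouseover, ...
                findings.append(f"event handler {attr} on <{name}>")
            elif attr in URI_ATTRS and value.strip().lower().startswith(ACTIVE_SCHEMES):
                findings.append(f"active URI in {attr} on <{name}>")
    return findings


def is_safe_narrative(xhtml):
    """True when the narrative can be rendered without further stripping."""
    return not scan_narrative(xhtml)


# Constructed sample narratives: one benign, one carrying active content.
BENIGN = ('<div xmlns="http://www.w3.org/1999/xhtml">'
          '<p>Patient <b>Jane Doe</b>, DOB 1970-01-01</p></div>')
HOSTILE = ('<div xmlns="http://www.w3.org/1999/xhtml"><p onmouseover="alert(1)">Hi</p>'
           '<script>alert(1)</script><a href="javascript:alert(1)">x</a></div>')

if __name__ == "__main__":
    print(scan_narrative(BENIGN))   # []
    print(scan_narrative(HOSTILE))  # three findings
```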