Thoughts and comments on the HL7 FHIR standard, from a FHIR Evangelist
April 6, 2014 1 Comment
A description of potential security vulnerabilities picked up by Josh Mandel when using XSLT to render data on screen, and the impact for FHIR.
Interestingly, a colleague of mine (Richard) has suggested the use of Markdown rather than HTML in FHIR Narrative for this very reason…
I'm an independent contractor working with a number of Organizations in the health IT space. I'm an HL7 Fellow, Chair Emeritus of HL7 New Zealand and a co-chair of the FHIR Management Group. I have a keen interest in health IT, especially health interoperability with HL7 and the FHIR standard. I'm the author of a FHIR training and design tool - clinFHIR - which is sponsored by InterSystems Ltd.
Very interesting, although I’m not quite sure that this warrants throwing the HTML baby out with the bathwater. Ultimately, it boils down to security policies and trust models. If any eHealth application is about to generate HTML from an untrusted source, best that it scans that markup text before it’s rendered. One would also hope that Healthcare Facilities have very tightly-configured browsers. As for passing session state in URLs – particularly if unencrypted – maybe not a great idea in general?