The reporter has re-tested against Meridian 2021.1.2 and is still able to get XSS payload to execute upon clicking, though no longer upon page rendering alone. I'm able to reproduce with Safari 14.1.2, but not with Firefox 90.0.

Assuming a category exists having a name consisting of the following payload:

')alert(document.cookie);//

Then, navigating to Admin -> Manage Surveillance Categories and clicking on the Delete icon next to the payload category results in a JS popup containing the user's cookies, leading to a 500 error page upon dismissal. On Firefox I don't get the JS popup, only the error page.

I was able to prevent the JS popup in Safari by using a JSTL c:set / fn:replace to remove all semicolons from category.name, store that safer value into a temporary variable, and use the temporary variable in place category.name inside the onclick property for the delete icon.

A more complete fix would also add input validation when creating a category.

I have a more detailed PDF from the reporter; I'm happy to share that in a less open channel since its content identifies the reporter's employer.

Merged.

Merged.

Please review:

• PR: https://github.com/OpenNMS/opennms/pull/3376

Please review:

• PR: https://github.com/OpenNMS/opennms/pull/3372