Fixed the vulnerability issue

KarnaiahPesula · KarnaiahPesula · commit 088860fa6abb · 2026-05-20T10:29:28.000+02:00
diff --git a/sormas-ui/src/main/java/de/symeda/sormas/ui/caze/CaseDataForm.java b/sormas-ui/src/main/java/de/symeda/sormas/ui/caze/CaseDataForm.java
@@ -40,6 +40,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
+import java.util.Set;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
@@ -1656,15 +1657,32 @@ private String sanitizeAndLinkify(String text) {
 		StringBuilder result = new StringBuilder();
 		int last = 0;
 
+		// Expanded the allowed tags to include standard rich text formatting options
+		Set<String> allowedTags = Set
+			.of("div", "span", "p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li", "table", "tr", "td", "th", "thead", "tbody", "font", "a");
+
 		while (matcher.find()) {
 			String plainTextSegment = htmlText.substring(last, matcher.start());
 			result.append(escapeHtml(plainTextSegment).replace("&amp;nbsp;", "&nbsp;"));
 
 			String htmlTag = matcher.group(1);
 			String url = matcher.group(2);
 			if (htmlTag != null) {
-				// It's a rich text tag (like <div> or <br>). Pass it through safely.
-				result.append(htmlTag);
+				// Only allow safe formatting tags
+				String cleanTagName = htmlTag.replaceAll("[<>/]", "").trim().split("\\s+")[0].toLowerCase();
+				if (allowedTags.contains(cleanTagName)) {
+					String lowerTag = htmlTag.toLowerCase();
+					if (lowerTag.contains("javascript:")
+						|| lowerTag.contains("onclick")
+						|| lowerTag.contains("onerror")
+						|| lowerTag.contains("onload")) {
+						// Attack vector found! Escape it safely into text instead of executing it
+						result.append(escapeHtml(htmlTag));
+					} else {
+						// It's a completely safe rich text element. Pass it through so styles render perfectly.
+						result.append(htmlTag);
+					}
+				}
 			} else if (url != null) {
 				// It's a plain-text URL. Wrap it in your custom blue link styling.
 				String escapedUrl = escapeHtml(url);
