Fix for Implementing URL Redirect Validation and Warning Feature #7376
This pull request enhances the OpenEMR application to strengthen security measures related to URL redirects and forwards. The changes address the vulnerability identified in ASVS V5.1.5 regarding input validation and potential untrusted content.
Fix for: #7377
Description of what this pull request does:
This pull request improves the security of the OpenEMR application by adding a feature that checks if links users click on lead to trusted websites. If a link goes to an unknown or potentially risky site, users will see a warning message before being redirected. This helps prevent users from accidentally visiting harmful websites, making the application safer to use.
Changes Proposed in this Pull Request:
Added JavaScript code to validate redirect URLs against a whitelist of known and trusted domains.
Prevents redirects to URLs not present in the whitelist.
Displays a warning message to the user if attempting to redirect to an unknown domain, allowing them to make an informed decision.
Ensured proper sanitization and validation of user input used to construct redirect URLs.
Mitigates the risk of injection attacks and manipulation of redirect behavior by malicious users.
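An added example of the redirect check described above, written here for illustration and not taken from this PR or from OpenEMR's code; the trusted-host list, the site origin and the function names are constructed placeholders:

```javascript
// Constructed placeholders: the application's own origin and its whitelist of trusted hosts.
const SITE_ORIGIN = "https://openemr.example.org";
const TRUSTED_HOSTS = ["openemr.example.org", "partner.example.net"];

// Classify a redirect target. Returns one of:
//   { decision: "allow", url }    relative/same-site URL or a whitelisted host
//   { decision: "warn",  url }    well-formed http(s) URL to a host not on the whitelist
//   { decision: "block", reason } unparsable or unsafe (non-http scheme, userinfo)
function classifyRedirect(target, trustedHosts = TRUSTED_HOSTS, siteOrigin = SITE_ORIGIN) {
  let url;
  try {
    // Resolving against the site origin turns "/patient/list" into an absolute URL,
    // and also exposes protocol-relative inputs such as "//other.example" (and the
    // backslash variant "/\other.example", which the WHATWG parser treats the same way).
    url = new URL(String(target), siteOrigin);
  } catch (e) {
    return { decision: "block", reason: "unparsable URL" };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { decision: "block", reason: "scheme " + url.protocol + " not allowed" };
  }
  if (url.username || url.password) {
    // "https://openemr.example.org@other.example/" parses with host other.example;
    // a redirect target has no business carrying credentials, so refuse it outright.
    return { decision: "block", reason: "userinfo in redirect target" };
  }
  // Compare hostnames case-insensitively, ignoring a trailing dot (FQDN form).
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const trusted = trustedHosts.some((h) => host === h || host.endsWith("." + h));
  return trusted ? { decision: "allow", url: url.href } : { decision: "warn", url: url.href };
}

// Text of the interstitial shown before leaving for a host that is not whitelisted.
function warningMessage(url) {
  return "You are about to leave OpenEMR for " + new URL(url).hostname + ". Continue?";
}

// Decide where (if anywhere) to navigate. confirmFn is the prompt used for unlisted
// hosts (window.confirm in a browser); returns the URL to follow, or null to stay put.
function resolveRedirect(target, confirmFn) {
  const result = classifyRedirect(target);
  if (result.decision === "allow") return result.url;
  if (result.decision === "warn") return confirmFn(warningMessage(result.url)) ? result.url : null;
  return null;
}
```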