Skip to content

Fix: Using double quotes " breaks prescriptions#2483

Open
LiamStanziani wants to merge 1 commit into
developfrom
bug/using-double-quotes-breaks-prescriptions
Open

Fix: Using double quotes " breaks prescriptions#2483
LiamStanziani wants to merge 1 commit into
developfrom
bug/using-double-quotes-breaks-prescriptions

Conversation

@LiamStanziani

@LiamStanziani LiamStanziani commented Jun 23, 2026

Copy link
Copy Markdown
Collaborator

Summary

A double quote (") in a drug name, instructions, or special instructions silently
truncated the faxed/printed prescription and the "Add to encounter note" text from the
first " onward. The Rx body was interpolated raw into two double-quoted HTML hidden-input
attributes, so the " closed the attribute early and everything after it was lost. The fix
applies context-appropriate OWASP encoding at those two output points. This is the same class
of bug — and the same fix pattern — as #2451 / PR #2459, which handled the pharmacy name; this
change covers the prescription text itself.

Files changed:

  • src/main/webapp/oscarRx/printRx/PreviewContent.jsp

Fixes #2482

Problem

When a drug name or its (special) instructions contained a ", e.g. Tylenol "extra":

  • The faxed Rx PDF was cut off at the first ".
  • The encounter/chart note created by "Print & Add to encounter note" (and the fax + paste
    button) was cut off at the first ".

The on-screen preview looked correct, which masked the problem.

Root cause: in PreviewContent.jsp, the prescription text was rendered raw into two
double-quoted HTML hidden inputs:

<input type="hidden" name="rx"             value="${requestScope.strRx}"/>
<input type="hidden" name="rx_no_newlines" id="rx_no_newlines" value="${requestScope.strRxNoNewLines}"/>

Both values come from RxPrescriptionData.getFullOutLine() (drug name + instructions + special
instructions, concatenated). A " in that text closed the value="..." attribute early, so:

  • name="rx" — submitted via preview2Form to FrmCustomedPDFServlet
    (/form/createcustomedpdf) for the print/fax PDF. The form posted a truncated value, so
    the PDF was cut off. (The servlet splits the text on newlines/<br>, never on ", so the
    truncation is purely the browser closing the attribute at submit time.)
  • name="rx_no_newlines" — read in JS by printPaste2Parent() as
    document.getElementById("rx_no_newlines").value. The DOM only contained text up to the first
    ", so the encounter note was truncated.

The on-screen preview was unaffected because it renders the Rx in an HTML body context
(<td>${fullOutLine}</td>), where a literal " is harmless — the bug only manifests in the
attribute context of the hidden inputs.

This also explains the reporter's observation that the fax issue was recent while the
encounter note issue was long-standing: the fax-via-PDF-servlet path and the
rx_no_newlines input were introduced in the recent Rx print-preview refactor, whereas the
encounter-note paste has emitted Rx text into an unescaped attribute/JS context for far longer.
In the current code both symptoms share the one root cause above, so a single change resolves
both.

Solution

Encode the two hidden inputs at the output point, per context, instead of leaving them raw —
matching the already-correct sibling inputs in this same file (pharmaName, pharmaFax,
pharmacyInfo) that were fixed in PR #2459:

<input type="hidden" name="rx"
       value="<%= Encode.forHtmlAttribute(request.getAttribute("strRx") != null ? request.getAttribute("strRx").toString() : "") %>"/>
<input type="hidden" name="rx_no_newlines" id="rx_no_newlines"
       value="<%= Encode.forHtmlAttribute(request.getAttribute("strRxNoNewLines") != null ? request.getAttribute("strRxNoNewLines").toString() : "") %>"/>

Encode.forHtmlAttribute turns " into &#34;, so it can no longer break out of the
value="..." attribute. The encoding is transparent to both consumers — the browser decodes
it back to a literal ":

  • On form submit, FrmCustomedPDFServlet.getParameter("rx") receives the real value, so the
    printed/faxed PDF shows the full line.
  • On DOM read, getElementById("rx_no_newlines").value returns the real value, so the
    encounter note contains the full line.
image image image

Summary by Sourcery

Escape prescription text when rendering into hidden HTML inputs to prevent truncation when it contains double quotes.

Bug Fixes:

  • Ensure faxed/printed prescriptions are no longer cut off when drug names or instructions contain double quotes.
  • Ensure encounter notes created from prescriptions include the full text even when it contains double quotes.

Summary by CodeRabbit

  • Refactor
    • Improved internal data handling for prescription preview rendering with enhanced security measures.

@LiamStanziani LiamStanziani self-assigned this Jun 23, 2026
@LiamStanziani LiamStanziani linked an issue Jun 23, 2026 that may be closed by this pull request
2 tasks
@github-actions

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA dc97842.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

None

@sourcery-ai

sourcery-ai Bot commented Jun 23, 2026

Copy link
Copy Markdown
Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Escapes prescription text values when rendering them into hidden HTML input attributes so that embedded double quotes no longer truncate faxed/printed prescriptions or encounter-note text.

Sequence diagram for fax/print prescription flow with encoded hidden input

sequenceDiagram
    participant PreviewContent_jsp as PreviewContent_jsp
    participant Browser as Browser
    participant FrmCustomedPDFServlet as FrmCustomedPDFServlet

    PreviewContent_jsp->PreviewContent_jsp: Encode.forHtmlAttribute(strRx)
    PreviewContent_jsp->Browser: render rx hidden input with encoded value
    Browser->FrmCustomedPDFServlet: submit preview2Form with parameter rx
    FrmCustomedPDFServlet->FrmCustomedPDFServlet: getParameter(rx)
    FrmCustomedPDFServlet->FrmCustomedPDFServlet: generate PDF with full prescription text
Loading

Sequence diagram for encounter note creation using encoded rx_no_newlines

sequenceDiagram
    participant PreviewContent_jsp as PreviewContent_jsp
    participant Browser as Browser
    participant EncounterNote as EncounterNote

    PreviewContent_jsp->PreviewContent_jsp: Encode.forHtmlAttribute(strRxNoNewLines)
    PreviewContent_jsp->Browser: render rx_no_newlines hidden input with encoded value
    Browser->Browser: document.getElementById(rx_no_newlines).value
    Browser->EncounterNote: printPaste2Parent inserts full prescription text into note
Loading

File-Level Changes

Change Details Files
Apply OWASP HTML attribute encoding to prescription text before embedding it in hidden inputs used for PDF faxing and encounter-note creation.
  • Replace raw EL interpolation of the full prescription string in the hidden rx field with Encode.forHtmlAttribute on the corresponding request attribute, including a null-safe toString fallback.
  • Replace raw EL interpolation of the newline-stripped prescription string in the hidden rx_no_newlines field with Encode.forHtmlAttribute on the corresponding request attribute, including a null-safe toString fallback.
  • Leave sibling hidden inputs (e.g., additNotes) unchanged, maintaining consistency with previous fixes that already encode pharmacy-related fields.
src/main/webapp/oscarRx/printRx/PreviewContent.jsp

Assessment against linked issues

Issue Objective Addressed Explanation
https://github.com/openo-beta/Open-O/issues/2482 Ensure faxed/printed prescriptions that contain double quotes in the drug name or instructions are no longer truncated at the first double quote.
https://github.com/openo-beta/Open-O/issues/2482 Ensure encounter/chart notes created from prescriptions (e.g., via "Add to encounter note") that contain double quotes in the drug name or instructions are no longer truncated at the first double quote.

Possibly linked issues

  • #2482: PR applies HTML-attribute encoding to prescription hidden inputs, preventing double quotes from truncating faxed and noted text.

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@LiamStanziani

Copy link
Copy Markdown
Collaborator Author

@SourceryAI review

@LiamStanziani

Copy link
Copy Markdown
Collaborator Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 23, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request improves security in PreviewContent.jsp by replacing direct EL expressions for the 'rx' and 'rx_no_newlines' hidden input fields with JSP scriptlets that HTML-attribute-encode the values using Encode.forHtmlAttribute(), thereby mitigating potential Cross-Site Scripting (XSS) vulnerabilities. There are no review comments, and I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@coderabbitai

coderabbitai Bot commented Jun 23, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

In PreviewContent.jsp, two hidden form inputs (rx and rx_no_newlines) are updated to read prescription text values from servlet request attributes via request.getAttribute(...) with Encode.forHtmlAttribute(...) encoding and empty-string null fallbacks, replacing the previous JSP EL ${requestScope.*} expressions.

Changes

Prescription Hidden Input Source Fix

Layer / File(s) Summary
Hidden input value binding
src/main/webapp/oscarRx/printRx/PreviewContent.jsp
Hidden inputs rx and rx_no_newlines now read from request.getAttribute("strRx") and request.getAttribute("strRxNoNewLines") via Encode.forHtmlAttribute(...) with empty-string fallbacks, replacing ${requestScope.strRx} and ${requestScope.strRxNoNewLines}.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • D3V41

Poem

🐇 A tiny fix in a hidden field,
No EL expression, but getAttribute revealed!
Null becomes empty, safe and sound,
HTML-encoded, no XSS found.
The rabbit hops — two lines, all clear! 🌿

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title directly addresses the core bug: double quotes breaking prescriptions. It accurately reflects the main change—fixing a critical data loss issue caused by unencoded quotes in HTML attributes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch bug/using-double-quotes-breaks-prescriptions

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • Consider applying the same Encode.forHtmlAttribute treatment to additNotes (and any other hidden inputs carrying user/content data) for consistency and to avoid similar truncation/escaping issues in other fields.
  • The new scriptlet-based encoding for strRx and strRxNoNewLines introduces mixed styles with the surrounding EL-based attributes; if possible, consolidating on a single approach (e.g., a custom EL function for attribute encoding) would keep the JSP more uniform and easier to maintain.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- Consider applying the same `Encode.forHtmlAttribute` treatment to `additNotes` (and any other hidden inputs carrying user/content data) for consistency and to avoid similar truncation/escaping issues in other fields.
- The new scriptlet-based encoding for `strRx` and `strRxNoNewLines` introduces mixed styles with the surrounding EL-based attributes; if possible, consolidating on a single approach (e.g., a custom EL function for attribute encoding) would keep the JSP more uniform and easier to maintain.

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/main/webapp/oscarRx/printRx/PreviewContent.jsp`:
- Line 321: The hidden input field with name attribute `additNotes` has the same
encoding vulnerability as the prescription text fields fixed at lines 319-320.
Apply the same encoding/escaping pattern to the `${requestScope.comment}` value
in the value attribute of the `additNotes` input element to ensure that double
quote characters and other special characters are properly escaped and do not
prematurely close the attribute value, which would cause data truncation when
the form is submitted.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: db558b97-65ef-49c1-a8ef-55201f17563b

📥 Commits

Reviewing files that changed from the base of the PR and between 5f49a01 and dc97842.

📒 Files selected for processing (1)
  • src/main/webapp/oscarRx/printRx/PreviewContent.jsp

Comment thread src/main/webapp/oscarRx/printRx/PreviewContent.jsp
@LiamStanziani LiamStanziani marked this pull request as ready for review June 23, 2026 19:35
@qodo-code-review

Copy link
Copy Markdown

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan Learn more →

On a Teams plan?
Reviews resume once this user has a paid seat and their Git account is linked in Qodo.
Link Git account →

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center?
These require an Enterprise plan - Contact us
Contact us →

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 1 file

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

Re-trigger cubic

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug]: Using double quotes " breaks prescriptions

2 participants