We’ve identified several potential security issues that arise from allowing the use of HTML characters (i.e. ") in relationship type names.
One proposed fix prevents relationship types with these characters from ever being created in the first place: RA-1865: Patch bugs discovered by NCSU team by Parth59 · Pull Request #3708 · openmrs/openmrs-core · GitHub
I just wanted to see if anyone can think of a situation in which HTML characters are required when defining relationship types? If so we’ll have to figure out another way to patch this issue.
@grace is this something we could devote a few minutes to discussing at the TAC call this Friday?