UserListItem Name Fields

I am trying to set the Family, Given, and Middle names for a UserListItem that appears in a search popup in the legacy-ui (on the Manage Alerts page pictured below).

The DWRUserService is using the findUsers and getAllUsers methods to return lists of UserListItems that are used to populate the popup as seen in the network traffic in the image above.

Since the UserListItem object does not have attributes for Family, Given, or Middle names, I am wondering how to set these values before it is sent to the UI. (Or, I am wondering how the application is able to get these values before they are given to the UI.)

I have done some digging and see where I might be able to get the information from a user using something like: user.getPerson().getPersonName().

However, I am hoping to do HTML sanitization on these values, so I don’t know that it is a good idea to directly sanitize the values in the PersonName object for this user rather than somehow sanitizing the values in the UserListItem object.

Could someone help me out with this? @herbert24 @isears

The data you are looking for is displayed with the help of a widget, and the widget ID is passed. Check out these two lines: openmrs-module-legacyui/alertForm.jsp at cf00ec9c92f815ed5976c1541d8286014d6e99dc · openmrs/openmrs-module-legacyui · GitHub and openmrs-module-legacyui/alertForm.jsp at cf00ec9c92f815ed5976c1541d8286014d6e99dc · openmrs/openmrs-module-legacyui · GitHub

Yes, I agree with this. One option is to create a new DWR function in the DWRUserService (something like getAllUsersSafe()) that just returns short-lived copies of the real user objects, but with usernames and person names that have been HTML-encoded. Then the .jsps that @herbert24 pointed out would have to be edited to call getAllUsersSafe() instead of getAllUsers(). It’s going to be a slightly heavier lift than the typical XSS patch, but we can talk through how to go about that in more detail at the next security sync meeting.
