From ae3b6980d9526500d390e1813d9fc22b0a1ed8d1 Mon Sep 17 00:00:00 2001
From: Marty Pradere <martyp@labkey.com>
Date: Mon, 22 Jun 2026 15:27:15 -0600
Subject: [PATCH] Fix stored XSS in billing notification charge summary report

The per-financial-analyst tables in BillingNotification.createChargeSummaryReport interpolated editor-entered database values (investigator, project, debitedAccount, projectNumber, category) and their derived URLs directly into HTML without escaping. This HTML is rendered verbatim into the LDK RunNotificationAction admin preview via HtmlString.unsafe and is also sent as the HTML email body, so a stored payload in any of those project/alias fields executed in the browser of any user who previewed the notification or received the email. Wrap every tainted value with PageFlowUtil.filter, applying the same encoding the adjacent Charge Summary category table already used.
---
 .../notification/BillingNotification.java          | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/ehr_billing/src/org/labkey/ehr_billing/notification/BillingNotification.java b/ehr_billing/src/org/labkey/ehr_billing/notification/BillingNotification.java
index fdde62318..feb5edd73 100644
--- a/ehr_billing/src/org/labkey/ehr_billing/notification/BillingNotification.java
+++ b/ehr_billing/src/org/labkey/ehr_billing/notification/BillingNotification.java
@@ -464,8 +464,8 @@ protected void createChargeSummaryReport(final StringBuilder msg, Date lastInvoi
 
                     String baseUrl = createURL(containerMap.get(category), centerSpecificBillingSchema, categoryToQuery.get(category), null) + "&query.param.StartDate=" + getDateFormat(c).format(start.getTime()) + "&query.param.EndDate=" + getDateFormat(c).format(endDate.getTime());
                     String projUrl = baseUrl + ("None".equals(tokens[1]) ? "&query.project~isblank" : "&query.project~eq=" + tokens[1]);
-                    msg.append("<tr><td>" + financialAnalyst + "</td>");    //the FA
-                    msg.append("<td><a href='" + projUrl + "'>" + tokens[1] + "</a></td>");
+                    msg.append("<tr><td>" + PageFlowUtil.filter(financialAnalyst) + "</td>");    //the FA
+                    msg.append("<td><a href='" + PageFlowUtil.filter(projUrl) + "'>" + PageFlowUtil.filter(tokens[1]) + "</a></td>");
 
                     String accountUrl = null;
                     Container financeContainer = EHR_BillingManager.get().getBillingContainer(containerMap.get(category));
@@ -476,22 +476,22 @@ protected void createChargeSummaryReport(final StringBuilder msg, Date lastInvoi
 
                     if (accountUrl != null)
                     {
-                        msg.append("<td><a href='" + accountUrl + "'>" + tokens[2] + "</a></td>");
+                        msg.append("<td><a href='" + PageFlowUtil.filter(accountUrl) + "'>" + PageFlowUtil.filter(tokens[2]) + "</a></td>");
                     }
                     else
                     {
-                        msg.append("<td>" + (tokens[2]) + "</td>");
+                        msg.append("<td>" + PageFlowUtil.filter(tokens[2]) + "</td>");
                     }
 
-                    msg.append("<td>" + (tokens[3]) + "</td>");
-                    msg.append("<td>" + category + "</td>");
+                    msg.append("<td>" + PageFlowUtil.filter(tokens[3]) + "</td>");
+                    msg.append("<td>" + PageFlowUtil.filter(category) + "</td>");
 
                     for (FieldDescriptor fd : foundCols)
                     {
                         if (totals.containsKey(fd.getFieldName()))
                         {
                             String url = projUrl + fd.getFilter();
-                            msg.append("<td" + (fd.isShouldHighlight() ? " style='background-color: yellow;'" : "") + "><a href='" + url + "'>" + totals.get(fd.getFieldName()) + "</a></td>");
+                            msg.append("<td" + (fd.isShouldHighlight() ? " style='background-color: yellow;'" : "") + "><a href='" + PageFlowUtil.filter(url) + "'>" + totals.get(fd.getFieldName()) + "</a></td>");
                         }
                         else
                         {