A potential security vulnerability in the long-standing CDA® (Clinical Document Architecture) style sheet was recently raised, and the community took quick action to update the style sheet and address each issue.
This update addresses a potential vulnerability exposed when the style sheet is used in many current internet applications. It prevents the malicious insertion of executable code through three routes: the display instructions for non-XML (Extensible Markup Language) clinical documents (allowed as the body in Consolidated CDA), illegal table attributes, and image URIs (uniform resource identifiers) pointing to potentially hostile sites. The changes are:
“Sanitizing” references in the nonXMLBody of a CDA document before passing them to an IFRAME.
Removing table attributes such as “onmouseover” that are legal in XHTML but not allowed in CDA.
Allowing only local relative image URIs by default, while providing a parameter to the XSLT style sheet to re-enable remote image support for those who need it.
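As an added illustration (not the HL7 style sheet's own XSLT), the three policies above expressed as a stand-alone Python check over a constructed CDA fragment: on* handler attributes are stripped from table markup, and reference URIs in the nonXMLBody and in image media are kept only when local and relative unless allow_remote is set, mirroring the style sheet parameter. The simplified element nesting, the http(s)-only rule for remote references, and the rejection of root-anchored or ".." paths are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

CDA_NS = "urn:hl7-org:v3"
TABLE_TAGS = {"table", "caption", "colgroup", "col", "thead", "tbody", "tfoot", "tr", "th", "td"}

def is_local_relative(uri):
    """True only for a plain relative path: no scheme, no host, not root-anchored, no '..' segments."""
    parts = urlsplit(uri.strip())
    if parts.scheme or parts.netloc:           # rejects http:, javascript:, data:, file:, //host/...
        return False
    path = parts.path
    if not path or path.startswith("/") or "\\" in path:
        return False
    return ".." not in path.split("/")

def uri_allowed(uri, allow_remote=False):
    """Default: local relative only. allow_remote mirrors the style sheet parameter (assumed: http(s) only)."""
    if is_local_relative(uri):
        return True
    return allow_remote and urlsplit(uri.strip()).scheme in ("http", "https")

def sanitize(xml_text, allow_remote=False):
    """Strip on* handlers from table markup and drop disallowed <reference> URIs (nonXMLBody and images)."""
    ET.register_namespace("", CDA_NS)
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    removed = []                                # audit trail of what was stripped
    for el in list(root.iter()):
        local = el.tag.rsplit("}", 1)[-1]
        if local in TABLE_TAGS:
            for attr in [a for a in el.attrib if a.lower().startswith("on")]:
                removed.append(f"{local}/@{attr}")
                del el.attrib[attr]
        elif local == "reference" and "value" in el.attrib and not uri_allowed(el.attrib["value"], allow_remote):
            removed.append(f"reference/@value={el.attrib['value']}")
            parents[el].remove(el)
    return ET.tostring(root, encoding="unicode"), removed

# Constructed sample with simplified CDA nesting; not a real document.
SAMPLE = """<ClinicalDocument xmlns="urn:hl7-org:v3">
 <component><nonXMLBody><text mediaType="text/html">
  <reference value="javascript:alert(1)"/></text></nonXMLBody></component>
 <component><structuredBody><component><section>
  <text><table border="1" onmouseover="alert(2)"><tr><td onclick="alert(3)">x</td></tr></table></text>
  <entry><observationMedia ID="MM1"><value mediaType="image/png">
   <reference value="https://evil.example/track.png"/></value></observationMedia></entry>
  <entry><observationMedia ID="MM2"><value mediaType="image/png">
   <reference value="images/xray.png"/></value></observationMedia></entry>
 </section></component></structuredBody></component>
</ClinicalDocument>"""
```

Running sanitize(SAMPLE) keeps the harmless border attribute and the relative image path while removing both event handlers, the javascript: reference and the remote image; with allow_remote=True only the remote image survives in addition.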
The updated style sheet is available at http://gforge.hl7.org/gf/project/strucdoc/frs/?action=index.
We appreciate the community's action in raising this issue and encourage all to continue working to improve this utility. Special thanks to Lantana Consulting Group for working tirelessly to address these concerns quickly and efficiently.
Last modified 21/05/14