
Update narrative sanitizer for potentially dangerous content#5468

Closed
feordin wants to merge 2 commits intomainfrom
user/jaerwin/html-narrative

Conversation

@feordin
Contributor

@feordin feordin commented Mar 27, 2026

Description

Improves checking the FHIR resource narrative for potentially dangerous content.
The following types of links inside an href property will be considered 'active' content, and not allowed:
  • "javascript:"
  • "vbscript:"
  • "data:"
  • "livescript:"
  • "file:"
  • "blob:"
  • "ftp:"
  • "ms-its:"
  • "mhtml:"
  • "jar:"
Any FHIR resource with one of these as part of an href property in the narrative will not pass validation and will be rejected by the service.

Related issues

Addresses [issue AB#186387].

Testing

Additional unit tests were added. Manually tried US Core 6.1.0 to ensure no regression in loading the IG.

FHIR Team Checklist

  • Update the title of the PR to be succinct and less than 65 characters
  • Add a milestone to the PR for the sprint that it is merged (i.e. add S47)
  • Tag the PR with the type of update: Bug, Build, Dependencies, Enhancement, New-Feature or Documentation
  • Tag the PR with Open source, Azure API for FHIR (CosmosDB or common code) or Azure Healthcare APIs (SQL or common code) to specify where this change is intended to be released.
  • Tag the PR with Schema Version backward compatible or Schema Version backward incompatible or Schema Version unchanged if this adds or updates Sql script which is/is not backward compatible with the code.
  • When changing or adding behavior, if your code modifies the system design or changes design assumptions, please create and include an ADR.
  • CI is green before merge
  • Review squash-merge requirements

Semver Change (docs)

Patch|Skip|Feature|Breaking (reason)
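The check the description specifies, written out as an added Python example rather than code from the fhir-server project (whose sanitizer is C#): it parses the narrative's XHTML, pulls out every href, normalizes the URL the way browsers do before reading the scheme, and rejects the schemes the description lists. The scheme list is the one from the PR description; the two XHTML narratives, the function names and the example URLs are constructed for this illustration. The normalization step is the part worth copying: browsers drop leading and trailing control characters and spaces, strip tabs and newlines anywhere in the URL, and match the scheme case-insensitively, so a sanitizer that does a plain case-sensitive prefix comparison on the raw attribute value will accept hrefs that a browser still treats as active.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# URL schemes the PR description treats as "active" content inside an href.
ACTIVE_SCHEMES = frozenset({
    "javascript", "vbscript", "data", "livescript", "file",
    "blob", "ftp", "ms-its", "mhtml", "jar",
})

# A URL scheme is a letter followed by letters, digits, "+", "-" or ".",
# terminated by ":" (RFC 3986 section 3.1).
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def normalize_url(href: str) -> str:
    """Apply the WHATWG URL parser's pre-processing: drop leading and trailing
    C0 control characters and spaces, then remove ASCII tab, LF and CR anywhere.
    Browsers do this before reading the scheme, so the sanitizer must do it too
    or a scheme padded with whitespace slips past a plain string comparison."""
    trimmed = re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", href)
    return re.sub(r"[\t\n\r]", "", trimmed)


def href_scheme(href: str) -> Optional[str]:
    """Return the lower-cased scheme of an href, or None for relative links,
    fragments and anything else without a scheme."""
    match = _SCHEME_RE.match(normalize_url(href))
    return match.group(1).lower() if match else None


def find_active_hrefs(narrative_xhtml: str) -> List[str]:
    """Parse the narrative's XHTML div and return every href value (as received)
    whose normalized scheme is on the active-content denylist."""
    root = ET.fromstring(narrative_xhtml)
    flagged = []
    for element in root.iter():
        for name, value in element.attrib.items():
            # Attribute names may come back namespace-qualified as "{ns}href";
            # compare the local name, case-insensitively.
            if name.rsplit("}", 1)[-1].lower() != "href":
                continue
            if href_scheme(value) in ACTIVE_SCHEMES:
                flagged.append(value)
    return flagged


def narrative_is_safe(narrative_xhtml: str) -> bool:
    """Validation outcome for one resource narrative: True if no href
    carries an active-content scheme."""
    return not find_active_hrefs(narrative_xhtml)


# Constructed sample narratives (not taken from the page or any real resource).
SAFE_NARRATIVE = (
    '<div xmlns="http://www.w3.org/1999/xhtml">'
    '<p>Patient summary</p>'
    '<a href="https://example.org/summary">summary</a>'
    '<a href="#section-2">section 2</a>'
    '</div>'
)

UNSAFE_NARRATIVE = (
    '<div xmlns="http://www.w3.org/1999/xhtml">'
    '<a href="https://example.org/ok">fine</a>'
    '<a href="JaVaScRiPt:void(0)">mixed case</a>'           # case must not matter
    '<a href="  data:text/plain,hello">leading spaces</a>'  # leading whitespace is trimmed
    '<a href="java&#x9;script:void(0)">tab in scheme</a>'   # tab inside the scheme is removed
    '</div>'
)

if __name__ == "__main__":
    print("safe narrative accepted:", narrative_is_safe(SAFE_NARRATIVE))
    print("unsafe narrative flagged hrefs:", find_active_hrefs(UNSAFE_NARRATIVE))
```

`find_active_hrefs` returns the raw attribute values so a validation error can quote exactly what was received, while the decision itself is made on the normalized form. The tab case uses an XML character reference because the XML parser keeps `&#x9;` as a tab, whereas a literal tab in an attribute value would be normalized to a space before the sanitizer ever saw it.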

@feordin feordin added this to the CY25Q3/2Wk20 milestone Mar 27, 2026
@feordin feordin requested a review from a team as a code owner March 27, 2026 19:50
@feordin feordin added Bug-Security Security related bugs. Priority-Soon There is a workaround but painful. Need to be fixed within the current milestone. Azure API for FHIR Label denotes that the issue or PR is relevant to the Azure API for FHIR Azure Healthcare APIs Label denotes that the issue or PR is relevant to the FHIR service in the Azure Healthcare APIs Schema Version unchanged No-ADR ADR not needed labels Mar 27, 2026
@codecov-commenter

codecov-commenter commented Mar 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@5350419). Learn more about missing BASE report.

Additional details and impacted files


@@           Coverage Diff           @@
##             main    #5468   +/-   ##
=======================================
  Coverage        ?   76.90%           
=======================================
  Files           ?      976           
  Lines           ?    35614           
  Branches        ?     5355           
=======================================
  Hits            ?    27388           
  Misses          ?     6894           
  Partials        ?     1332           

@feordin feordin added the PaaS-breaking-change Add this label if your changes will require additional changes in PaaS repos to be complete label Mar 31, 2026
@jestradaMS jestradaMS added KI-Breaking This is a known issue that causes a breaking change and removed PaaS-breaking-change Add this label if your changes will require additional changes in PaaS repos to be complete labels Apr 6, 2026
@apurvabhaleMS apurvabhaleMS added the Blocked The issue is blocked. label Apr 6, 2026
@apurvabhaleMS apurvabhaleMS self-requested a review April 6, 2026 17:55
