A security update for the long-standing CDA style sheet is available from Lantana Consulting Group here.
This update addresses a potential vulnerability exposed by use of the style sheet in many current internet applications by preventing malicious insertion of executable code into the display instructions for non-XML clinical documents (allowed as the body in Consolidated CDA), illegal table attributes, and image URIs to potentially hostile sites.
- “Sanitizing” references in the nonXMLBody of a CDA document before passing it to an IFRAME.
- Removing table attributes such as “onmouseover” that are legal in XHTML but not allowed in CDA
- Allowing only local relative image URIs by default, but providing a parameter to the XSLT stylesheet to re-enable remote image support for those who need it.
Use of the style sheet is not required by any specification or conformance criteria, however, many people have found it a useful starting point for their own, local display requirements. We appreciate the action of the community to raise this issue and encourage all to continue to work to improve this utility.
The style sheet today is being maintained by Lantana and is freely available at https://www.lantanagroup.com/resources/free-tools/. Discussion is underway to move it to a community repository such as HL7 GForge to support collaboration as it continues to evolve and play an important role in supporting interoperability.