Rest Secure

A security update for the long-standing CDA style sheet is available from Lantana Consulting Group here.

This update addresses a potential vulnerability exposed by use of the style sheet in many current internet applications by preventing malicious insertion of executable code into the display instructions for non-XML clinical documents (allowed as the body in Consolidated CDA), illegal table attributes, and image URIs to potentially hostile sites.

Back when the style sheet was developed and as it evolved through community efforts, browser support for XSLT stylesheets was not commonly seen as a potential source of vulnerabilities, and JavaScript support was not as consistent or pervasive as it is today. Now that these are no longer safe assumptions, we have responded to the potential threat by making the following security enhancements:

  • “Sanitizing” references in the nonXMLBody of a CDA document before passing it to an IFRAME.
  • Removing table attributes such as “onmouseover” that are legal in XHTML but not allowed in CDA
  • Allowing only local relative image URIs by default, but providing a parameter to the XSLT stylesheet to re-enable remote image support for those who need it.

Use of the style sheet is not required by any specification or conformance criteria, however, many people have found it a useful starting point for their own, local display requirements. We appreciate the action of the community to raise this issue and encourage all to continue to work to improve this utility.

The style sheet updates are not intended as a replacement for other security measures. Recipients should load CDA documents from trusted sources, validate them against both the CDA.xsd schema and appropriate Schematron schemas, scan XML files for potential JavaScript insertion before accepting them from 3rd parties, and stay current with best security practice. The vulnerabilities in the XSLT style sheet are only possible when other security measures are lax.

The style sheet today is being maintained by Lantana and is freely available at Discussion is underway to move it to a community repository such as HL7 GForge to support collaboration as it continues to evolve and play an important role in supporting interoperability.