escapeJs vulnerable to XSS

api/src/main/java/org/openmrs/ui/framework/UiUtils.java

@@ -477,7 +477,10 @@ public String escapeJs(String input) {
 		if (input == null) {
 			return null;
 		}
+
+		input = input.replaceAll("\\\\", "\\\\\\\\");
 		input = input.replaceAll("\n", "\\\\n");
+		input = input.replaceAll("\r", "\\\\r");
 		input = input.replaceAll("'", "\\\\'");
 		input = input.replaceAll("\"", "\\\\\"");
 		return input;
@@ -683,11 +686,11 @@ public String getClientTimezone() {
 	public void setClientTimezone(String clientTimezone) {
 		try {
 			Context.addProxyPrivilege(PrivilegeConstants.EDIT_USERS);
-
+			
 			String propertyName = Context.getAdministrationService()
-					.getGlobalProperty(UiFrameworkConstants.UP_CLIENT_TIMEZONE);
+			        .getGlobalProperty(UiFrameworkConstants.UP_CLIENT_TIMEZONE);
 			String currentClientTimezone = Context.getAuthenticatedUser().getUserProperty(propertyName);
-
+			
 			if (currentClientTimezone == null || !currentClientTimezone.equals(clientTimezone)) {
 				Context.getUserService().setUserProperty(Context.getAuthenticatedUser(), propertyName, clientTimezone);
 			}

api/src/test/java/org/openmrs/ui/framework/UiUtilsTest.java

@@ -122,4 +122,26 @@ public void urlBind_shouldProperlyBindPatientAndVisit() {
 
 	}
 
+	@Test
+	public void escapeJs_shouldEscapeBackslash() {
+		Assert.assertEquals("Foo \\\\", ui.escapeJs("Foo \\"));
+	}
+
+	@Test
+	public void escapeJs_shouldPreventXSSViaBackslashInjection() {
+		// exact payload from the bug report
+		String result = ui.escapeJs("Foo \\\"}];alert(0);[// Bar");
+		Assert.assertTrue(result.contains("\\\\")); // backslash must be doubled
+	}
+
+	@Test
+	public void escapeJs_shouldEscapeDoubleQuote() {
+		Assert.assertEquals("say \\\"hi\\\"", ui.escapeJs("say \"hi\""));
+	}
+
+	@Test
+	public void escapeJs_shouldReturnNullForNullInput() {
+		Assert.assertNull(ui.escapeJs(null));
+	}
+
 }