ID

RM136

Version

1.0.0

Type

Roadmap Item


Title

e-Referral Service (e-RS) HTML Attachments

Description

Disallow HTML attachments from being uploaded to e-RS

Date Added

 

Standards and Capabilities
Change Route

Managed Capacity - Minor/Patch uplifts

Change Type

Uplift

Status

Draft

Publication Date 
Effective Date

 

Incentives / Funding

No

Incentive Dates

N/A


Background

The e-RS programme team enabled access to e-RS over the internet in 2021. As part of this project, we carried out a review against the Open Web Application Security Project (OWASP) standards and identified a number of risks which require mitigation. One of these risks relates to HTML files: dynamic content can be included within an HTML file, which could turn the file into an attack vector.


Outline Plan

Disallowing HTML – e-RS will no longer accept files attached as .HTML or .HTM from June 2022. It would therefore be prudent to reject HTML uploads earlier in the process, so that they are not subsequently rejected by e-RS.

For information, in relation to future e-RS attachment developments: we are making suppliers aware that new FHIR4 APIs will be available in future. These will allow uploading and downloading of 100MB attachments, should suppliers wish to provide this integrated capability for their users.


Summary of Change

The uploading of HTML files will be disallowed (note that existing HTML files will still be downloadable). 

GP System Suppliers will need to ensure that descriptive error message handling informs the user that these files are not allowed, and that any documentation or screens presented to the user detailing allowed/disallowed file types are updated.

It may be prudent to reject HTML uploads earlier in the process, so that they are not subsequently rejected by e-RS.

The e-RS specification has been updated to disallow .HTML and .HTM files from being uploaded to e-RS. Within the GPIT Futures Standards and Capabilities Model, the eRS Interoperability Standard will be updated with the latest specification.



Assurance Approach

The supplier solution must meet the updated specification, and the supplier must provide a statement notifying the e-RS team that .HTML and .HTM are now disallowed file types.
