[imaging_browser] Escape the header table in view session page

[driusan]

The header table in the imaging_browser viewSession page is generated
by smarty, but the variables are not properly escaped. This adds the
|escape filter to all the outputs to fix reflected XSS attacks on that page.
(In particular, the outputType which comes from the URL, but all variables
are HTML escaped in this PR just to be on the safe side.)

[ridz1208]

@driusan approved in theory, but I'm curious to know from @jesscall or @cmadjar if this affects functionality in any way.

[driusan]

It shouldn't, DoB/Sex/QC Status/Visit Label/etc shouldn't have any HTML in them, but I'll wait for confirmation before merging..

[driusan]

@jesscall @cmadjar can you confirm that this isn't going to break anything?

[jesscall]

Looks good

I agree with @driusan, there shouldn't be any HTML in these vars. Curious to know however what would happen if there is a special character in any of the variables (& " ' < > *). For example, the scanner name is not set by us / a developer.

Is there an example on RB somewhere of the outputType being set? I'm not familiar where that comes from and would be interested in testing that aspect based on this comment:

to fix reflected XSS attacks on that page.
(In particular, the outputType which comes from the URL

[driusan]

The outputType comes from the URL, that's why this is a security problem that needs to be fixed.

[jesscall]

@driusan yes, but from what I've seen outputType in the header table is always empty. In what case is a value actually displayed from the URL? What does it correspond to ?

[jesscall]

NVM, realized if you choose anything other than all types on imaging browser it is filled out (defaced, native)