Fix: resolve JavaScript/Java errors in oscarRx prescription module (Search Drug3, ShowAllergies2, StaticScript, SideLinks, RxSearchAllergy2Form)

[LiamStanziani]

In this PR, I have fixed:

1. SearchDrug3.jsp - Extra orphan } causing malformed Medications page

File: src/main/webapp/oscarRx/SearchDrug3.jsp
Issue: Extra } at line 1237 broke JS parsing, causing iterateStash is not defined
Fix: Removed the orphan brace

---

2. SideLinksNoEditFavorites.jsp - Self-closing script tag (no breaking changes, but could cause issues in the future with modifications to the JSP pages)

File: src/main/webapp/oscarRx/SideLinksNoEditFavorites.jsp (line 81)
Issue: <script ... /> is invalid HTML5
Fix: Changed to <script ...></script>

---

3. SideLinksNoEditFavorites2.jsp - Self-closing script tag (no breaking changes, but could cause issues in the future with modifications to the JSP pages)

File: src/main/webapp/oscarRx/SideLinksNoEditFavorites2.jsp (line 82)
Issue: <script ... /> is invalid HTML5
Fix: Changed to <script ...></script> (didn't break the pages, but could cause issues in the future if the surrounding scripts are modified)

---

4. StaticScript2.jsp - Malformed script tags (no breaking changes, but could cause issues in the future with modifications to the JSP pages)

File: src/main/webapp/oscarRx/StaticScript2.jsp (lines 131-134)
Issue: Broken script tag syntax
Fix: Corrected to proper <script ...></script> format

---

5. StaticScript2.jsp, StaticScript.jsp, WriteScript.jsp - Null check for prompt

Files: Multiple files with addFavorite function
Issue: window.prompt() returns null when cancelled, causing .length error, doesn't break the page but will output the error
Fix: Added null check: if (favoriteName !== null && favoriteName.length > 0)

---

6. SideLinksEditFavorites2.jsp - Missing useFav2 function

File: src/main/webapp/oscarRx/SideLinksEditFavorites2.jsp
Issue: useFav2 is not defined when clicking favorites in ShowAllergies2.jsp
Fix: Added the useFav2() function with comment explaining its purpose

---

7. ShowAllergies2.jsp - toggleSection not defined

File: src/main/webapp/oscarRx/ShowAllergies2.jsp
Issue: Function was defined as jQuery plugin inside $(document).ready(), not accessible to AJAX-loaded content
Fix:

• Added global toggleSection() function outside $(document).ready()
• Removed conflicting jQuery click handler that caused double-toggling

---

Java Fixes

8. RxSearchAllergy2Form.java - JSON parsing error

File: src/main/java/ca/openosp/openo/prescript/pageUtil/RxSearchAllergy2Form.java
Issue: Failed to parse JSON to POJO - unrecognized field reactionDescription due to having different JSON structures between the add allergies and search allergies functionality (having both open at the same time will fail)
Fix: Added @JsonIgnoreProperties(ignoreUnknown = true) annotation and import

---

Additional fixes after first PR state:

1. XML Parsing Errors on AJAX responses

• Files: RxHideCpp2Action.java, RxReorder2Action.java
• Problem: Browser displayed "XML Parsing Error: syntax error" when toggling the "Hide from CPP" checkbox or reordering drugs
• Cause: Actions were returning plain text "ok" without setting the response content type, causing browsers to interpret the response as XML
• Fix: Added response.setContentType("text/plain") and response.setCharacterEncoding("UTF-8") before writing the response

2. 400 Errors on Longterm/Acute filter options

• File: SearchDrug3.jsp
• Problem: Clicking "Longterm/Acute" or "Longterm/Acute/Inactive/External" filter options resulted in 400 Bad Request errors
• Cause: The callAdditionWebService() function was missing the context path prefix that callReplacementWebService() had, causing requests to invalid URLs
• Fix: Added context path logic to callAdditionWebService() to match the pattern used in callReplacementWebService()

3. JavaScript TypeError on filter options

• File: ListDrugs.jsp
• Problem: "Uncaught TypeError: can't access property 'addEventListener', element is null" when using Longterm/Acute/Inactive/External filter
• Cause: Event.observe() was called directly on element IDs without checking if the element exists; when multiple AJAX calls load filtered drug lists,
  some entries may not be present
• Fix: Wrapped the event observer in a null check to only attach the listener when the element exists

4. Reveresed "Exact" and "Any" searching options, defaulted the new "Exact" to be the first option, and set as checked by default

I have tested this by:

• Testing the Rx functionality (for community drugref testing)

Summary by Sourcery

Fix JavaScript and JSON parsing issues in the oscarRx prescription module to restore allergy search behavior and favorites handling without runtime errors.

Bug Fixes:

• Restore allergy search result toggling in ShowAllergies2.jsp by introducing a globally accessible toggleSection handler and removing the conflicting jQuery click binding.
• Fix missing favorites handler on the allergies page by defining useFav2 in SideLinksEditFavorites2.jsp.
• Prevent JavaScript errors when cancelling favorites prompts by adding null checks around window.prompt results in StaticScript.jsp, StaticScript2.jsp, and WriteScript.jsp.
• Correct malformed and self-closing script tags in StaticScript2.jsp and the SideLinksNoEditFavorites JSPs so required JavaScript assets load reliably.
• Resolve a stray brace in SearchDrug3.jsp that caused script parsing issues on the Medications page.
• Harden RxSearchAllergy2Form JSON deserialization to ignore unknown fields, avoiding parsing failures when extra reaction-related fields are present in the submitted form.

Enhancements:

• Add explanatory documentation to RxSearchAllergy2Form and related JSPs to clarify interaction between allergy search forms, AJAX-loaded content, and server-side parsing expectations.

---

Summary by cubic

Fixes multiple JavaScript errors and malformed script tags in the oscarRx prescription module, restoring allergy search toggling and favorites without console errors. Also hardens JSON parsing, prevents an NPE in ChooseDrug.jsp when drugref returns null, and removes 404s/undefined errors in Rx filters.

• Bug Fixes
  • SearchDrug3.jsp: removed orphan brace that broke JS parsing; prefixed Ajax URLs with context path to prevent 404s in Longterm/Acute filters; aligned Exact/Any search default with production.
  • ShowAllergies2.jsp: added global toggleSection for AJAX-loaded results; removed conflicting click handler.
  • SideLinksEditFavorites2.jsp: added missing useFav2 (with encoded favorite ID) to enable favorites from the allergies page.
  • StaticScript.jsp, StaticScript2.jsp, WriteScript.jsp: added null checks for window.prompt to prevent errors on cancel.
  • SideLinksNoEditFavorites.jsp/2 and StaticScript2.jsp: fixed invalid/self-closing script tags.
  • RxSearchAllergy2Form.java: added @JsonIgnoreProperties(ignoreUnknown = true) to avoid JSON parsing errors from extra fields.
  • ChooseDrug.jsp: guarded against null drugSearch to avoid NullPointerException when drugref is unavailable or returns no results.
  • RxHideCpp2Action.java / RxReorder2Action.java: return UTF-8 plain text responses to prevent XML parsing errors; ListDrugs.jsp: guarded checkbox event binding to avoid undefined errors when elements are missing.

^{Written for commit 69299d5. Summary will update on new commits.}

Summary by CodeRabbit

Release Notes

• Bug Fixes

  • Improved error handling when drug reference service is unavailable
  • Added null-safety checks for user prompts to prevent crashes when canceled
  • Fixed script tag syntax errors to ensure proper resource loading
  • Added guards against missing UI elements to prevent runtime errors

• New Features

  • Added expand/collapse toggle functionality for allergy search results
  • Added quick navigation to drug search using saved favorites

• Improvements

  • Adjusted wildcard search options default behavior
  • Enhanced response handling for better data formatting

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[sourcery-ai]

Reviewer's Guide

Fixes multiple JavaScript runtime issues and HTML/script tag malformations in oscarRx JSPs, and hardens JSON deserialization for allergy search, to restore favorites and allergy search behavior without console or server errors.

Sequence diagram for allergy search JSON handling with RxSearchAllergy2Form

sequenceDiagram
    actor User
    participant Browser
    participant ShowAllergies2_jsp
    participant RxSearchAllergy2Action
    participant JacksonObjectMapper
    participant RxSearchAllergy2Form

    User->>Browser: Fill and submit allergy search form
    Browser->>ShowAllergies2_jsp: POST serialized form data
    ShowAllergies2_jsp->>RxSearchAllergy2Action: Forward request with JSON payload
    RxSearchAllergy2Action->>JacksonObjectMapper: Map JSON to RxSearchAllergy2Form
    JacksonObjectMapper->>RxSearchAllergy2Form: Populate known fields (searchString, etc.)
    JacksonObjectMapper-->>RxSearchAllergy2Action: Ignore unknown fields due to JsonIgnoreProperties_ignoreUnknown_true
    RxSearchAllergy2Action->>RxSearchAllergy2Action: Execute allergy search
    RxSearchAllergy2Action-->>ShowAllergies2_jsp: Return search results model
    ShowAllergies2_jsp-->>Browser: Render allergy search results

Loading

Sequence diagram for global toggleSection in allergy search results

sequenceDiagram
    actor User
    participant Browser
    participant ShowAllergies2_jsp
    participant ChooseAllergy2_jsp
    participant toggleSection

    User->>Browser: Click expander icon in allergy results
    Browser->>ChooseAllergy2_jsp: Trigger onclick handler on anchor
    ChooseAllergy2_jsp->>toggleSection: Call toggleSection(typecode)
    toggleSection->>toggleSection: Lookup typecode_img and typecode_content elements
    alt Expander_icon_shows_expander
        toggleSection->>Browser: Set image src to collapser and display content block
    else Expander_icon_shows_collapser
        toggleSection->>Browser: Set image src to expander and hide content block
    end

Loading

Sequence diagram for useFav2 favorites navigation from allergies page

sequenceDiagram
    actor User
    participant Browser
    participant ShowAllergies2_jsp
    participant SideLinksEditFavorites2_jsp
    participant SearchDrug3_jsp

    User->>Browser: Click favorite in allergies sidebar
    Browser->>SideLinksEditFavorites2_jsp: Execute onclick handler
    SideLinksEditFavorites2_jsp->>Browser: Call useFav2(favoriteId)
    Browser->>Browser: useFav2 sets location href to SearchDrug3_jsp with usefav and favid
    Browser->>SearchDrug3_jsp: Navigate to SearchDrug3.jsp?usefav=true&favid=favoriteId
    SearchDrug3_jsp->>SearchDrug3_jsp: Load page and stage selected favorite
    SearchDrug3_jsp-->>Browser: Render medications page with staged favorite

Loading

Updated class diagram for RxSearchAllergy2Form JSON handling

classDiagram
    class RxSearchAllergy2Form {
        <<JsonIgnoreProperties_ignoreUnknown_true>>
        -searchString : String
    }

Loading

File-Level Changes

Change	Details	Files
Restore allergy search section toggling by making the toggle handler globally accessible and simplifying the click logic.	Add a global plain-JS toggleSection(typecode) function that swaps expander/collapser icons and toggles the associated content block Remove the jQuery click-binding implementation that duplicated toggle logic and conflicted with AJAX-loaded content, documenting that toggling is now driven via onclick in the AJAX markup	src/main/webapp/oscarRx/ShowAllergies2.jsp
Prevent JSON parsing failures for allergy search requests when extra fields are present in the serialized form.	Import JsonIgnoreProperties from Jackson annotations Annotate the RxSearchAllergy2Form class with @JsonIgnoreProperties(ignoreUnknown = true) and document that it is required because the search form may include nested AddReaction2.jsp fields such as reactionDescription and ID	src/main/java/ca/openosp/openo/prescript/pageUtil/RxSearchAllergy2Form.java
Ensure the allergies favorites sidebar can invoke the existing favorite-staging flow used by the medications page.	Add a small inline script defining useFav2(favoriteId) that redirects to SearchDrug3.jsp with usefav=true and the selected favorite ID Document that this function mirrors the implementation in SearchDrug3.jsp and is required by ShowAllergies2.jsp favorite staging	src/main/webapp/oscarRx/SideLinksEditFavorites2.jsp
Fix malformed and self-closing script tags so core JS libraries load reliably.	Convert invalid self-closing script tags that referenced Oscar.js into proper <script>...</script> tags in the non-edit favorites sidebars Correct malformed script tag syntax for prototype.js and scriptaculous.js, removing stray closing fragments and using standard opening/closing tags	src/main/webapp/oscarRx/SideLinksNoEditFavorites.jsp src/main/webapp/oscarRx/SideLinksNoEditFavorites2.jsp src/main/webapp/oscarRx/StaticScript2.jsp
Prevent JavaScript errors when users cancel the favorites name prompt across Rx pages.	Update addFavorite2 in StaticScript2.jsp to guard on favoriteName !== null before checking favoriteName.length and logging the favorite-add URL Update favorites-creation logic in StaticScript.jsp and WriteScript.jsp to include a null check before length and redirect operations so canceling the prompt does nothing silently	src/main/webapp/oscarRx/StaticScript2.jsp src/main/webapp/oscarRx/StaticScript.jsp src/main/webapp/oscarRx/WriteScript.jsp
Fix a malformed function block that broke JavaScript parsing on the Medications page.	Remove an orphan closing brace following renderRxStage() that caused the following function declaration (checkboxRevertStatus) to be syntactically invalid and led to runtime errors like iterateStash is not defined	src/main/webapp/oscarRx/SearchDrug3.jsp

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Walkthrough

This pull request introduces null-safety checks, HTTP response metadata configuration, and JavaScript enhancements across backend Java classes and JSP frontend files. Changes include Jackson annotation support for JSON deserialization, explicit HTTP response headers in action classes, defensive programming patterns in drug search and allergy pages, and corrections to script tag syntax and event handling.

Changes

Cohort / File(s)	Summary
Form Bean Jackson Support src/main/java/ca/openosp/openo/prescript/pageUtil/RxSearchAllergy2Form.java	Added @JsonIgnoreProperties(ignoreUnknown = true) annotation to enable graceful handling of unknown fields during JSON deserialization
HTTP Response Configuration src/main/java/ca/openosp/openo/prescript/web/RxHideCpp2Action.java, RxReorder2Action.java	Sets explicit HTTP response content type to text/plain and character encoding to UTF-8 before writing response body
Drug Search Null-Safety src/main/webapp/oscarRx/ChooseDrug.jsp, ListDrugs.jsp, SearchDrug3.jsp	Adds defensive null checks and empty default collections for drugSearch; refactors event binding with element existence guards; adjusts wildcard search defaults and normalizes context path in URL handling
Allergy Display Enhancements src/main/webapp/oscarRx/ShowAllergies2.jsp	Introduces global toggleSection() function to handle expanding/collapsing AJAX-loaded allergy search results via DOM manipulation instead of inline event handlers
Favorite Management Functions src/main/webapp/oscarRx/SideLinksEditFavorites2.jsp, SideLinksNoEditFavorites.jsp, SideLinksNoEditFavorites2.jsp	Adds useFav2() function for favorite selection navigation; fixes script tag syntax errors (converts self-closing tags to proper opening/closing pairs)
Script Tag Fixes & Input Validation src/main/webapp/oscarRx/StaticScript.jsp, StaticScript2.jsp, WriteScript.jsp	Corrects malformed script tag markup; adds null checks for prompt() return values in addFavorite to prevent errors when user cancels dialog

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

• yingbull

Poem

🐰 With null checks deployed and scripts made whole,
Your forms now ignore what they don't control,
Headers shine bright in responses true,
And allergies toggle—a feature anew!
Safe from the nulls, your code hops along,
Each fix makes your web app steadfast and strong!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly matches the main changes: it lists the primary files modified (SearchDrug3, ShowAllergies2, StaticScript, SideLinks, RxSearchAllergy2Form) and accurately describes the primary intent of fixing JavaScript/Java errors in the oscarRx prescription module.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

No issues found across 9 files

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• The new global toggleSection and useFav2 helpers are now defined inline in individual JSPs; consider centralizing these in a shared JS asset (e.g., Oscar/global scripts) to avoid duplication and keep behavior consistent across pages.
• The toggleSection logic still relies on checking img.src.indexOf('expander') to determine state; if you touch this again, it may be more robust to use a data attribute or a CSS class toggle rather than depending on filename substrings.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The new global `toggleSection` and `useFav2` helpers are now defined inline in individual JSPs; consider centralizing these in a shared JS asset (e.g., Oscar/global scripts) to avoid duplication and keep behavior consistent across pages.
- The `toggleSection` logic still relies on checking `img.src.indexOf('expander')` to determine state; if you touch this again, it may be more robust to use a data attribute or a CSS class toggle rather than depending on filename substrings.

## Individual Comments

### Comment 1
<location> `src/main/webapp/oscarRx/SideLinksEditFavorites2.jsp:158-160` </location>
<code_context>
+<script type="text/javascript">
+    // Pulled from function in SearchDrug3.jsp - function needs to be defined here
+    // for ShowAllergies2.jsp for favorite staging in allergies page
+    function useFav2(favoriteId) {
+        location.href = "<%= request.getContextPath() %>/oscarRx/SearchDrug3.jsp?usefav=true&favid=" + favoriteId;
+    }
+</script>
</code_context>

<issue_to_address>
**suggestion (bug_risk):** URL-encode `favoriteId` when building the navigation URL.

If `favoriteId` ever includes non-numeric or special characters, concatenating it directly into the query string can produce malformed URLs or unexpected behavior. Use `encodeURIComponent(favoriteId)` when building the URL to ensure the value is safely encoded.

```suggestion
    function useFav2(favoriteId) {
        location.href = "<%= request.getContextPath() %>/oscarRx/SearchDrug3.jsp?usefav=true&favid=" + encodeURIComponent(favoriteId);
    }
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[claude]

Code Review - CLAUDE.md Compliance Issues

I found 2 issues that need to be addressed:

1. Missing @since tag in JavaDoc

File: src/main/java/ca/openosp/openo/prescript/pageUtil/RxSearchAllergy2Form.java (line 39)

According to CLAUDE.md, all JavaDoc must include @since tags:

@SInCE Tags: Use git history to determine accurate dates: git log --follow --format="%ai" <file> | tail -1

The file was created on 2026-01-23, so the JavaDoc should include @since 2026-01-23 before the closing */.

---

2. PR targets staging instead of develop

According to CLAUDE.md, PRs must target the develop branch:

✅ Target develop branch (not main)

This PR currently targets staging, which is not mentioned in CLAUDE.md as a valid target branch. Please retarget this PR to develop.

---

Note: The code changes themselves are excellent - the JavaScript fixes are well-documented and address real runtime errors. These are just documentation/process issues that need to be addressed to meet project standards.

[LiamStanziani]

@claude review

[claude]

Claude finished @LiamStanziani's task in 2m 21s —— View job

---

Code Review Complete ✅

Todo List:

• Read all 10 changed files
• Review against CLAUDE.md security requirements
• Check JavaScript code quality and best practices
• Review Java code for OpenO patterns
• Verify previous review feedback was addressed
• Compile and post comprehensive review

---

Summary

This PR successfully fixes multiple JavaScript runtime errors and JSON parsing issues in the oscarRx prescription module. The changes are well-documented and address real bugs that would impact user experience. I found 3 critical issues and 2 minor suggestions that need attention before merging.

✅ What's Working Well

1. Excellent Bug Fixes: All 8 bug fixes are legitimate and well-explained
2. Good Documentation: Code comments explain the reasoning behind changes
3. Security Compliance: Proper use of encodeURIComponent() for URL parameters
4. Defensive Programming: Null checks prevent runtime errors
5. Sourcery Feedback Addressed: The encodeURIComponent(favoriteId) fix was properly implemented

❌ Critical Issues

1. Missing @since Tag in JavaDoc (CLAUDE.md Violation)

File: src/main/java/ca/openosp/openo/prescript/pageUtil/RxSearchAllergy2Form.java:39

According to CLAUDE.md Documentation Standards:

@SInCE Tags: Use git history to determine accurate dates: git log --follow --format="%ai" <file> | tail -1

The JavaDoc is missing the required @since tag. Based on the git history, this file was created on 2026-01-23.

Fix Required: Add @since 2026-01-23 before the closing */ on line 39.

/**
 * Form bean for allergy search requests in RxSearchAllergy2Action.
 *
 * Note: JsonIgnoreProperties is required because the search form in ShowAllergies2.jsp
 * contains a nested AJAX-loaded form (AddReaction2.jsp) with additional fields like
 * 'reactionDescription', 'ID', 'name', etc. When JavaScript serializes all form fields
 * for the search request, these extra fields would cause Jackson parsing errors without
 * this annotation.
 * 
 * @since 2026-01-23
 */

Fix this →

---

2. PR Targets staging Instead of develop (CLAUDE.md Violation)

According to CLAUDE.md PR Requirements:

✅ Target develop branch (not main)

This PR currently targets staging, which is not mentioned in CLAUDE.md as a valid target branch. The documented workflow requires all PRs to target the develop branch.

Action Required: Retarget this PR to develop branch using GitHub's "Edit" button on the PR page.

---

3. Security: No Output Encoding for User-Controlled Data

File: src/main/webapp/oscarRx/ShowAllergies2.jsp:515-530

According to CLAUDE.md Critical Security Requirements:

Use Encode.forHtml(), Encode.forJavaScript() for ALL user inputs

While this PR doesn't modify the allergy display code, I noticed the existing code at lines 515-530 outputs allergy data without proper encoding. Since you're already working in this file, this should be addressed to prevent XSS vulnerabilities.

Example of unencoded output (existing code, not your changes):

<td><b>Description</b></td>
<td><b>Allergy Type</b></td>
<td><b>Reaction</b></td>

The allergy description, type, and reaction fields should use Encode.forHtml() when displaying user-entered data.

Note: This is an existing vulnerability, not introduced by your PR. However, since you're already working in this file, it would be good to address it. If you prefer to keep this PR focused on the JavaScript fixes, please create a follow-up issue to track this security concern.

Create follow-up issue →

---

💡 Minor Suggestions

1. Consider Centralizing JavaScript Utilities

Files: src/main/webapp/oscarRx/ShowAllergies2.jsp:107-119, src/main/webapp/oscarRx/SideLinksEditFavorites2.jsp:158-160

The new global functions toggleSection() and useFav2() are defined inline in individual JSPs. As noted by Sourcery AI, this creates duplication risk. Consider centralizing these in a shared JS asset (e.g., /share/javascript/Oscar.js or a new /oscarRx/rx-common.js).

Benefits:

• Easier to maintain and test
• Consistent behavior across pages
• Reduces code duplication

Current approach is acceptable for this PR since it fixes immediate bugs, but this would be a good refactoring opportunity.

---

2. toggleSection State Management

File: src/main/webapp/oscarRx/ShowAllergies2.jsp:111

The toggleSection logic relies on checking img.src.indexOf('expander') to determine state. This is fragile because:

• It depends on filename substrings
• Could break if image filenames change
• Not immediately obvious to future maintainers

Better approach (for future refactoring):

function toggleSection(typecode) {
    var img = document.getElementById(typecode + "_img");
    var content = document.getElementById(typecode + "_content");
    var isExpanded = content.style.display === 'block';
    
    img.src = isExpanded 
        ? '<%= request.getContextPath() %>/images/expander.png'
        : '<%= request.getContextPath() %>/images/collapser.png';
    content.style.display = isExpanded ? 'none' : 'block';
}

This checks the actual DOM state rather than inferring from image filenames. However, your current implementation is correct and matches existing patterns in the codebase.

---

🎯 Specific Code Review by File

✅ RxSearchAllergy2Form.java

• Good: Proper Jackson annotation usage
• Good: Excellent explanatory comment
• Issue: Missing @since tag (see Critical Issue Added DownloadInIterceptor import to the classes #1)

✅ SearchDrug3.jsp

• Excellent: Removed orphan brace that broke parsing
• No issues found

✅ ShowAllergies2.jsp

• Good: Global toggleSection() fixes AJAX-loaded content
• Good: Removed conflicting jQuery handler
• Good: Clear comments explaining the change
• Note: Pre-existing XSS vulnerability (see Critical Issue Added development-drugref.sql #3)

✅ SideLinksEditFavorites2.jsp

• Excellent: Proper encodeURIComponent() usage
• Good: Clear comment explaining purpose
• No issues found

✅ StaticScript2.jsp

• Excellent: Fixed malformed script tags
• Good: Added null check for window.prompt()
• No issues found

✅ StaticScript.jsp

• Good: Added null check for window.prompt()
• No issues found

✅ WriteScript.jsp

• Good: Added null check for window.prompt()
• No issues found

✅ SideLinksNoEditFavorites.jsp & SideLinksNoEditFavorites2.jsp

• Good: Fixed invalid self-closing script tags
• No issues found

✅ ChooseDrug.jsp

• Excellent: Defensive null check prevents NullPointerException
• Good: Clear comment explaining edge case
• No issues found

---

📋 Action Items Before Merge

1. REQUIRED: Add @since 2026-01-23 to RxSearchAllergy2Form.java JavaDoc
2. REQUIRED: Retarget PR from staging to develop branch
3. RECOMMENDED: Create follow-up issue for XSS vulnerability in ShowAllergies2.jsp (or fix in this PR)
4. OPTIONAL: Consider centralizing JavaScript utilities in future refactoring

---

Final Verdict

This is high-quality bug fix work with excellent documentation and testing. The JavaScript fixes are sound and address real runtime errors. Once the two critical CLAUDE.md compliance issues are addressed (missing @since tag and wrong target branch), this PR will be ready to merge.

The code quality is good, security practices are followed (proper URL encoding), and the changes are well-scoped. Great job on the thorough testing and clear commit messages! 👍

---

[LiamStanziani]

Those two compliance issue I don't think matter currently, but could be addressed if needed (especially targeting develop since develop is behind on changes and targeting it will flood the diff changes with everything in staging currently, on top of the changes in this branch)

[yingbull]

@coderabbitai create separate follow up issue tickets for the code recommendations as coverd in this.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

@yingbull, I'll gather the code recommendations from this PR review and create separate follow-up issues for each one.

---

🏁 Script executed:

#!/bin/bash

# Get the review comments from PR `#1863`
gh pr view 1863 --repo openo-beta/Open-O --json reviews,comments --jq '.reviews[] | select(.author.login == "coderabbitai") | .body'

# Also get review comments on specific files
gh pr view 1863 --repo openo-beta/Open-O --json reviewThreads --jq '.reviewThreads[] | select(.comments[].author.login == "coderabbitai") | {path: .path, line: .line, comment: .comments[0].body}'

Length of output: 674

---

🏁 Script executed:

#!/bin/bash

# Get reviews and comments from the PR
gh pr view 1863 --repo openo-beta/Open-O --json reviews --jq '.reviews[] | select(.author.login == "coderabbitai") | {state: .state, body: .body}'

# Get all comments
gh pr view 1863 --repo openo-beta/Open-O --json comments --jq '.comments[] | select(.author.login == "coderabbitai") | {body: .body, createdAt: .createdAt}'

# Try to get review comments via API
gh api repos/openo-beta/Open-O/pulls/1863/comments --jq '.[] | select(.user.login == "coderabbitai") | {path: .path, line: .line, body: .body}'

Length of output: 1356

---

🏁 Script executed:

#!/bin/bash

# Check if there are comments from other bots (like cubic mentioned in PR description)
gh api repos/openo-beta/Open-O/pulls/1863/comments --jq '.[] | select(.user.login != "coderabbitai") | {author: .user.login, body: .body, path: .path}'

# Also get issue comments (not just review comments)
gh api repos/openo-beta/Open-O/issues/1863/comments --jq '.[] | {author: .user.login, body: .body}' | head -100

# Check if there are reviews from other bots
gh pr view 1863 --repo openo-beta/Open-O --json reviews --jq '.reviews[] | {author: .author.login, state: .state, body: .body}' | head -50

Length of output: 27380

---

@yingbull, I'll create separate follow-up issues for the code recommendations from the review. Let me gather the recommendations and create the issues.

---

🏁 Script executed:

#!/bin/bash

# Create Issue 1: Add `@since` tag to JavaDoc
gh issue create --repo openo-beta/Open-O \
  --title "Add `@since` tag to RxSearchAllergy2Form.java JavaDoc" \
  --body "## Description
As noted in PR `#1863`, the JavaDoc for \`RxSearchAllergy2Form.java\` is missing the required \`@since\` tag per CLAUDE.md documentation standards.

## Location
File: \`src/main/java/ca/openosp/openo/prescript/pageUtil/RxSearchAllergy2Form.java:39\`

## Required Change
Add \`@since 2026-01-23\` before the closing \`*/\` in the class JavaDoc comment.

## Reference
- PR: https://github.com/openo-beta/Open-O/pull/1863
- Identified by: Claude bot code review
- Requested by: `@yingbull`

## CLAUDE.md Reference
[Documentation Standards](https://github.com/openo-beta/Open-O/blob/e01674ac140eb038461937a433c9f9d910abff1e/CLAUDE.md#L217-L219) require all JavaDoc to include \`@since\` tags." \
  --assignee yingbull

# Create Issue 2: XSS vulnerability in ShowAllergies2.jsp
gh issue create --repo openo-beta/Open-O \
  --title "Security: Add OWASP encoding to allergy display in ShowAllergies2.jsp" \
  --body "## Description
Allergy data (description, type, reaction) is displayed without proper output encoding in \`ShowAllergies2.jsp\`, creating an XSS vulnerability when user-controlled data is rendered.

## Location
File: \`src/main/webapp/oscarRx/ShowAllergies2.jsp:515-530\`

## Required Change
Use \`Encode.forHtml()\` when displaying user-entered allergy data fields:
- Allergy description
- Allergy type
- Reaction information

## Security Risk
Per CLAUDE.md Critical Security Requirements, all user inputs must use \`Encode.forHtml()\` or \`Encode.forJavaScript()\` to prevent XSS attacks.

## Reference
- PR: https://github.com/openo-beta/Open-O/pull/1863
- Identified by: Claude bot code review
- Requested by: `@yingbull`
- CLAUDE.md: [Critical Security Requirements](https://github.com/openo-beta/Open-O/blob/e01674ac140eb038461937a433c9f9d910abff1e/CLAUDE.md#L56-L58)

## Note
This is a pre-existing vulnerability, not introduced by PR `#1863`." \
  --assignee yingbull \
  --label "security"

# Create Issue 3: Centralize JavaScript utilities
gh issue create --repo openo-beta/Open-O \
  --title "Refactor: Centralize oscarRx JavaScript utilities into shared asset" \
  --body "## Description
The \`toggleSection()\` and \`useFav2()\` functions are currently defined inline in individual JSP files, leading to code duplication and inconsistent behavior across pages.

## Current Locations
- \`toggleSection()\`: \`src/main/webapp/oscarRx/ShowAllergies2.jsp:107-119\`
- \`useFav2()\`: \`src/main/webapp/oscarRx/SideLinksEditFavorites2.jsp:158-160\`

## Recommendation
Move these utilities to a centralized JavaScript file such as:
- \`/share/javascript/Oscar.js\`, or
- A new \`/oscarRx/rx-common.js\`

## Benefits
- Easier to maintain and test
- Consistent behavior across all pages
- Reduces code duplication
- Single source of truth for shared functionality

## Reference
- PR: https://github.com/openo-beta/Open-O/pull/1863
- Identified by: Sourcery-ai and Claude bot reviews
- Requested by: `@yingbull`" \
  --assignee yingbull \
  --label "enhancement"

# Create Issue 4: Improve toggleSection state management
gh issue create --repo openo-beta/Open-O \
  --title "Refactor: Improve toggleSection state management with data attributes" \
  --body "## Description
The \`toggleSection()\` function currently determines expanded/collapsed state by checking \`img.src.indexOf('expander')\`, which is fragile and depends on filename substrings.

## Location
File: \`src/main/webapp/oscarRx/ShowAllergies2.jsp:111\`

## Current Implementation
\`\`\`javascript
if (img.src.indexOf('expander') !== -1) {
    img.src = contextPath + '/images/collapser.png';
    content.style.display = 'block';
} else {
    img.src = contextPath + '/images/expander.png';
    content.style.display = 'none';
}
\`\`\`

## Recommended Improvement
Use data attributes or CSS classes to track state instead of checking filenames:

\`\`\`javascript
function toggleSection(typecode) {
    var img = document.getElementById(typecode + '_img');
    var content = document.getElementById(typecode + '_content');
    var isExpanded = content.style.display === 'block';
    
    img.src = isExpanded 
        ? contextPath + '/images/expander.png'
        : contextPath + '/images/collapser.png';
    content.style.display = isExpanded ? 'none' : 'block';
}
\`\`\`

## Benefits
- More robust and maintainable
- Won't break if image filenames change
- Clearer intent for future developers
- Checks actual DOM state instead of inferring from filenames

## Reference
- PR: https://github.com/openo-beta/Open-O/pull/1863
- Identified by: Sourcery-ai and Claude bot reviews
- Requested by: `@yingbull`" \
  --assignee yingbull \
  --label "enhancement"

echo "All follow-up issues created successfully"

Length of output: 230

---

@yingbull, I've successfully created 4 follow-up issues for the code recommendations from PR #1863:

Created Issues:

1. Issue #1864 - Add @since tag to RxSearchAllergy2Form.java JavaDoc

   • Compliance issue with CLAUDE.md documentation standards

2. Issue #1865 - Security: Add OWASP encoding to allergy display in ShowAllergies2.jsp

   • Pre-existing XSS vulnerability that should be addressed
   • Note: Tried to add 'security' label but it doesn't exist in the repository

3. Issue #1866 - Refactor: Centralize oscarRx JavaScript utilities into shared asset

   • Move toggleSection() and useFav2() to a shared JavaScript file

4. Issue #1867 - Refactor: Improve toggleSection state management with data attributes

   • Make state checking more robust by using DOM state instead of filename checks

All issues have been assigned to you and include:

• Detailed descriptions with file locations
• References back to PR #1863
• Code examples where applicable
• Context from the review comments

---

🧠 Learnings used

Learnt from: CR
Repo: openo-beta/Open-O PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-22T21:43:18.910Z
Learning: Use `claude` mentions to trigger automated PR reviews, issue investigation, and feature implementation by Claude Code bot

[LiamStanziani]

Small additional updates for null checking and possible 404 error with sorting, will add to the PR description

[LiamStanziani]

Now "Exact" is flipped to be the old "Any" logic, (searches left to right) and "Any" is now flipped to be the "Exact" logic (searches anywhere), "Exact" is now the functionality of "Any" so it is set as the default checked value and is moved infront of "Any"

Image 1: default radio box checked when opening the medications page
Image 2: Searching for "METFORMIN" with the new "Exact" radio button selected (checked by default)

Image 3: Searching for "METFORMIN" with the new "Any" radio button selected

[claude]

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

---

Review Summary:

• ✅ All JavaScript fixes properly address parsing errors and null safety
• ✅ Java changes correctly add content-type headers and JSON deserialization handling
• ✅ HTML/script tag fixes ensure HTML5 compliance
• ✅ Security patterns followed (SecurityInfoManager checks present in 2Action classes)
• ✅ No new bugs introduced

This PR effectively fixes multiple console errors and workflow issues in the prescription module.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 69299d5.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

None

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/main/webapp/oscarRx/SearchDrug3.jsp (1)

786-846: Add CSRF token to drugForm.
The POST form at Line 786 is missing the required CSRF hidden field.

🔒 Proposed fix

-                                <form action="${pageContext.request.contextPath}/oscarRx/searchDrug.do"  onsubmit="return checkEnterSendRx();" style="display: inline; margin-bottom:0;" id="drugForm" name="drugForm" method="post">
+                                <form action="${pageContext.request.contextPath}/oscarRx/searchDrug.do"  onsubmit="return checkEnterSendRx();" style="display: inline; margin-bottom:0;" id="drugForm" name="drugForm" method="post">
+                                    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>

As per coding guidelines, include CSRF token in all HTML forms.

🤖 Fix all issues with AI agents

In `@src/main/java/ca/openosp/openo/prescript/pageUtil/RxSearchAllergy2Form.java`:
- Around line 31-40: The class JavaDoc for RxSearchAllergy2Form is missing the
required `@since` tag; update the class-level comment (above class
RxSearchAllergy2Form) to include an `@since` entry using the file’s original
introduction date from the git history (find the commit that added this file and
use that date), ensuring the tag is formatted like other public classes in the
codebase.

In `@src/main/webapp/oscarRx/SearchDrug3.jsp`:
- Around line 1799-1803: Replace the HTML-only <c:out value="${ctx}"/> inside
callAdditionWebService with the OWASP Java Encoder call for JS context so the
ctx is safely encoded for a JavaScript string (e.g. use <%=
org.owasp.encoder.Encode.forJavaScript(ctx) %>); update the JSP to import or
reference org.owasp.encoder.Encode if needed and keep the rest of the
callAdditionWebService function and its url handling unchanged.