Commit b8399c9

committed

Fix XSS in the idp url parameter

1 parent b835031 commit b8399c9Copy full SHA for b8399c9

File tree

-3

lines changed

-3

lines changed

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -308,8 +308,8 @@ def test_unknown_idp(self):`
`308`	`308`	`metadata_file="remote_metadata_three_idps.xml",`
`309`	`309`	`)`
`310`	`310`
`311`		`- response = self.client.get(reverse("saml2_login") + "?idp=https://unknown.org")`
`312`		`- self.assertEqual(response.status_code, 403)`
	`311`	`+ response = self.client.get(reverse("saml2_login") + "?idp=<b>https://unknown.org</b>")`
	`312`	`+ self.assertContains(response, "<b>https://unknown.org</b>", status_code=403)`
`313`	`313`
`314`	`314`	`def test_login_authn_context(self):`
`315`	`315`	`sp_kwargs = {`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@`
`30`	`30`	`from django.template import TemplateDoesNotExist`
`31`	`31`	`from django.urls import reverse`
`32`	`32`	`from django.utils.decorators import method_decorator`
	`33`	`+from django.utils.html import escape`
`33`	`34`	`from django.utils.module_loading import import_string`
`34`	`35`	`from django.utils.translation import gettext_lazy as _`
`35`	`36`	`from django.views.decorators.csrf import csrf_exempt`
`@@ -152,7 +153,7 @@ def get_next_path(self, request: HttpRequest) -> str:`
`152`	`153`	`return next_path`
`153`	`154`
`154`	`155`	`def unknown_idp(self, request, idp):`
`155`		`- msg = f"Error: IdP EntityID {idp} was not found in metadata"`
	`156`	`+ msg = f"Error: IdP EntityID {escape(idp)} was not found in metadata"`
`156`	`157`	`logger.error(msg)`
`157`	`158`	`return HttpResponse(msg.format("Please contact technical support."), status=403)`
`158`	`159`

Comments

(0)