From 794cd30f343fd81750281f96835f7a89c63965f6 Mon Sep 17 00:00:00 2001
From: Thomas
Date: Mon, 31 Aug 2020 09:55:36 +0200
Subject: [PATCH 1/2] Very basic XSS prevention

---
 authn/openid.index.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/authn/openid.index.js b/authn/openid.index.js
index 898c272..8954e75 100644
--- a/authn/openid.index.js
+++ b/authn/openid.index.js
@@ -294,9 +294,9 @@ function unauthorized(error, error_description, error_uri, callback) {
 `;
- page = page.replace(/%error%/g, error);
- page = page.replace(/%error_description%/g, error_description);
- page = page.replace(/%error_uri%/g, error_uri);
+ page = page.replace(/%error%/g, encodeURI(error));
+ page = page.replace(/%error_description%/g, encodeURI(error_description));
+ page = page.replace(/%error_uri%/g, encodeURI(error_uri));
 // Unauthorized access attempt. Reset token and nonce cookies
 const response = {
From c1ab88d3cc9a1049704941240c1dc42e80bcbcd5 Mon Sep 17 00:00:00 2001
From: Thomas
Date: Fri, 18 Sep 2020 11:44:04 +0200
Subject: [PATCH 2/2] Parse spaces from URI

All spaces are now displayed as `%20` due to the XSS change. So we parse them back to spaces.

---
 authn/openid.index.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/authn/openid.index.js b/authn/openid.index.js
index 8954e75..0b3d0a6 100644
--- a/authn/openid.index.js
+++ b/authn/openid.index.js
@@ -294,8 +294,8 @@ function unauthorized(error, error_description, error_uri, callback) {
 `;
- page = page.replace(/%error%/g, encodeURI(error));
- page = page.replace(/%error_description%/g, encodeURI(error_description));
+ page = page.replace(/%error%/g, encodeURI(error).replace(/%20/g,'+'));
+ page = page.replace(/%error_description%/g, encodeURI(error_description).replace(/%20/g,'+'));
 page = page.replace(/%error_uri%/g, encodeURI(error_uri));
 // Unauthorized access attempt. Reset token and nonce cookies
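Review bot: `encodeURI` is the wrong escaper for the HTML page being built on the three `+` lines: it leaves `'`, `&`, `(`, `)`, `:` and `/` untouched, so a single-quoted attribute can still be broken out of and an `href="%error_uri%"` can still carry a `javascript:` URL (the template is above the hunk, so which contexts the placeholders land in cannot be confirmed from here), while every harmless space in the visible text becomes `%20`. A second, independent defect is that the replacement argument is a plain string, so `$&`, `$'` and `` $` `` inside `error_description` are expanded by `String.prototype.replace` against the page; a replacer function avoids that. These values presumably arrive on the IdP callback query string and must be treated as attacker-controlled. I would replace the three calls with a small HTML-escaping helper used through replacer functions, and separately validate that `error_uri` is an `http(s):` URL before it is ever used as a link. `unauthorized()` begins and ends outside the hunk.
```javascript
  // Escape for HTML text / double-quoted attribute context; encodeURI is for URL components, not HTML.
  const escapeHtml = (value) => String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');

  // Replacer functions so `$&` / `$'` in untrusted input are not treated as replacement patterns.
  page = page.replace(/%error%/g, () => escapeHtml(error));
  page = page.replace(/%error_description%/g, () => escapeHtml(error_description));
  page = page.replace(/%error_uri%/g, () => escapeHtml(error_uri));
  // … unchanged: cookie-reset response …
```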
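Review bot: The added `.replace(/%20/g,'+')` on the two `+` lines does not restore spaces as the commit message says — it prints a literal `+`, which only means "space" in `application/x-www-form-urlencoded` data, not in HTML text — and because `encodeURI` leaves a real `+` in the input untouched, a reader can no longer tell the two apart. The post-processing is a symptom of using a URL encoder where an HTML escaper belongs; the unchanged third line keeps the same problem for `error_uri`, which is also still not validated as an `http(s):` URL before use. I would drop the `%20` rewrite and escape `& < > " '` to entities instead, e.g. `page = page.replace(/%error%/g, () => escapeHtml(error));` and the same for `error_description`, with a small local `escapeHtml` helper and a function replacer so `$&`-style sequences in the input are not expanded by `replace`. `unauthorized()` begins and ends outside the hunk.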