From 08e6f7971f351ee616647b075dd918c1fd77ea5e Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Thu, 29 Jul 2010 10:42:09 +0000
Subject: [PATCH] oauth: Fix cross-site scripting.

Failure to escape the user id can be exploited by a malicious IdP
to run scripts in the domain of the oauth host. There is also a
failure to escape data from the OAuth registry.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2443 44740490-163a-0410-bde0-09ae8108e29a
---
 modules/oauth/templates/registry.list.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/modules/oauth/templates/registry.list.php b/modules/oauth/templates/registry.list.php
index 1a11da862..0d11fd6ad 100644
--- a/modules/oauth/templates/registry.list.php
+++ b/modules/oauth/templates/registry.list.php
@@ -13,7 +13,7 @@ $this->includeAtTemplateBase('includes/header.php');
 
 echo('<h1>OAuth Client Registry</h1>');
 
-echo('<p>Here you can register new OAuth Clients. You are successfully logged in as ' . $this->data['userid'] . '</p>');
+echo('<p>Here you can register new OAuth Clients. You are successfully logged in as ' . htmlspecialchars($this->data['userid']) . '</p>');
 
 echo('<h2>Your clients</h2>');
 echo('<table class="metalist" style="width: 100%">');
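Review bot: The `htmlspecialchars()` call added on the "logged in as" line, and the ones added in both table hunks, rely on the function's default flags and charset. On PHP before 8.1 the defaults leave single quotes unescaped, and before 5.4 the assumed charset is ISO-8859-1. That is sufficient for the element-content positions used in this template, but spelling the arguments out keeps the escaping correct if a value is later moved into a single-quoted attribute: `htmlspecialchars($this->data['userid'], ENT_QUOTES, 'UTF-8')`, and likewise for `$entry['name']`, `$entry['key']` and `$entry['owner']`.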
@@ -22,8 +22,8 @@ foreach($this->data['entries']['mine'] AS $entryc ) {
 	$entry = $entryc['value'];
 	$i++; 
 	echo('<tr class="' . $rows[$i % 2] . '">
-		<td>' . $entry['name'] . '</td>
-		<td><tt>' . $entry['key'] . '</tt></td>
+		<td>' . htmlspecialchars($entry['name']) . '</td>
+		<td><tt>' . htmlspecialchars($entry['key']) . '</tt></td>
 		<td>
 			<a href="registry.edit.php?editkey=' . urlencode($entry['key']) . '">edit</a>
 			<a href="registry.php?delete=' . urlencode($entry['key']) . '">delete</a>
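Review bot: The `delete` link in this row is a plain GET to `registry.php?delete=...` with no anti-CSRF token visible in the hunk, which this commit leaves as is. The handler is not shown here, but if it deletes on GET, a request made from another site in the user's session could remove a registered client. Consider rendering the action as a small POST form carrying a per-session token that `registry.php` verifies before deleting. The `foreach` body continues outside the hunk.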
@@ -43,9 +43,9 @@ foreach($this->data['entries']['others'] AS $entryc ) {
 	$entry = $entryc['value'];
 	$i++; 
 	echo('<tr class="' . $rows[$i % 2] . '">
-		<td>' . $entry['name'] . '</td>
-		<td><tt>' . $entry['key'] . '</tt></td>
-		<td>' . (isset($entry['owner']) ? $entry['owner'] : 'No owner') . '
+		<td>' . htmlspecialchars($entry['name']) . '</td>
+		<td><tt>' . htmlspecialchars($entry['key']) . '</tt></td>
+		<td>' . (isset($entry['owner']) ? htmlspecialchars($entry['owner']) : 'No owner') . '
 		</td></tr>');
 }
 if ($i == 0) {
-- 
GitLab