diff --git a/lib/SimpleSAML/XML/SAML20/AuthnRequest.php b/lib/SimpleSAML/XML/SAML20/AuthnRequest.php
index 0fc2c819fb1d292d1819ad6a4229e341bdd7385f..ead9afa386a54f4137259d9642c238f76c3b3067 100644
--- a/lib/SimpleSAML/XML/SAML20/AuthnRequest.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnRequest.php
@@ -154,17 +154,17 @@ class SimpleSAML_XML_SAML20_AuthnRequest {
"IssueInstant=\"" . $issueInstant . "\" " .
"ForceAuthn=\"false\" " .
"IsPassive=\"false\" " .
- "Destination=\"" . $destination . "\" " .
+ "Destination=\"" . htmlspecialchars($destination) . "\" " .
"ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" " .
- "AssertionConsumerServiceURL=\"" . $assertionConsumerServiceURL . "\">\n" .
+ "AssertionConsumerServiceURL=\"" . htmlspecialchars($assertionConsumerServiceURL) . "\">\n" .
"<saml:Issuer " .
"xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">" .
- $spentityid .
+ htmlspecialchars($spentityid) .
"</saml:Issuer>\n" .
"<samlp:NameIDPolicy " .
"xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" " .
- "Format=\"" . $nameidformat. "\" " .
- "SPNameQualifier=\"" . $spNameQualifier . "\" " .
+ "Format=\"" . htmlspecialchars($nameidformat). "\" " .
+ "SPNameQualifier=\"" . htmlspecialchars($spNameQualifier) . "\" " .
"AllowCreate=\"true\" />\n" .
"<samlp:RequestedAuthnContext " .
"xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" " .
diff --git a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
index 56984d9b7cf3fd9126118cce216aff0d183bf017..65ed360ebeab4364114c2fb8f60be02e7ae716e0 100644
--- a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
@@ -409,7 +409,7 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
ID="' . $id . '"
InResponseTo="' . htmlspecialchars($inresponseto) . '" Version="2.0"
IssueInstant="' . $issueInstant . '"
- Destination="' . $destination . '">
+ Destination="' . htmlspecialchars($destination) . '">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">' . htmlspecialchars($issuer) . '</saml:Issuer>
<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
@@ -423,7 +423,7 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="' . $assertionExpire . '"
InResponseTo="' . htmlspecialchars($inresponseto). '"
- Recipient="' . $destination . '"/>
+ Recipient="' . htmlspecialchars($destination) . '"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="' . $notBefore. '" NotOnOrAfter="' . $assertionExpire. '">
@@ -432,7 +432,7 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="' . $issueInstant . '"
- SessionIndex="' . $sessionindex . '">
+ SessionIndex="' . htmlspecialchars($sessionindex) . '">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
diff --git a/lib/SimpleSAML/XML/SAML20/LogoutRequest.php b/lib/SimpleSAML/XML/SAML20/LogoutRequest.php
index 137ff0c985be3e527b7d2b6aa9576be5d7d00043..e1c90884963d3ee7e1c3880e370ede4c83fd9074 100644
--- a/lib/SimpleSAML/XML/SAML20/LogoutRequest.php
+++ b/lib/SimpleSAML/XML/SAML20/LogoutRequest.php
@@ -141,22 +141,22 @@ class SimpleSAML_XML_SAML20_LogoutRequest {
"xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" " .
"ID=\"" . $id . "\" " .
"Version=\"2.0\" " .
- "Destination=\"" . $destination . "\" " .
+ "Destination=\"" . htmlspecialchars($destination) . "\" " .
"IssueInstant=\"" . $issueInstant . "\"> " .
"<saml:Issuer " .
"xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">" .
- $issuer .
+ htmlspecialchars($issuer) .
"</saml:Issuer>" .
"<saml:NameID " .
"xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" " .
// "NameQualifier=\"" . $nameId["NameQualifier"] . "\" " .
// "SPNameQualifier=\"" . $nameId["SPNameQualifier"] . "\" " .
- "Format=\"" . $nameidformat. "\">" .
- $nameid .
+ "Format=\"" . htmlspecialchars($nameidformat) . "\">" .
+ htmlspecialchars($nameid) .
"</saml:NameID>" .
"<samlp:SessionIndex " .
"xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">" .
- $sessionindex .
+ htmlspecialchars($sessionindex) .
"</samlp:SessionIndex>" .
"</samlp:LogoutRequest>";
diff --git a/lib/SimpleSAML/XML/SAML20/LogoutResponse.php b/lib/SimpleSAML/XML/SAML20/LogoutResponse.php
index 5378c7a0a3281e33192bbb70f3241368ee9cc065..84fe044fcc767df8fb69509354126fc636607465 100644
--- a/lib/SimpleSAML/XML/SAML20/LogoutResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/LogoutResponse.php
@@ -113,14 +113,14 @@ class SimpleSAML_XML_SAML20_LogoutResponse {
$destination = $receivermd['SingleLogoutService'];
$samlResponse = '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
-ID="_' . $id . '" Version="2.0" IssueInstant="' . $issueInstant . '" Destination="'. $destination. '" InResponseTo="' . htmlspecialchars($inresponseto) . '">
-<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">' . $issuer . '</saml:Issuer>
+ID="_' . $id . '" Version="2.0" IssueInstant="' . $issueInstant . '" Destination="'. htmlspecialchars($destination). '" InResponseTo="' . htmlspecialchars($inresponseto) . '">
+<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">' . htmlspecialchars($issuer) . '</saml:Issuer>
<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Value="urn:oasis:names:tc:SAML:2.0:status:Success">
</samlp:StatusCode>
<samlp:StatusMessage xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
-Successfully logged out from service ' . $issuer . '
+Successfully logged out from service ' . htmlspecialchars($issuer) . '
</samlp:StatusMessage>
</samlp:Status>
</samlp:LogoutResponse>';