From 3796a81e7e3f0ccdf2160f33d1dbf2eaf96e5384 Mon Sep 17 00:00:00 2001
From: Hans Zandbelt <hans.zandbelt@surfnet.nl>
Date: Mon, 24 Aug 2009 13:12:07 +0000
Subject: [PATCH] more empty attribute value checks and html-escaping of values

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1709 44740490-163a-0410-bde0-09ae8108e29a
---
 modules/adfs/www/idp/prp.php | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/modules/adfs/www/idp/prp.php b/modules/adfs/www/idp/prp.php
index 51159a814..c75811308 100644
--- a/modules/adfs/www/idp/prp.php
+++ b/modules/adfs/www/idp/prp.php
@@ -43,20 +43,24 @@ function ADFS_GenerateResponse($issuer, $target, $nameid, $attributes) {
 </saml:Conditions>
 <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="' . $issueInstant . '">
 <saml:Subject>
- <saml:NameIdentifier Format="' . $nameidFormat . '">' . $nameid . '</saml:NameIdentifier>
+ <saml:NameIdentifier Format="' . $nameidFormat . '">' . htmlspecialchars($nameid) . '</saml:NameIdentifier>
 </saml:Subject>
 </saml:AuthenticationStatement>
 <saml:AttributeStatement>
 <saml:Subject>
- <saml:NameIdentifier Format="' . $nameidFormat . '">' . $nameid . '</saml:NameIdentifier>
+ <saml:NameIdentifier Format="' . $nameidFormat . '">' . htmlspecialchars($nameid) . '</saml:NameIdentifier>
 </saml:Subject>';
 foreach ($attributes as $name => $values) {
 if ((!is_array($values)) || (count($values) == 0)) continue;
- $result .= '<saml:Attribute AttributeNamespace="http://schemas.xmlsoap.org/claims" AttributeName="' . $name .'">';
+ $hasValue = FALSE;
+ $r = '<saml:Attribute AttributeNamespace="http://schemas.xmlsoap.org/claims" AttributeName="' . htmlspecialchars($name) .'">';
 foreach ($values as $value) {
- $result .= '<saml:AttributeValue>' . $value . '</saml:AttributeValue>';
+ if (isset($value) or ($value !== '')) continue;
+ $r .= '<saml:AttributeValue>' . htmlspecialchars($value) . '</saml:AttributeValue>';
+ $hasValue = TRUE;
 }
- $result .= '</saml:Attribute>';
+ $r .= '</saml:Attribute>';
+ if ($hasValue) $result .= $r;
 }
 $result .= '
 </saml:AttributeStatement>
-- 
GitLab
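Review bot: The empty-value guard added in the inner loop is inverted: `if (isset($value) or ($value !== '')) continue;` is true for every non-null value (and, because `null !== ''` also holds, for null as well), so every value is skipped, `$hasValue` never becomes TRUE and no `saml:Attribute` element is ever appended to `$result`. The intended check is `if (!isset($value) || $value === '') continue;`, which skips only null and empty-string values and lets the `htmlspecialchars($value)` line run for the rest. The escaping of `$nameid`, `$name` and `$value` covers the element-content and double-quoted-attribute contexts they sit in, but `$nameidFormat` and `$issueInstant` in the same hunk are still interpolated raw into attribute values; if either can be caller- or configuration-supplied rather than a fixed constant, it should get the same `htmlspecialchars()` treatment. ADFS_GenerateResponse starts before and continues after this hunk.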