From 4d6c4d2cb2db868e689ce8ecbcb2f3889a7e4d7a Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Thu, 29 Jul 2010 10:41:03 +0000
Subject: [PATCH] InfoCard: Fix cross-site scripting.

If the InfoCard module is enabled, it can be used to perform cross-site scripting attacks on the site where it is installed.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2435 44740490-163a-0410-bde0-09ae8108e29a
---
 modules/InfoCard/templates/temp-getcardform.php | 10 +++++-----
 modules/InfoCard/templates/temp-login.php | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/modules/InfoCard/templates/temp-getcardform.php b/modules/InfoCard/templates/temp-getcardform.php
index ae00910f5..fecc40ff3 100644
--- a/modules/InfoCard/templates/temp-getcardform.php
+++ b/modules/InfoCard/templates/temp-getcardform.php
@@ -22,7 +22,7 @@
 if(strcmp($this->data['form'],"validate")==0){
 echo '<h2>'.$this->t('getcardform_title').'</h2>';
- echo '<form action = ?AuthState='.$this->data['stateparams']['AuthState']." method='post'>";
+ echo '<form action = ?AuthState='.htmlspecialchars($this->data['stateparams']['AuthState'])." method='post'>";
 echo '<table border="0">';
 echo "<tr><td>".$this->t('form_username').": </td><td><input type='text' name='username' value='usuario' /></td></tr>";
 echo "<tr><td>".$this->t('form_password').": </td><td><input type='password' name='password' value='clave' /></td></tr>";
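Review bot: The escaped AuthState on the `+` line is still written into an unquoted attribute (`action = ?AuthState=...`), so htmlspecialchars() alone does not close the hole: it leaves spaces untouched, and a space in the value terminates the attribute and lets whatever follows become new attributes, an event handler included. Quote the attribute and, since the value is also embedded in a query string, encode for the URL context before the HTML context: `echo '<form action="?AuthState='.htmlspecialchars(urlencode($this->data['stateparams']['AuthState']), ENT_QUOTES).'" method="post">';`. Whether AuthState can actually carry a space depends on how the caller builds it, which is not visible here, so treating it as untrusted (as the commit does) is the safe default. The `if` block this form belongs to continues past the last line of the hunk.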
@@ -34,7 +34,7 @@
 } else if(strcmp($this->data['form'],"selfIssued")==0){ //ASK FOR A SELF-ISSUED CARD
 echo '<h2>'.$this->t('getcardform_self_title').'</h2>';
 echo '<p>'.$this->t('getcardform_self_text').'</p>';
- echo '<form name="ctl00" id="ctl00" method="post" action="?AuthState='.$this->data['stateparams']['AuthState'].'">';
+ echo '<form name="ctl00" id="ctl00" method="post" action="?AuthState='.htmlspecialchars($this->data['stateparams']['AuthState']).'">';
 echo '<OBJECT type="application/x-informationCard" name="xmlToken">';
 echo '<PARAM Name="issuer" Value="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" />';
 if ($this->data['InfoCard']['issuerPolicy']!='') echo '<PARAM Name="issuerPolicy" Value="'.$this->data['InfoCard']['issuerPolicy']."\">\n";
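Review bot: The AuthState on the `+` line is now escaped for the HTML attribute but not for the URL it sits in: the browser decodes `&amp;` back to `&` before submitting, and `#`, `+` and `%` are not touched by htmlspecialchars() at all, so any of them in the value would be reinterpreted by the URL parser and the state lookup on the server would see a different string. Encode for the query-string context first and for the attribute second: `action="?AuthState='.htmlspecialchars(urlencode($this->data['stateparams']['AuthState'])).'">';`. Whether the state identifier can contain such characters is not visible from this template, but the double encoding is correct regardless and costs nothing. The `issuerPolicy` value on the hunk's last context line is also echoed raw into a double-quoted attribute; it presumably comes from configuration rather than the request, but wrapping it in htmlspecialchars() would make the template safe by construction. The `else if` branch continues past the end of the hunk.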
@@ -43,15 +43,15 @@
 if ($this->data['InfoCard']['privacyVersion']!='')echo '<PARAM Name="privacyVersion" Value="'.$this->data['InfoCard']['privacyVersion']."\">\n";
 echo '<PARAM Name="requiredClaims" Value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier">';
 echo '</OBJECT>';
- echo "<input type='hidden' name='username' value='".$this->data['username']."'/>";
- echo "<input type='hidden' name='password' value='".$this->data['password']."'/>";
+ echo "<input type='hidden' name='username' value='".htmlspecialchars($this->data['username'])."'/>";
+ echo "<input type='hidden' name='password' value='".htmlspecialchars($this->data['password'])."'/>";
 echo "<input type='hidden' name='form' value='".$this->data['form']."'/>";
 echo "<input type='image' src='resources/infocard_self_114x80.png' style='cursor:pointer' />";
 echo '</form>';
 } else {
 echo '<h2>'.$this->t('getcardform_finished_title').'</h2>';
 echo '<p>'.$this->t('getcardform_finished_text').'</p>';
- echo '<p> <a href="login-infocard.php?AuthState='.$this->data['stateparams']['AuthState'].'">LOGIN</a></p>';
+ echo '<p> <a href="login-infocard.php?AuthState='.htmlspecialchars($this->data['stateparams']['AuthState']).'">LOGIN</a></p>';
 }
 }
 ?>
diff --git a/modules/InfoCard/templates/temp-login.php b/modules/InfoCard/templates/temp-login.php
index 8417aa51b..346986331 100644
--- a/modules/InfoCard/templates/temp-login.php
+++ b/modules/InfoCard/templates/temp-login.php
@@ -19,7 +19,7 @@
 <p><?php echo $this->t('user_IC_text'); ?></p>
- <form name="ctl00" id="ctl00" method="post" action="?AuthState=<?php echo $this->data['stateparams']['AuthState']?>">
+ <form name="ctl00" id="ctl00" method="post" action="?AuthState=<?php echo htmlspecialchars($this->data['stateparams']['AuthState'])?>">
 <!-- <ic:informationCard xmlns:ic="<?php echo $this->data['InfoCard']['schema'] ?>" name="xmlToken" issuer="<?php echo $this->data['InfoCard']['issuer']; ?>"
-- GitLab
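Review bot: The username and password on the first two `+` lines are written into single-quoted attributes (`value='...'`), and htmlspecialchars() with its default flags on the PHP versions of this patch's era (ENT_COMPAT; the default only changed to include ENT_QUOTES in PHP 8.1) does not encode `'`, so a submitted value such as `' onfocus='alert(1)' x='` still breaks out of the attribute and the XSS survives the fix. Pass the flag explicitly, `htmlspecialchars($this->data['username'], ENT_QUOTES)` and the same for the password, or switch these attributes to double quotes, which htmlspecialchars() encodes by default. The hidden `form` field on the following context line is still echoed raw; in this branch its value is constrained by the `strcmp` guard at the top of the enclosing `else if`, but escaping it too keeps the template uniform. Separately, re-emitting the password as a hidden field leaves it in the rendered page; if the flow allows, keeping it server-side in the auth state and sending only the state identifier would be preferable, though the surrounding controller is not visible here.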