diff --git a/templates/default/en/admin-metadatalist.php b/templates/default/en/admin-metadatalist.php
index 9dec31ca13ef7ed8f90f280183602f77f7d73598..3c2043deaa115ae535bf16f3255a49f715cbcd88 100644
--- a/templates/default/en/admin-metadatalist.php
+++ b/templates/default/en/admin-metadatalist.php
@@ -26,22 +26,22 @@
 
 				//print_r($entity);
 
-				echo '<h4>' . $name . '</h4>';
+				echo '<h4>' . htmlspecialchars($name) . '</h4>';
 				if (isset($entity['optional.found']['description'])) {
-					echo '<p>' . $entity['optional.found']['description'] . '</p>';
+					echo '<p>' . htmlspecialchars($entity['optional.found']['description']) . '</p>';
 				}
 				
 				echo '<p>Required fields</p>';
 				echo '<table style="width: 100%; border: 1px solid #eee"><tr><th>Key</th><th>Value</th></tr>';
 				foreach ($entity['required.found'] AS $key => $value) {
-					echo '<tr><td>' . $key . '</td><td>' . $value . '</td></tr>';
+					echo '<tr><td>' . htmlspecialchars($key) . '</td><td>' . htmlspecialchars($value) . '</td></tr>';
 				}
 				echo '</table>';
 	
 				if (count($entity['required.notfound']) > 0) {
 					echo '<p>The following required fields was not found:<ul>';
 					foreach ($entity['required.notfound'] AS $key) {
-						echo '<li>' . $key . '</li>';
+						echo '<li>' . htmlspecialchars($key) . '</li>';
 					}
 					echo '</ul>';				
 				}
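Review bot: Every new htmlspecialchars() call in this hunk relies on the default flags, which encode `"` but not `'` and pick a charset that depends on the PHP version, so the same helper becomes unsafe the moment one of these values lands in a single-quoted attribute. Passing the quote flag and an explicit charset everywhere, e.g. `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')`, keeps the escaping correct independent of the surrounding markup; a small helper on the template base class would make that one change instead of dozens across this commit. Also, if a field in `$entity['required.found']` can be an array rather than a string, htmlspecialchars() emits a warning and returns nothing for that cell — whether that can happen is not visible from this hunk, so worth confirming against the metadata parser.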
@@ -50,7 +50,7 @@
 					echo '<p>Optional fields</p>';
 					echo '<table><tr><th>Key</th><th>Value</th></tr>';
 					foreach ($entity['optional.found'] AS $key => $value) {
-						echo '<tr><td>' . $key . '</td><td>' . $value . '</td></tr>';
+						echo '<tr><td>' . htmlspecialchars($key) . '</td><td>' . htmlspecialchars($value) . '</td></tr>';
 					}
 					echo '</table>';
 				}
@@ -58,7 +58,7 @@
 				if (count($entity['optional.notfound']) > 0) {
 					echo '<p>The following optional fields was not found:<ul>';
 					foreach ($entity['optional.notfound'] AS $key) {
-						echo '<li>' . $key . '</li>';
+						echo '<li>' . htmlspecialchars($key) . '</li>';
 					}
 					echo '</ul>';				
 				}
@@ -66,7 +66,7 @@
 				if (count($entity['leftovers']) > 0) {
 					echo '<p>The following fields was not reckognized:<ul>';
 					foreach ($entity['leftovers'] AS $key => $value) {
-						echo '<li>' . $key . '</li>';
+						echo '<li>' . htmlspecialchars($key) . '</li>';
 					}
 					echo '</ul>';				
 				}
diff --git a/templates/default/en/consent.php b/templates/default/en/consent.php
index cf375d53f7b28ea2bbae73e9367f2ee1a0f07786..ec71aaa567e0cf0a54cf21902671d5ce43e5c691 100644
--- a/templates/default/en/consent.php
+++ b/templates/default/en/consent.php
@@ -7,9 +7,9 @@
 	
 	<div id="content">
 
-		<p>You are about to login to the service <strong><?php echo $data['spentityid']; ?></strong>. In the login proccess, the identity provider will send attributes containing information about your identity to this service. Do you accept this?</p>
+		<p>You are about to login to the service <strong><?php echo htmlspecialchars($data['spentityid']); ?></strong>. In the login proccess, the identity provider will send attributes containing information about your identity to this service. Do you accept this?</p>
 				
-		<p><a href="<?php echo $data['consenturl']; ?>"><strong>Yes</strong>, I accept that attributes are sent to this service</a></p>
+		<p><a href="<?php echo htmlspecialchars($data['consenturl']); ?>"><strong>Yes</strong>, I accept that attributes are sent to this service</a></p>
 		
 		<p style="font-size: x-small">[ <a href="">Show attributes that are sent</a> ]</p>
 		<table style="font-size: x-small">
@@ -19,13 +19,13 @@
 			$attributes = $data['attributes'];
 			foreach ($attributes AS $name => $value) {
 				if (sizeof($value) > 1) {
-					echo '<tr><td>' . $name . '</td><td><ul>';
+					echo '<tr><td>' . htmlspecialchars($name) . '</td><td><ul>';
 					foreach ($value AS $v) {
-						echo '<li>' . $v . '</li>';
+						echo '<li>' . htmlspecialchars($v) . '</li>';
 					}
 					echo '</ul></td></tr>';
 				} else {
-					echo '<tr><td>' . $name . '</td><td>' . $value[0] . '</td></tr>';
+					echo '<tr><td>' . htmlspecialchars($name) . '</td><td>' . htmlspecialchars($value[0]) . '</td></tr>';
 				}
 			}
 
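Review bot: The else branch containing the new `htmlspecialchars($value[0])` is also reached when an attribute has zero values, because the guard only tests `sizeof($value) > 1`; for an empty array this raises an undefined-offset notice and renders an empty cell. `htmlspecialchars(isset($value[0]) ? $value[0] : '')`, or splitting the branch into multi-valued, single-valued and empty, avoids that. If a non-array attribute value can arrive here, `sizeof()` on a scalar returns 1 and `$value[0]` prints only its first byte — whether the caller guarantees arrays is not visible from this hunk.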
diff --git a/templates/default/en/frontpage.php b/templates/default/en/frontpage.php
index c428c9f227ab9d7bc6b56e59198cd072ff75a9b6..ae757d2ea2b9b4c4e9cc4eebdcff4756c431f032 100644
--- a/templates/default/en/frontpage.php
+++ b/templates/default/en/frontpage.php
@@ -16,7 +16,7 @@
 			<?php
 			
 				foreach ($data['links'] AS $link) {
-					echo '<li><a href="' . $link['href'] . '">' . $link['text'] . '</a></li>';
+					echo '<li><a href="' . htmlspecialchars($link['href']) . '">' . htmlspecialchars($link['text']) . '</a></li>';
 				}
 			?>
 				<!-- li><a href="saml2/sp/metadata.php">Look at your SAML 2.0 SP metadata</a> - you can send this metadata document to your IdP.</a></li>
diff --git a/templates/default/en/login-ldapmulti.php b/templates/default/en/login-ldapmulti.php
index 426ff0b2b80d8b7a9a8c85417037fd7cb06002db..9f3d4cdfcca3b353a1f93be594971b62dfe669bc 100644
--- a/templates/default/en/login-ldapmulti.php
+++ b/templates/default/en/login-ldapmulti.php
@@ -12,7 +12,7 @@
 		<img src="/<?php echo $data['baseurlpath']; ?>resources/icons/bomb.png" style="float: left; margin: 15px " />
 		<h2>What you entered was not accepted!</h2>
 		
-		<p><?php echo $data['error']; ?> </p>
+		<p><?php echo htmlspecialchars($data['error']); ?> </p>
 		</div>
 		<?php } ?>
 	
@@ -30,13 +30,13 @@
 				<td style="padding: .3em;">Username</td>
 				<td><input type="text" tabindex="1" name="username" 
 					<?php if (isset($data['username'])) {
-						echo 'value="' . $data['username'] . '"';
+						echo 'value="' . htmlspecialchars($data['username']) . '"';
 					} ?> /></td>
 
 					
 				<td style="padding: .4em;" rowspan="3">
 					<input type="submit" tabindex="3" value="Login" />
-					<input type="hidden" name="RelayState" value="<?php echo $data['relaystate']; ?>" />
+					<input type="hidden" name="RelayState" value="<?php echo htmlspecialchars($data['relaystate']); ?>" />
 				</td>
 			</tr>
 			
@@ -48,7 +48,7 @@
 					foreach ($data['ldapconfig'] AS $key => $entry) {
 						echo '<option ' .
 							($key == $data['org'] ? 'selected="selected" ' : '')
-							. 'value="' . $key . '">' . $entry['description'] . '</option>';
+							. 'value="' . htmlspecialchars($key) . '">' . htmlspecialchars($entry['description']) . '</option>';
 					}
 					
 					?>
diff --git a/templates/default/en/login.php b/templates/default/en/login.php
index 852383482c716aa70276aaf3e3dd9e0f036f6faf..a4389e772a5e523a649db6f8c44243fecfe7a435 100644
--- a/templates/default/en/login.php
+++ b/templates/default/en/login.php
@@ -12,7 +12,7 @@
 		<img src="/<?php echo $data['baseurlpath']; ?>resources/icons/bomb.png" style="float: left; margin: 15px " />
 		<h2>What you entered was not accepted!</h2>
 		
-		<p><?php echo $data['error']; ?> </p>
+		<p><?php echo htmlspecialchars($data['error']); ?> </p>
 		</div>
 		<?php } ?>
 	
diff --git a/templates/default/en/metadata.php b/templates/default/en/metadata.php
index 3dd5a8e2c36f6b83df1fd0c3a62629d8b34e565e..e237f27f3b9297a26eacc76c616d232bbbcd0c0a 100644
--- a/templates/default/en/metadata.php
+++ b/templates/default/en/metadata.php
@@ -12,8 +12,8 @@
 		<p>Here is SAML 2.0 metadata that simpleSAMLphp has generated for you. You may send this SAML 2.0 Metadata document to trusted partners to setup a trusted federation.</p>
 		
 		<?php if (isset($data['metaurl'])) { ?>
-			<p>You can <a href="<?php echo $data['metaurl']; ?>">get the metadata xml on a dedicated URL</a>:<br />
-			<input type="text" style="width: 90%" value="<?php echo $data['metaurl']; ?>" /></p>
+			<p>You can <a href="<?php echo htmlspecialchars($data['metaurl']); ?>">get the metadata xml on a dedicated URL</a>:<br />
+			<input type="text" style="width: 90%" value="<?php echo htmlspecialchars($data['metaurl']); ?>" /></p>
 		<?php } ?>
 		<h2>Metadata</h2>
 		
@@ -42,7 +42,7 @@
 					</p>
 					
 					<input type="hidden" name="metadata" value="<?php echo urlencode(base64_encode($data['metadata'])); ?>" />
-					<input type="hidden" name="defaultidp" value="<?php echo $data['defaultidp']; ?>" />
+					<input type="hidden" name="defaultidp" value="<?php echo htmlspecialchars($data['defaultidp']); ?>" />
 					<input type="submit" name="send" value="Send my metadata to Feide" />
 					
 				</form>
diff --git a/templates/default/en/openid-about.php b/templates/default/en/openid-about.php
index f72fc2b88094ae6ef4dad7c3f5018a68b99d42fe..52e97dfc9ea65ab4f193083749519e8d3d78a747 100644
--- a/templates/default/en/openid-about.php
+++ b/templates/default/en/openid-about.php
@@ -21,8 +21,8 @@
 		  Insert the following markup into the <code>&lt;head&gt;</code> of the HTML
 		  document at that URL:
 		</p>
-<pre>&lt;link rel="openid.server" href="<?php echo $data['openidserver']; ?>" /&gt;
-&lt;link rel="openid.delegation" href="<?php echo $data['openiddelegation']; ?>" /&gt;
+<pre>&lt;link rel="openid.server" href="<?php echo htmlspecialchars($data['openidserver']); ?>" /&gt;
+&lt;link rel="openid.delegation" href="<?php echo htmlspecialchars($data['openiddelegation']); ?>" /&gt;
 		
 		</pre>
 		
@@ -30,9 +30,9 @@
 		<p><?php
 			
 			if (isset($data['userid'])) {
-				echo 'You are now logged in as ' . $data['userid']; 
+				echo 'You are now logged in as ' . htmlspecialchars($data['userid']);
 			} else {
-				echo '<a href="' . $data['initssourl'] . '">Login</a>';
+				echo '<a href="' . htmlspecialchars($data['initssourl']) . '">Login</a>';
 			}
 		
 		?>
diff --git a/templates/default/en/openid-sites.php b/templates/default/en/openid-sites.php
index 024d9e7a8c551cca8cada8f59fef8a68fa2f63c9..1040218b4f93b1f80e98a21d637abe8b6797ae81 100644
--- a/templates/default/en/openid-sites.php
+++ b/templates/default/en/openid-sites.php
@@ -40,7 +40,7 @@
 											   'Untrusted Sites' => $untrusted_sites) as
 										 $name => $sites) {
 									if ($sites) {
-										echo '<tr><th colspan="2">'. $name . '</th></tr>';
+										echo '<tr><th colspan="2">'. htmlspecialchars($name) . '</th></tr>';
 										foreach ($sites as $site) {
 											$siteid = 'site' . $i;
 											echo '<tr>
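Review bot: Escaping `$name` here is harmless but it only ever holds the fixed labels from the array literal above (such as 'Untrusted Sites'), while the values that actually carry relying-party input — each `$site` in the inner loop — are emitted by the echo statement that continues past the end of this hunk. Please confirm that `$site` is wrapped in `htmlspecialchars()` in the lines that follow, both where it is printed as text and where it is placed in an attribute, since those are the strings a malicious trust_root would reach.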
diff --git a/templates/default/en/openid-trust.php b/templates/default/en/openid-trust.php
index 2e1266f8d14103471f174cca2db5073efd858163..3b05e3a1028ea10bbeea66e06538fb5e7df0a688 100644
--- a/templates/default/en/openid-trust.php
+++ b/templates/default/en/openid-trust.php
@@ -14,7 +14,7 @@
 		<a href="/<?php echo $data['baseurlpath']; ?>/openid/provider/server.php/about">About simpleSAMLphp OpenID</a> ]</p>
 		
 		<div class="form">
-		  <p>Do you wish to confirm your identity URL (<code><?php echo $data['openidurl']; ?></code>) 
+		  <p>Do you wish to confirm your identity URL (<code><?php echo htmlspecialchars($data['openidurl']); ?></code>)
 		  	with <code><?php echo $data['siteurl']; ?></code>?</p>
 		  <form method="post" action="<?php echo $data['trusturl']; ?>">
 			<input type="checkbox" name="remember" value="on" id="remember"><label
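Review bot: The hunk escapes `$data['openidurl']` but leaves `$data['siteurl']` and `$data['trusturl']` on the two lines immediately below it raw, and `siteurl` is the relying party's trust_root supplied by the OpenID request, i.e. attacker-controlled text placed directly into the page. `<code><?php echo htmlspecialchars($data['siteurl']); ?></code>` and `action="<?php echo htmlspecialchars($data['trusturl']); ?>"` close the gap. `$data['baseurlpath']` on the context line above is also echoed raw here and in the login templates; it is presumably a configured value, but escaping it costs nothing and removes the exception.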
diff --git a/templates/default/en/post-debug.php b/templates/default/en/post-debug.php
index a9a20e2ef5416b9c577042013c35e12a7ccca3b2..041422474fae5c9decef13fd8802750510d406b2 100644
--- a/templates/default/en/post-debug.php
+++ b/templates/default/en/post-debug.php
@@ -13,9 +13,9 @@
 	
 		<p>You are about to send a SAML response back to the service. Hit the send response button to continue.</p>
 		
-		<form method="post" action="<?php echo $data['destination']; ?>">
-			<input type="hidden" name="SAMLResponse" value="<?php echo $data['response']; ?>" />
-			<input type="hidden" name="<?php echo $data['RelayStateName']; ?>" value="<?php echo $data['RelayState']; ?>">
+		<form method="post" action="<?php echo htmlspecialchars($data['destination']); ?>">
+			<input type="hidden" name="SAMLResponse" value="<?php echo htmlspecialchars($data['response']); ?>" />
+			<input type="hidden" name="<?php echo htmlspecialchars($data['RelayStateName']); ?>" value="<?php echo htmlspecialchars($data['RelayState']); ?>">
 			<input type="submit" value="Submit the response to the service" />
 		</form>
 
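Review bot: Escaping `$data['destination']` in the form action stops attribute breakout but does not make the POST target trustworthy: if the destination comes from the incoming AuthnRequest rather than from the SP's registered metadata, an attacker-chosen host or a `javascript:` URL still receives the SAML response on submit. The template cannot fix that; the caller that fills `$data['destination']` should validate it against the AssertionConsumerService URL in the SP's metadata, and a comment on the form line such as `<!-- destination must already be validated against SP metadata by the caller -->` would make the contract explicit. Where the value originates is outside this hunk, so treat this as an assumption to confirm.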
diff --git a/templates/default/en/selectidp-dropdown.php b/templates/default/en/selectidp-dropdown.php
index 9aba6e2b70756aa7d094c0fe5b29a5cf92a67b9e..c34af28f7cb538de5145c7117e3390b51317fc43 100644
--- a/templates/default/en/selectidp-dropdown.php
+++ b/templates/default/en/selectidp-dropdown.php
@@ -12,17 +12,17 @@
 		<p>Please select the identity provider where you want to authenticate:</p>
 		
 		<form method="get" action="<?php echo $data['urlpattern']; ?>">
-		<input type="hidden" name="entityID" value="<?php echo $data['entityID']; ?>" />
-		<input type="hidden" name="return" value="<?php echo $data['return']; ?>" />
-		<input type="hidden" name="returnIDParam" value="<?php echo $data['returnIDParam']; ?>" />
+		<input type="hidden" name="entityID" value="<?php echo htmlspecialchars($data['entityID']); ?>" />
+		<input type="hidden" name="return" value="<?php echo htmlspecialchars($data['return']); ?>" />
+		<input type="hidden" name="returnIDParam" value="<?php echo htmlspecialchars($data['returnIDParam']); ?>" />
 		<select name="idpentityid">
 		<?php
 		
 		foreach ($data['idplist'] AS $idpentry) {
 
-			echo '<option value="'.$idpentry['entityid'].'"';
+			echo '<option value="'.htmlspecialchars($idpentry['entityid']).'"';
 			if ($idpentry['entityid'] == $data['preferedidp']) echo ' selected="selected"';
-			echo '>'.$idpentry['name'].'</option>';
+			echo '>'.htmlspecialchars($idpentry['name']).'</option>';
 		
 		}
 		?>
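Review bot: The form action on the first context line of this hunk still echoes `$data['urlpattern']` raw while the three hidden inputs directly below it are now escaped, so one value in the same element is left out. Changing it to `<form method="get" action="<?php echo htmlspecialchars($data['urlpattern']); ?>">` keeps the hunk consistent. Separately, `$data['return']` is the URL the user is sent to after IdP selection; escaping makes it safe in HTML, but the discovery service should still validate it against the requesting SP's metadata to avoid an open redirect — that check lives outside this template, so I cannot confirm it exists.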
diff --git a/templates/default/en/selectidp-links.php b/templates/default/en/selectidp-links.php
index e75bf6664cbd09c89ed6fedc7cfc67e775531782..a8e2b5bcd4354ae44143995d619792c956ee4161 100644
--- a/templates/default/en/selectidp-links.php
+++ b/templates/default/en/selectidp-links.php
@@ -16,9 +16,9 @@
 		
 		foreach ($data['idplist'] AS $idpentry) {
 			
-			echo '<h3>' . $idpentry['name'] . '</h3>';
-			echo '<p>' . $idpentry['description'] . '<br />';
-			echo '[ <a href="' . $data['urlpattern'] . $idpentry['entityid'] . '">Select this IdP</a>]</p>';
+			echo '<h3>' . htmlspecialchars($idpentry['name']) . '</h3>';
+			echo '<p>' . htmlspecialchars($idpentry['description']) . '<br />';
+			echo '[ <a href="' . $data['urlpattern'] . htmlspecialchars($idpentry['entityid']) . '">Select this IdP</a>]</p>';
 		
 		}
 		
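Review bot: On the new href line `$idpentry['entityid']` is concatenated into a URL but only HTML-escaped, which is the wrong escaping for a query-string component: an entity ID containing `&` or `#` (SAML entity IDs are URIs and may contain both) still injects or truncates query parameters once the browser decodes `&amp;` back to `&`. Build the URL first with `urlencode()` and then escape the whole attribute value, e.g. `echo '[ <a href="' . htmlspecialchars($data['urlpattern'] . urlencode($idpentry['entityid'])) . '">Select this IdP</a>]</p>';`. This assumes `urlpattern` ends with a query parameter name, as the concatenation suggests; if it is a path prefix, `rawurlencode()` is the right choice instead.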
diff --git a/www/openid/provider/server.php b/www/openid/provider/server.php
index 9d4f7a7531b451b7e90a34262f559e7ee066ba16..f9677fdbbfacf8c17afebe7b2c88c474f27dc695 100644
--- a/www/openid/provider/server.php
+++ b/www/openid/provider/server.php
@@ -593,8 +593,8 @@ function doAuth($info, $trusted=null, $fail_cancels=false)
 		$t = new SimpleSAML_XHTML_Template($config, 'error.php');
 
 		$t->data['header'] = 'OpenID identity mismatch';
-		$t->data['message'] = 'Your identity ' . $user . ' does not match the requested identity from the 
-			OpenID consumer, which was: ' . $req_url;
+		$t->data['message'] = 'Your identity ' . htmlspecialchars($user) . ' does not match the requested identity from the
+			OpenID consumer, which was: ' . htmlspecialchars($req_url);
 		$t->data['e'] = new Exception('OpenID Error');
 		
 		$t->show();
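Review bot: The new code HTML-escapes `$user` and `$req_url` at the point the message is assembled, which is the opposite of what the rest of this commit does (escaping inside the templates); if error.php is ever updated to escape `$data['message']` this text will be double-encoded, and if it is not, every other caller of the error template must remember to pre-escape. At minimum a comment on the assignment, e.g. `// pre-escaped: error.php echoes $data['message'] raw`, should record that contract; better would be to keep the message raw and escape in the template so the rule is uniform. `$req_url` originates from the OpenID consumer's request, so one of the two must happen. doAuth() begins and ends outside this hunk.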