From c7c8e7789fec0d53a8804b5ddeda98b27f6088ff Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Thu, 29 Jul 2010 10:40:55 +0000
Subject: [PATCH] templates/status: Fix cross-site scripting.

If simpleSAMLphp is configured with an attribute hook that creates
attribute values containing associative arrays, and is displaying
attributes from an untrusted IdP, it can lead to cross-site scripting.

(Note that the feature allowing for attribute values with associative
arrays is believed to be unused, and will be removed in a future
release.)

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2434 44740490-163a-0410-bde0-09ae8108e29a
---
 templates/status.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/templates/status.php b/templates/status.php
index 72d6b2a54..9c93364b1 100644
--- a/templates/status.php
+++ b/templates/status.php
@@ -28,7 +28,11 @@ $attributes = $this->data['attributes'];
 
 function present_list($attr) {
 	if (is_array($attr) && count($attr) > 1) {
-		$str = '<ul><li>' . join('</li><li>', $attr) . '</li></ul>';
+		$str = '<ul>';
+		foreach ($attr as $value) {
+			$str .= '<li>' . htmlspecialchars($attr) . '</li>';
+		}
+		$str .= '</ul>';
 		return $str;
 	} else {
 		return htmlspecialchars($attr[0]);
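Review bot: The added loop body `$str .= '<li>' . htmlspecialchars($attr) . '</li>';` passes the whole array `$attr` to htmlspecialchars instead of the loop variable `$value`, so the multi-value branch emits one warning per element and never renders the actual attribute values, while `$value` goes unused. The line should read `$str .= '<li>' . htmlspecialchars($value) . '</li>';`, which is what the commit message describes. The single-value branch still escapes `$attr[0]` as before, so only the new loop is affected. present_list's closing braces lie past the end of this hunk.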
@@ -73,7 +77,7 @@ function present_attributes($t, $attributes, $nameParent) {
 				$str .= '<tr class="' . $alternate[($i++ % 2)] . '"><td class="attrname">' . htmlspecialchars($name) . '</td><td class="attrvalue"><ul>';
 				foreach ($value AS $listitem) {
 					if ($nameraw === 'jpegPhoto') {
-						$str .= '<li><img src="data:image/jpeg;base64,' . $listitem . '" /></li>';
+						$str .= '<li><img src="data:image/jpeg;base64,' . htmlspecialchars($listitem) . '" /></li>';
 					} else {
 						$str .= '<li>' . present_assoc($listitem) . '</li>';
 					}
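Review bot: The escaping on the new jpegPhoto line is adequate for the double-quoted `src` attribute (htmlspecialchars escapes `"`, `<`, `>` and `&` by default), but the value is concatenated into a `data:` URI where only base64 text is expected, so a tighter check would be to skip anything outside the base64 alphabet rather than rely on escaping alone, e.g. `if (!preg_match('/^[A-Za-z0-9+\/=]*$/', $listitem)) { continue; }` immediately before the append. The enclosing present_attributes function starts and ends outside this hunk, and the present_assoc branch below the changed line is not touched by this commit.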
-- 
GitLab