fix(security): escape error text in OIDC error pages

OIDC error responses interpolated parse-error/exception and error_description
text straight into HTML. idpyoidc currently emits canned messages, but this is
the same reflected-XSS class as the validation-error fix; relying on upstream
not to echo input is fragile.

Add a shared _error_page() helper that HTML-escapes the message and route all
six dynamic error responses through it.

Refs: porchlight-8iw

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Johan Lundberg 2026-06-04 11:06:08 +02:00
parent 71a7c23bdd
commit 7c4dbf2cd9
No known key found for this signature in database
GPG key ID: A6C152738D03C7D1
2 changed files with 26 additions and 6 deletions


@ -2,6 +2,16 @@ import secrets
from httpx import AsyncClient
from porchlight.oidc.endpoints import _error_page
def test_error_page_escapes_html() -> None:
# OIDC error pages must not interpolate request-derived text as raw HTML.
resp = _error_page("<script>alert(1)</script>")
body = resp.body.decode()
assert "<script>" not in body
assert "&lt;script&gt;alert(1)&lt;/script&gt;" in body
def _register_test_client(
client: AsyncClient,
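Review bot: the two assertions in test_error_page_escapes_html only prove that `<` and `>` are encoded; the helper is also fed error_description text, so add a case with quotes and an ampersand, for instance `_error_page('"><img src=x onerror=alert(1)>')` asserting that `&quot;` and `&lt;img` appear, and one with already-encoded input such as `&lt;b&gt;` asserting `&amp;lt;`, so an implementation that escapes angle brackets only, or that skips text that already looks like entities, does not pass. The test also exercises the helper directly rather than any of the six endpoint responses the commit message says were routed through it; this module already has `AsyncClient` and `_register_test_client`, so one end-to-end case that provokes an error response and checks its body for the escaped form would catch an endpoint that still formats its own HTML.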