Commit graph

2 commits

Author SHA1 Message Date
Johan Lundberg
7c4dbf2cd9
fix(security): escape error text in OIDC error pages
OIDC error responses interpolated parse-error/exception and error_description
text straight into HTML. idpyoidc currently emits canned messages, but this is
the same reflected-XSS class as the validation-error fix; relying on upstream
not to echo input is fragile.

Add a shared _error_page() helper that HTML-escapes the message and route all
six dynamic error responses through it.

Refs: porchlight-8iw

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-04 11:06:08 +02:00
Johan Lundberg
d8c891af89
feat: add OIDC discovery, JWKS, and authorization endpoints
2026-02-16 13:33:40 +01:00