author | Jon Wayne Parrott <jonwayne@google.com> | 2017-07-31 14:41:47 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-07-31 14:41:47 -0700 |
commit | 1c56925cbc83b9dd8a5112a60e62e0aa73a33b5f (patch) | |
tree | a57ee9423b030486b60c12f30b13ef0ed1ed2c05 | |
parent | d94570eb39d6901695153adbaf4c5dbccda80471 (diff) | |
download | oauth2client-1c56925cbc83b9dd8a5112a60e62e0aa73a33b5f.tar.gz |
Escape error reason for oauth2 callback in django_util (#724)
-rw-r--r-- | oauth2client/contrib/django_util/views.py | 2 | ||||
-rw-r--r-- | tests/contrib/django_util/test_views.py | 9 |
2 files changed, 11 insertions, 0 deletions
diff --git a/oauth2client/contrib/django_util/views.py b/oauth2client/contrib/django_util/views.py
index 009b544..1835208 100644
--- a/oauth2client/contrib/django_util/views.py
+++ b/oauth2client/contrib/django_util/views.py
@@ -28,6 +28,7 @@ from django import shortcuts
 from django.conf import settings
 from django.core import urlresolvers
 from django.shortcuts import redirect
+from django.utils import html
 import jsonpickle
 from six.moves.urllib import parse
@@ -109,6 +110,7 @@ def oauth2_callback(request):
 if 'error' in request.GET:
 reason = request.GET.get(
 'error_description', request.GET.get('error', ''))
+ reason = html.escape(reason)
 return http.HttpResponseBadRequest(
 'Authorization failed {0}'.format(reason))
diff --git a/tests/contrib/django_util/test_views.py b/tests/contrib/django_util/test_views.py
index dc06661..0b3fe30 100644
--- a/tests/contrib/django_util/test_views.py
+++ b/tests/contrib/django_util/test_views.py
@@ -249,6 +249,15 @@ class Oauth2CallbackTest(tests_django_util.TestWithDjangoEnvironment):
 self.assertIsInstance(response, http.HttpResponseBadRequest)
 self.assertIn(b'Authorization failed', response.content)
+ def test_error_escapes_html(self):
+ request = self.factory.get('oauth2/oauth2callback', data={
+ 'error': '<script>bad</script>',
+ })
+ response = views.oauth2_callback(request)
+ self.assertIsInstance(response, http.HttpResponseBadRequest)
+ self.assertNotIn(b'<script>', response.content)
+ self.assertIn(b'<script>', response.content)
+
 def test_no_session(self):
 request = self.factory.get('oauth2/oauth2callback', data={
 'code': 123, |
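Review bot: `reason = html.escape(reason)` sits one line before the value is formatted into the response body, so a later edit that interpolates a second value into the message, or reorders these lines, can reintroduce the reflected markup; binding the escaping to the formatting call is more robust, e.g. `return http.HttpResponseBadRequest(html.format_html('Authorization failed {0}', reason))`. Both `error` and `error_description` are read from `request.GET` into the single `reason` name, so the one escape covers whichever was supplied. `HttpResponseBadRequest` is built without a `content_type`, so Django's default text/html applies and the body is parsed as markup, which is why escaping (or alternatively `content_type='text/plain'`) is needed here. The body of `oauth2_callback` continues outside the hunk.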
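Review bot: As rendered here, `self.assertNotIn(b'<script>', response.content)` and `self.assertIn(b'<script>', response.content)` cannot both hold, so the second line is presumably `b'&lt;script&gt;'` in the committed file and this page's HTML rendering has un-escaped it; worth confirming against the source, since as shown the test would fail. The new test feeds the payload only through `error`, while `oauth2_callback` prefers `error_description` when it is present; a second request with `data={'error': 'x', 'error_description': '<script>bad</script>'}` and the same assertions would pin that branch as well. The `Oauth2CallbackTest` class starts outside the hunk.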