authorJon Wayne Parrott <jonwayne@google.com>2017-07-31 14:41:47 -0700
committerGitHub <noreply@github.com>2017-07-31 14:41:47 -0700
commit1c56925cbc83b9dd8a5112a60e62e0aa73a33b5f (patch)
treea57ee9423b030486b60c12f30b13ef0ed1ed2c05
parentd94570eb39d6901695153adbaf4c5dbccda80471 (diff)
downloadoauth2client-1c56925cbc83b9dd8a5112a60e62e0aa73a33b5f.tar.gz
Escape error reason for oauth2 callback in django_util (#724)
-rw-r--r--oauth2client/contrib/django_util/views.py2
-rw-r--r--tests/contrib/django_util/test_views.py9
2 files changed, 11 insertions, 0 deletions
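--- a/oauth2client/contrib/django_util/views.py
+++ b/oauth2client/contrib/django_util/views.py
@@ -28,6 +28,7 @@ from django import shortcuts
 from django.conf import settings
 from django.core import urlresolvers
 from django.shortcuts import redirect
+from django.utils import html
 import jsonpickle
 from six.moves.urllib import parse
@@ -109,6 +110,7 @@ def oauth2_callback(request):
 if 'error' in request.GET:
 reason = request.GET.get(
 'error_description', request.GET.get('error', ''))
+ reason = html.escape(reason)
 return http.HttpResponseBadRequest(
 'Authorization failed {0}'.format(reason))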
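Review bot: The added `html.escape(reason)` line carries no explanation of why it is there, and the reason is not obvious from the surrounding code: `error` / `error_description` are taken straight from the callback query string, which anyone who can send the user to this URL controls, and `HttpResponseBadRequest` serves the formatted string as text/html by default, so an unescaped value would be reflected into the page. A short comment above the new line would keep the next maintainer from "simplifying" it away, e.g. `# 'error'/'error_description' are attacker-controllable query params reflected into an HTML response; escape to prevent reflected XSS.` It may also be worth noting in the same comment that the second hunk covers only the error branch; the rest of `oauth2_callback` starts and ends outside this hunk, so whether other query values are reflected elsewhere cannot be judged here.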
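--- a/tests/contrib/django_util/test_views.py
+++ b/tests/contrib/django_util/test_views.py
@@ -249,6 +249,15 @@ class Oauth2CallbackTest(tests_django_util.TestWithDjangoEnvironment):
 self.assertIsInstance(response, http.HttpResponseBadRequest)
 self.assertIn(b'Authorization failed', response.content)
+ def test_error_escapes_html(self):
+ request = self.factory.get('oauth2/oauth2callback', data={
+ 'error': '<script>bad</script>',
+ })
+ response = views.oauth2_callback(request)
+ self.assertIsInstance(response, http.HttpResponseBadRequest)
+ self.assertNotIn(b'<script>', response.content)
+ self.assertIn(b'&lt;script&gt;', response.content)
+
 def test_no_session(self):
 request = self.factory.get('oauth2/oauth2callback', data={
 'code': 123,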
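Review bot: `test_error_escapes_html` only exercises the `error` parameter, but the view prefers `error_description` when both are present (`request.GET.get('error_description', request.GET.get('error', ''))`), so the path most likely to carry a long, provider-supplied string is untested. A second case in the same test, or a sibling test, that sends both keys and checks the description is the one escaped would close that gap: `data={'error': 'access_denied', 'error_description': '<b>desc</b>'}` followed by `self.assertIn(b'&lt;b&gt;desc&lt;/b&gt;', response.content)` and `self.assertNotIn(b'<b>', response.content)`. The values here are constructed examples; any markup-bearing string serves the purpose.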