From 37c70e232b2d9965e5dbddac7d4dd3a78014d9cb Mon Sep 17 00:00:00 2001
From: Flavian Missi
Date: Mon, 27 Nov 2023 17:14:56 +0100
Subject: [PATCH] apps/internal/local: html escape error desc query string

---
 apps/internal/local/server.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/internal/local/server.go b/apps/internal/local/server.go
index 04236ff3..fda5d7dd 100644
--- a/apps/internal/local/server.go
+++ b/apps/internal/local/server.go
@@ -7,6 +7,7 @@ package local
 import (
 	"context"
 	"fmt"
+	"html"
 	"net"
 	"net/http"
 	"strconv"
@@ -141,7 +142,7 @@ func (s *Server) handler(w http.ResponseWriter, r *http.Request) {
 	headerErr := q.Get("error")
 	if headerErr != "" {
-		desc := q.Get("error_description")
+		desc := html.EscapeString(q.Get("error_description"))
 		// Note: It is a little weird we handle some errors by not going to the failPage. If they all should,
 		// change this to s.error() and make s.error() write the failPage instead of an error code.
 		_, _ = w.Write([]byte(fmt.Sprintf(failPage, headerErr, desc)))
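Review bot: The escaping the new `html` import enables is applied only to `desc`; `headerErr`, which comes from the same untrusted query string via `q.Get("error")`, is still interpolated raw into the same `fmt.Sprintf(failPage, headerErr, desc)` write in the second hunk, so the reflected-content concern this commit addresses remains open for that value. Since `headerErr` may be used elsewhere in `handler` (its body continues past the second hunk, which is cut off at the end of this patch view), escape at the point of output rather than at the read: `_, _ = w.Write([]byte(fmt.Sprintf(failPage, html.EscapeString(headerErr), desc)))`. Note also that `html.EscapeString` is only the right encoder if `failPage` places both values in HTML element content; if either verb sits inside an attribute, a URL, or a `<script>` block, a context-appropriate encoder is needed instead — the template is not visible here, so this should be confirmed against its definition.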