Single quotes in JSON string cause error #37

Open
kryops opened this issue Mar 29, 2023 · 3 comments


kryops commented Mar 29, 2023

Hi there,

If the JSON from the OAuth provider contains single quotes, it causes an error.

Example (with misconfigured Azure AD):

```json
{
    "error": "invalid_client",
    "error_description": "AADSTSXXXX: The application 'MyApplication' asked for scope 'myScope' that doesn't exist on the resource 'xxxx-xxxx-xxxx'. Contact the app vendor.\r\nTrace ID: xxxx-xxxx-xxxx\r\nCorrelation ID: xxxx-xxxx-xxxx\r\nTimestamp: 2023-03-29 06:30:49Z"
}
```

In the Chrome/Safari dev tools it just shows up as something like Uncaught SyntaxError: Unexpected identifier VM296:1

The cause seems to be that the JSON string is just pasted into the generated JavaScript code without escaping single quotes, which would result in invalid code like this:

```js
window.dispatchEvent(new MessageEvent('message', { data: 'oauth::{"foo":"some 'quoted' content"}' }))
```

It affects both Android and iOS:

Thanks for looking into it!

Member

dpogue commented Apr 4, 2023

Thanks for raising this! It seems like it should be a fairly simple fix just escaping single quotes in the message before concatenating the strings.

I was hoping there would be a good way to reproduce this with tests, but the testing situation here is still not quite what I'd like it to be 😞

Author

kryops commented Apr 4, 2023

I found a suspicious workaround in our code that looks like backslashes should probably be escaped as well. They do not cause errors like single quotes do, but we currently have to escape newlines and tabs in our message handler code because they prevent the message from being parsed as JSON:

```js
const jsonString = message.replace(/\n/g, '\\n').replace(/\r/g, '\\r').replace(/\t/g, '\\t');
const json = JSON.parse(jsonString);
```

Member

dpogue commented Apr 4, 2023

I wonder if a simple solution is to use backtick strings instead of single-quote strings... there's a small chance that breaks on really old webviews, but I'm not sure Cordova still works on anything that old.

But maybe that doesn't fix the newlines and other special characters?
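
Added example, not code from the plugin or from either commenter: it builds the generated script three ways (single-quote concatenation as described in the issue, the backtick variant, and a literal produced by `JSON.stringify`) and evaluates each against a stub to show where the message breaks. The names `wrap`, `buildNaive`, `buildBacktick`, `buildEscaped`, `deliver` and the stub `window`/`MessageEvent` objects are hypothetical, and the sample payload is constructed.

```javascript
// Constructed sample in the shape of the provider error from this issue:
// single quotes plus CR/LF, which JSON encodes as the escapes \r\n.
const sample = { error: 'invalid_client',
  error_description: "The application 'MyApplication' asked for scope 'myScope'.\r\nTrace ID: xxxx" };
const message = 'oauth::' + JSON.stringify(sample);

const wrap = (literal) =>
  "window.dispatchEvent(new MessageEvent('message', { data: " + literal + " }));";

// Behaviour described in the issue: paste the message between single quotes.
const buildNaive = (msg) => wrap("'" + msg + "'");
// Backtick variant raised in the thread.
const buildBacktick = (msg) => wrap('`' + msg + '`');
// Hardened: JSON.stringify emits a complete double-quoted literal, escaping
// quotes, backslashes and control characters. U+2028/U+2029 are escaped too,
// because engines older than ES2019 reject them raw inside string literals.
const buildEscaped = (msg) => wrap(JSON.stringify(msg)
  .replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029'));

// Evaluate a generated script against stub window/MessageEvent objects
// (hypothetical stand-ins for the webview) and report how far the message gets.
function deliver(script) {
  let data;
  const win = { dispatchEvent: (ev) => { data = ev.data; } };
  class StubMessageEvent { constructor(type, init) { this.data = init.data; } }
  try {
    new Function('window', 'MessageEvent', script)(win, StubMessageEvent);
  } catch (e) {
    return { stage: 'script', error: e.name };   // generated code did not run
  }
  try {
    return { stage: 'ok', json: JSON.parse(data.slice('oauth::'.length)) };
  } catch (e) {
    return { stage: 'json', error: e.name };     // ran, but payload was altered
  }
}

const results = {
  naive: deliver(buildNaive(message)),
  backtick: deliver(buildBacktick(message)),
  escaped: deliver(buildEscaped(message)),
};
console.log(results);
```

With this sample the single-quote version fails as a script, the backtick version runs but turns the `\r\n` escapes into raw control characters that `JSON.parse` rejects, and only the `JSON.stringify` literal round-trips.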

dpogue added a commit to dpogue/cordova-plugin-oauth that referenced this issue Oct 23, 2024
Closes AyogoHealth#20.
Closes AyogoHealth#31.
Closes AyogoHealth#33.
Closes AyogoHealth#37.

Co-Authored-By: Darrell Wu <[email protected]>
Co-Authored-By: Stefan Erkenberg <[email protected]>
Co-Authored-By: Michael Manzinger <[email protected]>