Skip to content
This repository has been archived by the owner on Jul 31, 2024. It is now read-only.

Commit

Permalink
HtmlEncode iframe URLs in EndSessionCallbackResult #5184 (#5188)
Browse files Browse the repository at this point in the history
  • Loading branch information
brockallen authored Mar 18, 2021
1 parent 0757467 commit 997a6cd
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 3 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
using System;
using IdentityServer4.Extensions;
using IdentityServer4.Configuration;
using System.Text.Encodings.Web;

namespace IdentityServer4.Endpoints.Results
{
Expand Down Expand Up @@ -79,7 +80,7 @@ private string GetHtml()

if (_result.FrontChannelLogoutUrls != null && _result.FrontChannelLogoutUrls.Any())
{
var frameUrls = _result.FrontChannelLogoutUrls.Select(url => $"<iframe src='{url}'></iframe>");
var frameUrls = _result.FrontChannelLogoutUrls.Select(url => $"<iframe src='{HtmlEncoder.Default.Encode(url)}'></iframe>");
framesHtml = frameUrls.Aggregate((x, y) => x + y);
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -379,8 +379,8 @@ public async Task valid_signout_callback_should_render_iframes_for_all_clients()

response = await _mockPipeline.BrowserClient.GetAsync(signoutFrameUrl);
var html = await response.Content.ReadAsStringAsync();
html.Should().Contain("https://client1/signout?sid=" + sid + "&iss=" + UrlEncoder.Default.Encode("https://server"));
html.Should().Contain("https://client2/signout?sid=" + sid + "&iss=" + UrlEncoder.Default.Encode("https://server"));
html.Should().Contain(HtmlEncoder.Default.Encode("https://client1/signout?sid=" + sid + "&iss=" + UrlEncoder.Default.Encode("https://server")));
html.Should().Contain(HtmlEncoder.Default.Encode("https://client2/signout?sid=" + sid + "&iss=" + UrlEncoder.Default.Encode("https://server")));
}

[Fact]
Expand Down

0 comments on commit 997a6cd

Please sign in to comment.