From 336dc32f5f3c17b4d47bb8928ba28aec44602acf Mon Sep 17 00:00:00 2001
From: Michiel Van Gendt
Date: Tue, 21 Dec 2021 19:57:53 +0100
Subject: [PATCH] Include message body in 302 responses

---
 src/auth0-session/handlers/callback.ts | 3 ++-
 src/auth0-session/handlers/login.ts    | 3 ++-
 src/auth0-session/handlers/logout.ts   | 7 ++++---
 src/utils/errors.ts                    | 2 +-
 4 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/src/auth0-session/handlers/callback.ts b/src/auth0-session/handlers/callback.ts
index d5a7b6f94..f50399004 100644
--- a/src/auth0-session/handlers/callback.ts
+++ b/src/auth0-session/handlers/callback.ts
@@ -6,6 +6,7 @@ import { ClientFactory } from '../client';
 import TransientStore from '../transient-store';
 import { decodeState } from '../hooks/get-login-state';
 import { SessionCache } from '../session-cache';
+import { htmlSafe } from '../../utils/errors';
 
 function getRedirectUri(config: Config): string {
   return urlJoin(config.baseURL, config.routes.callback);
@@ -69,6 +70,6 @@ export default function callbackHandlerFactory(
     res.writeHead(302, {
       Location: openidState.returnTo || config.baseURL
     });
-    res.end();
+    res.end(htmlSafe(openidState.returnTo || config.baseURL));
   };
 }
diff --git a/src/auth0-session/handlers/login.ts b/src/auth0-session/handlers/login.ts
index 2f25c1fb0..6d78c10e2 100644
--- a/src/auth0-session/handlers/login.ts
+++ b/src/auth0-session/handlers/login.ts
@@ -6,6 +6,7 @@ import TransientStore, { StoreOptions } from '../transient-store';
 import { encodeState } from '../hooks/get-login-state';
 import { ClientFactory } from '../client';
 import createDebug from '../utils/debug';
+import { htmlSafe } from '../../utils/errors';
 
 const debug = createDebug('handlers');
 
@@ -92,6 +93,6 @@ export default function loginHandlerFactory(
     res.writeHead(302, {
       Location: authorizationUrl
     });
-    res.end();
+    res.end(htmlSafe(authorizationUrl));
   };
 }
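Review bot: The 302 in the second callback.ts hunk now carries a body, but `writeHead` there still sets only `Location`, so `openidState.returnTo` (presumably decoded from the login `state`, given the `decodeState` import in the first hunk, and therefore user-influenced) goes out with no Content-Type, and a client that does not follow the redirect is free to content-sniff it; `htmlSafe` covers the HTML case, but declaring the body as text closes that path regardless of how well the escaper keeps up: `res.writeHead(302, { Location: returnTo, 'Content-Type': 'text/plain; charset=utf-8' });`. The fallback `openidState.returnTo || config.baseURL` is also evaluated twice, once for the header and once for the body; hoist it into `const returnTo = openidState.returnTo || config.baseURL;` so the two can never diverge. Separately, as rendered here the first replacement in the errors.ts hunk reads `.replace(/&/g, '&')`, an identity; that is most likely `&amp;` lost in rendering, but confirm the shipped helper encodes the ampersand first, since every later entity depends on it. The enclosing `callbackHandlerFactory` body starts outside the hunk.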
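Review bot: The new import in the first login.ts hunk takes `htmlSafe` from `../../utils/errors`, which after this commit makes an error-reporting module the home of a general-purpose response encoder that three request handlers depend on. A neutral module such as `src/utils/html.ts` (re-exported from `errors.ts` if its existing callers need it) would keep the handlers from importing the error module for an unrelated concern and make the encoder easy to unit-test on its own, e.g. `import { htmlSafe } from '../../utils/html';`. This is a point of style only; the escaping itself is applied in the second hunk to `authorizationUrl`, whose construction lies outside the hunk.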
diff --git a/src/auth0-session/handlers/logout.ts b/src/auth0-session/handlers/logout.ts
index c684a9bfa..5e25691eb 100644
--- a/src/auth0-session/handlers/logout.ts
+++ b/src/auth0-session/handlers/logout.ts
@@ -5,6 +5,7 @@ import createDebug from '../utils/debug';
 import { Config, LogoutOptions } from '../config';
 import { ClientFactory } from '../client';
 import { SessionCache } from '../session-cache';
+import { htmlSafe } from '../../utils/errors';
 
 const debug = createDebug('logout');
 
@@ -28,7 +29,7 @@ export default function logoutHandlerFactory(
       res.writeHead(302, {
         Location: returnURL
       });
-      res.end();
+      res.end(htmlSafe(returnURL));
       return;
     }
 
@@ -40,7 +41,7 @@ export default function logoutHandlerFactory(
       res.writeHead(302, {
         Location: returnURL
       });
-      res.end();
+      res.end(htmlSafe(returnURL));
       return;
     }
 
@@ -54,6 +55,6 @@ export default function logoutHandlerFactory(
     res.writeHead(302, {
       Location: returnURL
     });
-    res.end();
+    res.end(htmlSafe(returnURL));
   };
 }
diff --git a/src/utils/errors.ts b/src/utils/errors.ts
index 5665ed609..870658a80 100644
--- a/src/utils/errors.ts
+++ b/src/utils/errors.ts
@@ -26,7 +26,7 @@ export class AccessTokenError extends Error {
 // eslint-disable-next-line max-len
 // Basic escaping for putting untrusted data directly into the HTML body, per: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#rule-1-html-encode-before-inserting-untrusted-data-into-html-element-content
-function htmlSafe(input: string): string {
+export function htmlSafe(input: string): string {
 return input .replace(/&/g, '&') .replace(/
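Review bot: The three logout.ts hunks each repeat the same `res.writeHead(302, { Location: returnURL }); res.end(htmlSafe(returnURL));` pair, and the callback and login handlers carry two more copies, so the escaping (and any response header you later decide every redirect should carry) has to be remembered at five separate sites. A small shared helper makes the redirect shape a single decision: each site collapses to `redirect(res, returnURL);`, and the helper is the one place that escapes the body and sets a Content-Type so the body is never left untyped for a client that does not follow the redirect. The `res` parameter should be typed the same way the factory types it in its signature, which is outside these hunks, as is the rest of `logoutHandlerFactory`.
```typescript
// Shared 302 helper: keeps Location, body encoding and content type in step at every call site.
function redirect(res: ServerResponse, location: string): void {
  res.writeHead(302, {
    Location: location,
    'Content-Type': 'text/plain; charset=utf-8'
  });
  res.end(htmlSafe(location));
}

// … unchanged: logoutHandlerFactory setup and the conditions around each redirect …
      redirect(res, returnURL);
      return;
```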