fix(facebook): Use json_script to encode settings

pennersr · Jul 12, 2024 · 8fead34 · 8fead34
1 parent 11fa4e8
commit 8fead34
Show file tree

Hide file tree

Showing 9 changed files with 19 additions and 13 deletions.
diff --git a/ChangeLog.rst b/ChangeLog.rst
@@ -1,3 +1,13 @@
+0.63.6 (2024-07-12)
+*******************
+
+Security notice
+---------------
+
+- When the Facebook provider was configured to use the ``js_sdk`` method the
+  login page could become vulnerable to an XSS attack.
+
+
 0.63.5 (2024-07-11)
 *******************
 

diff --git a/allauth/__init__.py b/allauth/__init__.py
@@ -8,7 +8,7 @@
 
 """
 
-VERSION = (0, 63, 5, "final", 0)
+VERSION = (0, 63, 6, "final", 0)
 
 __title__ = "django-allauth"
 __version_info__ = VERSION

diff --git a/allauth/socialaccount/providers/facebook/provider.py b/allauth/socialaccount/providers/facebook/provider.py
@@ -1,4 +1,3 @@
-import json
 import requests
 import string
 from urllib.parse import quote
@@ -9,7 +8,6 @@
 from django.urls import reverse
 from django.utils.crypto import get_random_string
 from django.utils.html import escapejs
-from django.utils.safestring import mark_safe
 
 from allauth.account.models import EmailAddress
 from allauth.socialaccount.adapter import get_adapter
@@ -176,7 +174,7 @@ def abs_uri(name):
             "errorUrl": abs_uri("socialaccount_login_error"),
             "csrfToken": get_token(request),
         }
-        ctx = {"fb_data": mark_safe(json.dumps(fb_data))}
+        ctx = {"fb_data": fb_data}
         return render_to_string("facebook/fbconnect.html", ctx, request=request)
 
     def get_nonce(self, request, or_create=False, pop=False):

diff --git a/allauth/socialaccount/providers/facebook/static/facebook/js/fbconnect.js b/allauth/socialaccount/providers/facebook/static/facebook/js/fbconnect.js
@@ -29,7 +29,7 @@
   }
 
   var allauth = window.allauth = window.allauth || {}
-  var fbSettings = JSON.parse(document.getElementById('allauth-facebook-settings').innerHTML)
+  const fbSettings = JSON.parse(document.getElementById('allauth-facebook-settings').textContent)
   var fbInitialized = false
 
   allauth.facebook = {

diff --git a/allauth/socialaccount/providers/facebook/templates/facebook/fbconnect.html b/allauth/socialaccount/providers/facebook/templates/facebook/fbconnect.html
@@ -1,4 +1,4 @@
 {% load static %}
 <div id="fb-root"></div>
-<script id="allauth-facebook-settings" type="application/json">{{ fb_data }}</script>
+{{ fb_data|json_script:"allauth-facebook-settings" }}
 <script type="text/javascript" src="{% static 'facebook/js/fbconnect.js' %}"></script>
diff --git a/allauth/socialaccount/providers/facebook/tests.py b/allauth/socialaccount/providers/facebook/tests.py
@@ -1,5 +1,3 @@
-import json
-
 from django.contrib.auth import get_user_model
 from django.test.client import RequestFactory
 from django.test.utils import override_settings
@@ -130,7 +128,7 @@ def test_login_by_token(self):
     )
     def test_login_by_token_reauthenticate(self):
         resp = self.client.get(reverse("account_login"))
-        nonce = json.loads(resp.context["fb_data"])["loginOptions"]["auth_nonce"]
+        nonce = resp.context["fb_data"]["loginOptions"]["auth_nonce"]
         with mocked_response(
             {"access_token": "app_token"},
             {

diff --git a/docs/conf.py b/docs/conf.py
@@ -53,9 +53,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = "0.63.5"
+version = "0.63.6"
 # The full version, including alpha/beta/rc tags.
-release = "0.63.5"
+release = "0.63.6"
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

diff --git a/examples/react-spa/backend/requirements.txt b/examples/react-spa/backend/requirements.txt
@@ -1,2 +1,2 @@
-django-allauth[mfa,socialaccount]>=0.63.5
+django-allauth[mfa,socialaccount]>=0.63.6
 qrcode >= 7.0.0
diff --git a/examples/regular-django/requirements.txt b/examples/regular-django/requirements.txt
@@ -1 +1 @@
-django-allauth[mfa,saml,socialaccount]>=0.63.5
+django-allauth[mfa,saml,socialaccount]>=0.63.6
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		django-allauth[mfa,saml,socialaccount]>=0.63.5
		django-allauth[mfa,saml,socialaccount]>=0.63.6