1.6.0rc4: apply html encoding to error display

Author: Hans Zandbelt

ChangeLog

@@ -1,3 +1,7 @@
+10/6/2014
+- apply html encoding to error display
+- bump version number to 1.6.0rc4
+
 10/2/2014
 - avoid crash when downloading metadata from OIDCProviderMetadataURL fails
 - set OIDCProviderMetadataURL retrieval interval to 24 hours

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[1.6.0rc3],[[email protected]])
+AC_INIT([mod_auth_openidc],[1.6.0rc4],[[email protected]])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

src/mod_auth_openidc.h

@@ -368,6 +368,7 @@ apr_byte_t oidc_util_spaced_string_equals(apr_pool_t *pool, const char *a, const
 apr_byte_t oidc_util_spaced_string_contains(apr_pool_t *pool, const char *response_type, const char *match);
 apr_byte_t oidc_json_object_get_string(apr_pool_t *pool, json_t *json, const char *name, char **value, const char *default_value);
 apr_byte_t oidc_json_object_get_int(apr_pool_t *pool, json_t *json, const char *name, int *value, const int default_value);
+char *oidc_util_html_escape(apr_pool_t *pool, const char *input);
 
 // oidc_crypto.c
 unsigned char *oidc_crypto_aes_encrypt(request_rec *r, oidc_cfg *cfg, unsigned char *plaintext, int *len);

src/proto.c

@@ -72,14 +72,15 @@ int oidc_proto_authorization_request_post_preserve(request_rec *r,
 		return HTTP_INTERNAL_SERVER_ERROR;
 	}
 
-	// TODO: html encode names/values
 	const apr_array_header_t *arr = apr_table_elts(params);
 	const apr_table_entry_t *elts = (const apr_table_entry_t*) arr->elts;
 	int i;
 	char *json = "";
 	for (i = 0; i < arr->nelts; i++) {
-		json = apr_psprintf(r->pool, "%s'%s': '%s'%s", json, elts[i].key,
-				elts[i].val, i < arr->nelts - 1 ? "," : "");
+		json = apr_psprintf(r->pool, "%s'%s': '%s'%s", json,
+				oidc_util_html_escape(r->pool, elts[i].key),
+				oidc_util_html_escape(r->pool, elts[i].val),
+				i < arr->nelts - 1 ? "," : "");
 	}
 	json = apr_psprintf(r->pool, "{ %s }", json);
 

src/util.c

@@ -266,6 +266,36 @@ char *oidc_util_unescape_string(const request_rec *r, const char *str) {
 	return rv;
 }
 
+/*
+ * HTML escape a string
+ */
+char *oidc_util_html_escape(apr_pool_t *pool, const char *s) {
+	const char chars[6] = { '&', '\'', '\"', '>', '<', '\0' };
+	const char * const replace[] =
+	{ "&amp;", "&apos;", "&quot;", "&gt;", "&lt;", };
+	unsigned int i, j = 0, k, n = 0, len = strlen(chars);
+	int m = 0;
+	char *r = apr_pcalloc(pool, strlen(s) * 6);
+	for (i = 0; i < strlen(s); i++) {
+		for (n = 0; n < len; n++) {
+			if (s[i] == chars[n]) {
+				m = strlen(replace[n]);
+				for (k = 0; k < m; k++)
+					r[j + k] = replace[n][k];
+				j += m;
+				break;
+			}
+		}
+		if (n == len) {
+			r[j] = s[i];
+			j++;
+		}
+	}
+	r[j] = '\0';
+	return apr_pstrdup(pool, r);
+}
+
+
 /*
  * get the URL scheme that is currently being accessed
  */
@@ -1036,17 +1066,20 @@ apr_byte_t oidc_util_issuer_match(const char *a, const char *b) {
  */
 int oidc_util_html_send_error(request_rec *r, const char *error,
 		const char *description, int status_code) {
-	char *msg = "<p>the OpenID Connect Provider returned an error:</p><p>";
+	char *msg =
+			"<html><body><p>the OpenID Connect Provider returned an error:</p>";
 
 	if (error != NULL) {
 		msg = apr_psprintf(r->pool, "%s<p>Error: <pre>%s</pre></p>", msg,
-				error);
+				oidc_util_html_escape(r->pool, error));
 	}
 	if (description != NULL) {
 		msg = apr_psprintf(r->pool, "%s<p>Description: <pre>%s</pre></p>", msg,
-				description);
+				oidc_util_html_escape(r->pool, description));
 	}
 
+	msg = apr_psprintf(r->pool, "%s</body></html>", msg);
+
 	return oidc_util_html_send(r, msg, status_code);
 }