Merge pull request #3 from skip-pay/FixMSOXSSVulnerability

Formulka · web-flow · commit 8ce21b5a9c3c · 2023-05-16T13:51:02.000+02:00
fix MSO XSS vulnerability
diff --git a/auth_token/contrib/common/default/views.py b/auth_token/contrib/common/default/views.py
@@ -1,3 +1,5 @@
+from urllib.parse import quote_plus
+
 from django.contrib.auth.views import LoginView, LogoutView
 from django.utils.decorators import method_decorator
 from django.urls import reverse, NoReverseMatch
@@ -40,7 +42,7 @@ def _get_sso_login_methods(self):
             return [
                 {
                     'name': 'microsoft',
-                    'url': f'{reverse("ms-sso-login")}?next={self.request.GET.get("next", "/")}',
+                    'url': f'{reverse("ms-sso-login")}?next={quote_plus(self.request.GET.get("next", "/"), safe="/")}',
                     'label': gettext('Continue with Microsoft account')
                 }
             ]

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+from urllib.parse import quote_plus`
	`2`	`+`
`1`	`3`	`from django.contrib.auth.views import LoginView, LogoutView`
`2`	`4`	`from django.utils.decorators import method_decorator`
`3`	`5`	`from django.urls import reverse, NoReverseMatch`
`@@ -40,7 +42,7 @@ def _get_sso_login_methods(self):`
`40`	`42`	`return [`
`41`	`43`	`{`
`42`	`44`	`'name': 'microsoft',`
`43`		`- 'url': f'{reverse("ms-sso-login")}?next={self.request.GET.get("next", "/")}',`
	`45`	`+ 'url': f'{reverse("ms-sso-login")}?next={quote_plus(self.request.GET.get("next", "/"), safe="/")}',`
`44`	`46`	`'label': gettext('Continue with Microsoft account')`
`45`	`47`	`}`
`46`	`48`	`]`