fix(oxauth): prevent rxss #1923 (#1924)

common/src/main/java/org/gluu/oxauth/util/RedirectUri.java

@@ -6,6 +6,12 @@
 
 package org.gluu.oxauth.util;
 
+import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.lang.StringUtils;
+import org.gluu.oxauth.model.common.ResponseMode;
+import org.gluu.oxauth.model.common.ResponseType;
+import org.gluu.oxauth.model.util.Util;
+
 import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;
 import java.net.URLEncoder;
@@ -14,12 +20,6 @@
 import java.util.Map;
 import java.util.StringTokenizer;
 
-import org.apache.commons.lang.StringEscapeUtils;
-import org.apache.commons.lang.StringUtils;
-import org.gluu.oxauth.model.common.ResponseMode;
-import org.gluu.oxauth.model.common.ResponseType;
-import org.gluu.oxauth.model.util.Util;
-
 /**
  * @author Javier Rojas Blum
  * @version October 7, 2019
@@ -150,11 +150,12 @@ public String toString() {
                 sb.append("<html>");
                 sb.append("<head><title>oxAuth - Submit This Form</title></head>");
                 sb.append("<body onload=\"javascript:document.forms[0].submit()\">");
-                //sb.append("<body>");
+
                 sb.append("<form method=\"post\" action=\"").append(baseRedirectUri).append("\">");
                 for (Map.Entry<String, String> entry : responseParameters.entrySet()) {
+                    String entryKey = StringEscapeUtils.escapeHtml(entry.getKey());
                     String entryValue = StringEscapeUtils.escapeHtml(entry.getValue());
-                    sb.append("<input type=\"hidden\" name=\"").append(entry.getKey()).append("\" value=\"").append(entryValue).append("\"/>");
+                    sb.append("<input type=\"hidden\" name=\"").append(entryKey).append("\" value=\"").append(entryValue).append("\"/>");
                 }
                 sb.append("</form>");
                 sb.append("</body>");

common/src/test/java/org/gluu/oxauth/util/RedirectUriTest.java

@@ -0,0 +1,25 @@
+package org.gluu.oxauth.util;
+
+import org.gluu.oxauth.model.common.ResponseMode;
+import org.gluu.oxauth.model.common.ResponseType;
+import org.testng.annotations.Test;
+
+import java.util.Collections;
+
+import static org.testng.AssertJUnit.assertFalse;
+
+/**
+ * @author Yuriy Z
+ */
+public class RedirectUriTest {
+
+    @Test
+    public void html_forFormPostWithRxssAttack_shouldEscapeInjectedScript() {
+        RedirectUri redirectUri = new RedirectUri("https://yuriyz-kind-honeybee.gluu.info/identity/authcode.htm", Collections.singletonList(ResponseType.CODE), ResponseMode.FORM_POST);
+        redirectUri.parseQueryString("https://yuriyz-kind-honeybee.gluu.info/oxauth/restv1/authorize?client_id=1001.9a0d0cdb-8fe5-4239-a459-e7cf9cb9fe34&redirect_uri=https%3A%2F%2Fyuriyz-kind-honeybee.gluu.info%2Fidentity%2Fauthcode.htm&response_mode=form_post&state=http://aaa&foo\"><script>alert(location.href)</script>");
+        final String html = redirectUri.toString();
+
+        assertFalse(html.contains("<script>"));
+        assertFalse(html.contains("</script>"));
+    }
+}

common/src/test/resources/testng.xml

@@ -6,4 +6,9 @@
             <class name="org.gluu.oxauth.claims.AudienceTest"/>
         </classes>
     </test>
+    <test name="RedirectUri Tests" enabled="true">
+        <classes>
+            <class name="org.gluu.oxauth.util.RedirectUriTest"/>
+        </classes>
+    </test>
 </suite>