diff --git a/core/src/main/java/org/keycloak/util/HtmlUtils.java b/core/src/main/java/org/keycloak/util/HtmlUtils.java
new file mode 100644
index 0000000..7da97b7
--- /dev/null
+++ b/core/src/main/java/org/keycloak/util/HtmlUtils.java
@@ -0,0 +1,45 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.util;
+
+/**
+ * @author pedroigor
+ */
+public class HtmlUtils {
+
+ /**
+ * <p>Escapes the value for a HTML element attribute.</p>
+ *
+ * @param value
+ * @return
+ */
+ public static String escapeAttribute(String value) {
+ StringBuilder escaped = new StringBuilder();
+
+ for (int i = 0; i < value.length(); i++) {
+ char chr = value.charAt(i);
+
+ if (chr != '\'' && chr != '"' && chr != '<' && chr != '>' && chr != '/') {
+ escaped.append(chr);
+ }
+ }
+
+ return escaped.toString();
+ }
+
+}
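Review bot: escapeAttribute (L37–L49) does not escape, it deletes: every `'`, `"`, `<`, `>` and `/` is silently dropped from the value, so a RelayState that is a URL (`https://example.com/app`) reaches the posted form with its slashes removed and the relying party gets a corrupted value, while `&` passes through unchanged and can still be interpreted as an entity reference by the HTML parser. Replacing the characters with their entity references keeps the attribute unambiguous inside the double-quoted VALUE on the SAML2BindingBuilder side and lets the browser decode the original value back before it is posted. The Javadoc also has empty `@param value` and `@return` tags; suggest `@param value the raw attribute value, must not be null` and `@return the value with `&`, quotes, angle brackets and `/` replaced by HTML entity references`. A null argument throws NullPointerException at `value.length()`; the one visible caller guards with `isNotNull(relayState)`, but documenting that precondition with `@throws NullPointerException if value is null` would make the contract explicit.

```java
    public static String escapeAttribute(String value) {
        StringBuilder escaped = new StringBuilder(value.length());

        for (int i = 0; i < value.length(); i++) {
            char chr = value.charAt(i);

            switch (chr) {
                case '&':  escaped.append("&amp;");  break;
                case '"':  escaped.append("&quot;"); break;
                case '\'': escaped.append("&#39;");  break;
                case '<':  escaped.append("&lt;");   break;
                case '>':  escaped.append("&gt;");   break;
                case '/':  escaped.append("&#47;");  break;
                default:   escaped.append(chr);
            }
        }

        return escaped.toString();
    }
```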
diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2BindingBuilder.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2BindingBuilder.java
index dfefa05..84cf7ee 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2BindingBuilder.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2BindingBuilder.java
@@ -30,6 +30,7 @@ import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
+import static org.keycloak.util.HtmlUtils.escapeAttribute;
import static org.picketlink.common.util.StringUtil.isNotNull;
/**
@@ -37,6 +38,7 @@ import static org.picketlink.common.util.StringUtil.isNotNull;
* @version $Revision: 1 $
*/
public class SAML2BindingBuilder<T extends SAML2BindingBuilder> {
+
protected KeyPair signingKeyPair;
protected X509Certificate signingCertificate;
protected boolean sign;
@@ -323,7 +325,7 @@ public class SAML2BindingBuilder<T extends SAML2BindingBuilder> {
builder.append("<INPUT TYPE=\"HIDDEN\" NAME=\"" + key + "\"" + " VALUE=\"" + samlResponse + "\"/>");
if (isNotNull(relayState)) {
- builder.append("<INPUT TYPE=\"HIDDEN\" NAME=\"RelayState\" " + "VALUE=\"" + relayState + "\"/>");
+ builder.append("<INPUT TYPE=\"HIDDEN\" NAME=\"RelayState\" " + "VALUE=\"" + escapeAttribute(relayState) + "\"/>");
}
builder.append("<NOSCRIPT>");