DefaultLoginPageGeneratingFilter escapes OAuth2 ClientRegistrations
Fixes gh-5394
This commit is contained in:
parent
b3ca598679
commit
48ef7c966d
|
@ -22,6 +22,7 @@ import org.springframework.security.web.authentication.UsernamePasswordAuthentic
|
||||||
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
|
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
|
||||||
import org.springframework.util.Assert;
|
import org.springframework.util.Assert;
|
||||||
import org.springframework.web.filter.GenericFilterBean;
|
import org.springframework.web.filter.GenericFilterBean;
|
||||||
|
import org.springframework.web.util.HtmlUtils;
|
||||||
|
|
||||||
import javax.servlet.FilterChain;
|
import javax.servlet.FilterChain;
|
||||||
import javax.servlet.ServletException;
|
import javax.servlet.ServletException;
|
||||||
|
@ -286,7 +287,7 @@ public class DefaultLoginPageGeneratingFilter extends GenericFilterBean {
|
||||||
for (Map.Entry<String, String> clientAuthenticationUrlToClientName : oauth2AuthenticationUrlToClientName.entrySet()) {
|
for (Map.Entry<String, String> clientAuthenticationUrlToClientName : oauth2AuthenticationUrlToClientName.entrySet()) {
|
||||||
sb.append(" <tr><td>");
|
sb.append(" <tr><td>");
|
||||||
sb.append("<a href=\"").append(request.getContextPath()).append(clientAuthenticationUrlToClientName.getKey()).append("\">");
|
sb.append("<a href=\"").append(request.getContextPath()).append(clientAuthenticationUrlToClientName.getKey()).append("\">");
|
||||||
sb.append(clientAuthenticationUrlToClientName.getValue());
|
sb.append(HtmlUtils.htmlEscape(clientAuthenticationUrlToClientName.getValue(), "UTF-8"));
|
||||||
sb.append("</a>");
|
sb.append("</a>");
|
||||||
sb.append("</td></tr>\n");
|
sb.append("</td></tr>\n");
|
||||||
}
|
}
|
||||||
|
|
|
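Review bot: The `href` attribute built on the line `sb.append("<a href=\"").append(request.getContextPath()).append(clientAuthenticationUrlToClientName.getKey()).append("\">")` still inserts the map key unescaped, while only the value is now passed through `HtmlUtils.htmlEscape`. Both key and value come from the same caller-supplied map (the public `setOauth2AuthenticationUrlToClientName` setter, as the new test shows), so a key containing `"` or `&` would still not be rendered as a well-formed attribute value. Escaping the key the same way keeps the markup consistent: `.append(HtmlUtils.htmlEscape(clientAuthenticationUrlToClientName.getKey(), "UTF-8"))`. The enclosing method starts and ends outside the hunk, so I cannot tell whether the keys are validated before they reach this loop.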
@ -15,6 +15,16 @@
|
||||||
*/
|
*/
|
||||||
package org.springframework.security.web.authentication;
|
package org.springframework.security.web.authentication;
|
||||||
|
|
||||||
|
import static org.assertj.core.api.Assertions.assertThat;
|
||||||
|
import static org.mockito.Mockito.mock;
|
||||||
|
|
||||||
|
import java.util.Collections;
|
||||||
|
import java.util.Locale;
|
||||||
|
|
||||||
|
import javax.servlet.FilterChain;
|
||||||
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
import javax.servlet.http.HttpServletResponse;
|
||||||
|
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
import org.springframework.context.support.MessageSourceAccessor;
|
import org.springframework.context.support.MessageSourceAccessor;
|
||||||
import org.springframework.mock.web.MockHttpServletRequest;
|
import org.springframework.mock.web.MockHttpServletRequest;
|
||||||
|
@ -26,15 +36,6 @@ import org.springframework.security.core.SpringSecurityMessageSource;
|
||||||
import org.springframework.security.web.WebAttributes;
|
import org.springframework.security.web.WebAttributes;
|
||||||
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
|
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
|
||||||
|
|
||||||
import javax.servlet.FilterChain;
|
|
||||||
import javax.servlet.http.HttpServletRequest;
|
|
||||||
import javax.servlet.http.HttpServletResponse;
|
|
||||||
import java.util.Collections;
|
|
||||||
import java.util.Locale;
|
|
||||||
|
|
||||||
import static org.assertj.core.api.Assertions.assertThat;
|
|
||||||
import static org.mockito.Mockito.mock;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
* @author Luke Taylor
|
* @author Luke Taylor
|
||||||
|
@ -187,4 +188,21 @@ public class DefaultLoginPageGeneratingFilterTests {
|
||||||
|
|
||||||
filter.doFilter(request, new MockHttpServletResponse(), chain);
|
filter.doFilter(request, new MockHttpServletResponse(), chain);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// gh-5394
|
||||||
|
@Test
|
||||||
|
public void generatesForOAuth2LoginAndEscapesClientName() throws Exception {
|
||||||
|
DefaultLoginPageGeneratingFilter filter = new DefaultLoginPageGeneratingFilter();
|
||||||
|
filter.setLoginPageUrl(DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL);
|
||||||
|
filter.setOauth2LoginEnabled(true);
|
||||||
|
|
||||||
|
String clientName = "Google < > \" \' &";
|
||||||
|
filter.setOauth2AuthenticationUrlToClientName(
|
||||||
|
Collections.singletonMap("/oauth2/authorization/google", clientName));
|
||||||
|
|
||||||
|
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||||
|
filter.doFilter(new MockHttpServletRequest("GET", "/login"), response, chain);
|
||||||
|
|
||||||
|
assertThat(response.getContentAsString()).contains("<a href=\"/oauth2/authorization/google\">Google < > " ' &</a>");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
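Review bot: The new `generatesForOAuth2LoginAndEscapesClientName` test only checks that the escaped string is present; it never asserts that the raw client name is absent, so a regression that emitted both the escaped and the unescaped form would still pass. Adding `assertThat(response.getContentAsString()).doesNotContain(clientName);` after the existing assertion pins the intent of gh-5394 more tightly. The test also covers only the value side of the map; the key `/oauth2/authorization/google` contains nothing that needs escaping, so the `href` path is not exercised. Minor style point: `\'` inside a double-quoted Java string is an unnecessary escape; `'` alone is equivalent.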