Fix XSS issues in default views #970

Merged
merged 3 commits into from May 25, 2017
+13 −3
@@ -21,7 +21,7 @@
</span>
<% if Doorkeeper.configuration.native_redirect_uri %>
<span class="help-block">
<%= raw t('doorkeeper.applications.help.native_redirect_uri', native_redirect_uri: "<code>#{ Doorkeeper.configuration.native_redirect_uri }</code>") %>
<%= raw t('doorkeeper.applications.help.native_redirect_uri', native_redirect_uri: content_tag(:code) { Doorkeeper.configuration.native_redirect_uri }) %>
</span>
<% end %>
</div>
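Review bot: the `raw` on the `+` line still marks the entire translated string as trusted markup; what changed is only that the interpolated value now goes through `content_tag(:code) { ... }`, which HTML-escapes the block's return value and hands back an html_safe fragment. That is enough here because `Doorkeeper.configuration.native_redirect_uri` is set in the host application's initializer, not by an OAuth client, but the more idiomatic Rails form is an `_html`-suffixed key (for example `doorkeeper.applications.help.native_redirect_uri_html`), which escapes interpolated values automatically and removes the need for `raw` at the call site altogether.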
@@ -4,7 +4,7 @@
<main role="main">
<p class="h4">
<%= raw t('.prompt', client_name: "<strong class=\"text-info\">#{ @pre_auth.client.name }</strong>") %>
<%= raw t('.prompt', client_name: content_tag(:strong, class: 'text-info') { @pre_auth.client.name }) %>
</p>
<% if @pre_auth.scopes.count > 0 %>
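Review bot: this is the hunk that carries the actual vulnerability fix. `@pre_auth.client.name` is chosen by whoever registers an OAuth application, and the `-` line interpolated it unescaped into a string that was then passed to `raw`, so a client name containing markup was rendered verbatim into the authorization prompt shown to every resource owner. `content_tag(:strong, class: 'text-info') { @pre_auth.client.name }` escapes the name and returns an html_safe fragment, so its interpolation into the `raw`'d translation is now safe. As with the first hunk, a `.prompt_html` key would let Rails escape the interpolation without `raw`; any remaining `raw t(...)` call in these views that interpolates a client-supplied value has the same shape and deserves the same look.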
@@ -1,9 +1,10 @@
require 'spec_helper_integration'
feature 'Authorization Code Flow Errors' do
let(:client_params) { {} }
background do
config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
client_exists
client_exists client_params
create_resource_owner
sign_in
end
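Review bot: with the default `let(:client_params) { {} }` the `background` block behaves exactly as before, so the existing scenarios in this file are unaffected and only the new context overrides the client attributes; the change is fine. Nit: `client_exists client_params` drops the parentheses while `config_is_set(...)` two lines above keeps them; `client_exists(client_params)` is consistent with the surrounding code.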
@@ -12,6 +13,15 @@
access_grant_should_not_exist
end
context "with a client trying to xss resource owner" do
let(:client_name) { "<div id='xss'>XSS</div>" }
let(:client_params) { { name: client_name } }
scenario "resource owner visit authorization endpoint" do
visit authorization_endpoint_url(client: @client)
expect(page).not_to have_css("#xss")
end
end
context 'when access was denied' do
scenario 'redirects with error' do
visit authorization_endpoint_url(client: @client)
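Review bot: the new scenario's only assertion is `expect(page).not_to have_css("#xss")`, which also passes if the client name is not rendered at all or the request ends on some other page, so on its own it does not show that the name was escaped. Add a positive check that the name reached the page as text, e.g. `expect(page).to have_content(client_name)`; Capybara's text matcher ignores markup, so it matches the escaped `&lt;div id='xss'&gt;XSS&lt;/div&gt;` only when it is rendered as literal text. Nit: the context description "with a client trying to xss resource owner" reads better as "with a client name containing HTML".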