sanitize site as well, just in case

go-pkgz · Jun 3, 2022 · 435445a · 435445a
1 parent 13685c8
commit 435445a
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/provider/verify.go b/provider/verify.go
@@ -150,7 +150,7 @@ func (e VerifyHandler) sendConfirmation(w http.ResponseWriter, r *http.Request)
 		},
 		SessionOnly: r.URL.Query().Get("session") != "" && r.URL.Query().Get("session") != "0",
 		StandardClaims: jwt.StandardClaims{
-			Audience:  r.URL.Query().Get("site"),
+			Audience:  e.sanitize(r.URL.Query().Get("site")),
 			ExpiresAt: time.Now().Add(30 * time.Minute).Unix(),
 			NotBefore: time.Now().Add(-1 * time.Minute).Unix(),
 			Issuer:    e.Issuer,