googleapis · theacodes · May 9, 2017 · Apr 19, 2017
diff --git a/oauth2client/contrib/flask_util.py b/oauth2client/contrib/flask_util.py
@@ -176,6 +176,7 @@ def requires_calendar():
     from flask import request
     from flask import session
     from flask import url_for
+    import markupsafe
 except ImportError:  # pragma: NO COVER
     raise ImportError('The flask utilities require flask 0.9 or newer.')
 
@@ -388,6 +389,7 @@ def callback_view(self):
         if 'error' in request.args:
             reason = request.args.get(
                 'error_description', request.args.get('error', ''))
+            reason = markupsafe.escape(reason)
             return ('Authorization failed: {0}'.format(reason),
                     httplib.BAD_REQUEST)
 

diff --git a/tests/contrib/test_flask_util.py b/tests/contrib/test_flask_util.py
@@ -258,6 +258,18 @@ def test_callback_view_errors(self):
             self.assertEqual(response.status_code, httplib.BAD_REQUEST)
             self.assertIn('something', response.data.decode('utf-8'))
 
+        # Error supplied to callback with html
+        with self.app.test_client() as client:
+            with client.session_transaction() as session:
+                session['google_oauth2_csrf_token'] = 'tokenz'
+
+            response = client.get(
+                '/oauth2callback?state={}&error=<script>something<script>')
+            self.assertEqual(response.status_code, httplib.BAD_REQUEST)
+            self.assertIn(
+                '&lt;script&gt;something&lt;script&gt;',
+                response.data.decode('utf-8'))
+
         # CSRF mismatch
         with self.app.test_client() as client:
             with client.session_transaction() as session: