Add HTML/JS escaping #615

Closed
meder opened this Issue Jun 12, 2012 · 1 comment
meder commented Jun 12, 2012

Code in question: https://github.com/intridea/omniauth/blob/master/lib/omniauth/strategy.rb#L437

Both calls to r.write() should JS- and HTML-escape the 'url' parameter to avoid XSS.

def redirect(uri)
  r = Rack::Response.new

  if options[:iframe]
    # uri is interpolated raw into a JavaScript string literal
    r.write("<script type='text/javascript' charset='utf-8'>top.location.href = '#{uri}';</script>")
  else
    # uri is interpolated raw into the HTML body
    r.write("Redirecting to #{uri}...")
    r.redirect(uri)
  end

  r.finish
end
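As an added example (not omniauth's code and not part of the issue), the quoted redirect rewritten so that each interpolation is escaped for its own context: a `\uXXXX` escaper for the JavaScript string literal and `ERB::Util.html_escape` for the HTML body. The probe URI is constructed, and `Rack::Response` is left out so the snippet runs with only the standard library.

```ruby
require 'erb'

# Escape a value for use inside a single- or double-quoted JavaScript string
# literal. Every character that could end the literal, end the enclosing
# <script> element, or break the line is emitted as a \uXXXX escape, so the
# value can never leave the quotes or the script block.
def js_string_escape(str)
  str.gsub(/[\\'"<>&\r\n\u2028\u2029]/) { |c| format('\\u%04x', c.ord) }
end

# Form quoted in the issue: uri lands raw in both the JS literal and the HTML.
def render_redirect_unescaped(uri, iframe: false)
  if iframe
    "<script type='text/javascript' charset='utf-8'>top.location.href = '#{uri}';</script>"
  else
    "Redirecting to #{uri}..."
  end
end

# Hardened form: JS-string escaping inside the script, HTML escaping in the body.
def render_redirect_escaped(uri, iframe: false)
  if iframe
    "<script type='text/javascript' charset='utf-8'>top.location.href = '#{js_string_escape(uri)}';</script>"
  else
    "Redirecting to #{ERB::Util.html_escape(uri)}..."
  end
end

# Constructed probe: a URI carrying a quote, markup and an ampersand.
PROBE_URI = "http://example.com/?q='<b>hi</b>&r=1"

if __FILE__ == $0
  puts render_redirect_unescaped(PROBE_URI, iframe: true) # raw markup reaches the page
  puts render_redirect_escaped(PROBE_URI, iframe: true)   # \u0027\u003cb\u003e... instead
  puts render_redirect_escaped(PROBE_URI)                 # &#39;&lt;b&gt;hi&lt;/b&gt;&amp;r=1
end
```

Escaping both contexts costs nothing and keeps the output safe even if a future caller passes a URI derived from request data.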
tmilewski (Owner) commented Sep 6, 2013

The redirect URI is set by your application and not an external source. Therefore, this isn't really an issue.

Thanks though!

@tmilewski tmilewski closed this Sep 6, 2013
