fix(facebook): Use json_script to encode settings

pennersr · pennersr · commit 8fead343c1d3 · 2024-07-12T22:44:45.000+02:00
diff --git a/ChangeLog.rst b/ChangeLog.rst
@@ -1,3 +1,13 @@
+0.63.6 (2024-07-12)
+*******************
+
+Security notice
+---------------
+
+- When the Facebook provider was configured to use the ``js_sdk`` method the
+  login page could become vulnerable to an XSS attack.
+
+
 0.63.5 (2024-07-11)
 *******************
 
diff --git a/allauth/__init__.py b/allauth/__init__.py
@@ -8,7 +8,7 @@
 
 """
 
-VERSION = (0, 63, 5, "final", 0)
+VERSION = (0, 63, 6, "final", 0)
 
 __title__ = "django-allauth"
 __version_info__ = VERSION
diff --git a/allauth/socialaccount/providers/facebook/provider.py b/allauth/socialaccount/providers/facebook/provider.py
@@ -1,4 +1,3 @@
-import json
 import requests
 import string
 from urllib.parse import quote
@@ -9,7 +8,6 @@
 from django.urls import reverse
 from django.utils.crypto import get_random_string
 from django.utils.html import escapejs
-from django.utils.safestring import mark_safe
 
 from allauth.account.models import EmailAddress
 from allauth.socialaccount.adapter import get_adapter
@@ -176,7 +174,7 @@ def abs_uri(name):
             "errorUrl": abs_uri("socialaccount_login_error"),
             "csrfToken": get_token(request),
         }
-        ctx = {"fb_data": mark_safe(json.dumps(fb_data))}
+        ctx = {"fb_data": fb_data}
         return render_to_string("facebook/fbconnect.html", ctx, request=request)
 
     def get_nonce(self, request, or_create=False, pop=False):
diff --git a/allauth/socialaccount/providers/facebook/static/facebook/js/fbconnect.js b/allauth/socialaccount/providers/facebook/static/facebook/js/fbconnect.js
@@ -29,7 +29,7 @@
   }
 
   var allauth = window.allauth = window.allauth || {}
-  var fbSettings = JSON.parse(document.getElementById('allauth-facebook-settings').innerHTML)
+  const fbSettings = JSON.parse(document.getElementById('allauth-facebook-settings').textContent)
   var fbInitialized = false
 
   allauth.facebook = {
diff --git a/allauth/socialaccount/providers/facebook/templates/facebook/fbconnect.html b/allauth/socialaccount/providers/facebook/templates/facebook/fbconnect.html
@@ -1,4 +1,4 @@
 {% load static %}
 <div id="fb-root"></div>
-<script id="allauth-facebook-settings" type="application/json">{{ fb_data }}</script>
+{{ fb_data|json_script:"allauth-facebook-settings" }}
 <script type="text/javascript" src="{% static 'facebook/js/fbconnect.js' %}"></script>
diff --git a/allauth/socialaccount/providers/facebook/tests.py b/allauth/socialaccount/providers/facebook/tests.py
@@ -1,5 +1,3 @@
-import json
-
 from django.contrib.auth import get_user_model
 from django.test.client import RequestFactory
 from django.test.utils import override_settings
@@ -130,7 +128,7 @@ def test_login_by_token(self):
     )
     def test_login_by_token_reauthenticate(self):
         resp = self.client.get(reverse("account_login"))
-        nonce = json.loads(resp.context["fb_data"])["loginOptions"]["auth_nonce"]
+        nonce = resp.context["fb_data"]["loginOptions"]["auth_nonce"]
         with mocked_response(
             {"access_token": "app_token"},
             {
diff --git a/docs/conf.py b/docs/conf.py
@@ -53,9 +53,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = "0.63.5"
+version = "0.63.6"
 # The full version, including alpha/beta/rc tags.
-release = "0.63.5"
+release = "0.63.6"
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
diff --git a/examples/react-spa/backend/requirements.txt b/examples/react-spa/backend/requirements.txt
@@ -1,2 +1,2 @@
-django-allauth[mfa,socialaccount]>=0.63.5
+django-allauth[mfa,socialaccount]>=0.63.6
 qrcode >= 7.0.0
diff --git a/examples/regular-django/requirements.txt b/examples/regular-django/requirements.txt
@@ -1 +1 @@
-django-allauth[mfa,saml,socialaccount]>=0.63.5
+django-allauth[mfa,saml,socialaccount]>=0.63.6

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	`var allauth = window.allauth = window.allauth \|\| {}`
`32`		`- var fbSettings = JSON.parse(document.getElementById('allauth-facebook-settings').innerHTML)`
	`32`	`+ const fbSettings = JSON.parse(document.getElementById('allauth-facebook-settings').textContent)`
`33`	`33`	`var fbInitialized = false`
`34`	`34`
`35`	`35`	`allauth.facebook = {`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,3 @@`
`1`		`-import json`
`2`		`-`
`3`	`1`	`from django.contrib.auth import get_user_model`
`4`	`2`	`from django.test.client import RequestFactory`
`5`	`3`	`from django.test.utils import override_settings`
`@@ -130,7 +128,7 @@ def test_login_by_token(self):`
`130`	`128`	`)`
`131`	`129`	`def test_login_by_token_reauthenticate(self):`
`132`	`130`	`resp = self.client.get(reverse("account_login"))`
`133`		`- nonce = json.loads(resp.context["fb_data"])["loginOptions"]["auth_nonce"]`
	`131`	`+ nonce = resp.context["fb_data"]["loginOptions"]["auth_nonce"]`
`134`	`132`	`with mocked_response(`
`135`	`133`	`{"access_token": "app_token"},`
`136`	`134`	`{`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`		`-django-allauth[mfa,socialaccount]>=0.63.5`
	`1`	`+django-allauth[mfa,socialaccount]>=0.63.6`
`2`	`2`	`qrcode >= 7.0.0`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-django-allauth[mfa,saml,socialaccount]>=0.63.5`
	`1`	`+django-allauth[mfa,saml,socialaccount]>=0.63.6`