From 5b5799ab62142a8d33fa40b9531919f7f2abd897 Mon Sep 17 00:00:00 2001
From: Olivier Dumont
Date: Tue, 30 Dec 2025 12:46:03 +0100
Subject: [PATCH] Fix XSS vulnerability: Escape user claims in HTML output

User claims from ID tokens (username, name, email) were directly interpolated into HTML without escaping, allowing XSS attacks if malicious content was present in claims.
This fix:
- Imports html module for escaping
- Escapes all user-controlled data before rendering in HTML
- Escapes JSON output in pre tags as well
- Prevents execution of malicious scripts in browser
---
 validation/oidc_whoami.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/validation/oidc_whoami.py b/validation/oidc_whoami.py
index 587e77f..29aabb8 100644
--- a/validation/oidc_whoami.py
+++ b/validation/oidc_whoami.py
@@ -2,6 +2,7 @@
 import os
 import sys
 import json
+import html
 import webbrowser
 import secrets
 import time
@@ -169,13 +170,13 @@ class CallbackHandler(BaseHTTPRequestHandler):

✅ Welcome back!

User Information

-

Username: {claims.get('preferred_username', claims.get('sub', 'N/A'))}

-

Name: {claims.get('name', 'N/A')}

-

Email: {claims.get('email', 'N/A')}

+

Username: {html.escape(str(claims.get('preferred_username', claims.get('sub', 'N/A'))))}

+

Name: {html.escape(str(claims.get('name', 'N/A')))}

+

Email: {html.escape(str(claims.get('email', 'N/A')))}


ID Token Claims:

-
{json.dumps(claims, indent=2)}
+
{html.escape(json.dumps(claims, indent=2))}
Logout
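Review bot: The four escaping call sites on the `Username:`, `Name:`, `Email:` and JSON `pre` lines each repeat `html.escape(str(...))` inline inside the f-string, which is easy to miss the next time a claim is added to the page; hoisting the escaped values into locals above the template (e.g. `username = html.escape(str(claims.get('preferred_username', claims.get('sub', 'N/A'))))`, and likewise `name` and `email`) keeps the template readable and makes an unescaped interpolation stand out in review. A one-line comment at the top of the template, `# every claim value is token-controlled: escape it before it reaches the HTML`, would record why the escaping is there. html.escape() with its default quote=True covers element text and quoted attribute values, which is where these values are placed here; it would not be sufficient if a claim were later interpolated into a script block or an unquoted attribute, so the template should keep them in element text. Whether the handler also sends `Content-Type: text/html; charset=utf-8` and whether other render paths in this handler (error pages, for instance) interpolate token- or query-derived data is outside the hunk and worth checking. The enclosing method of CallbackHandler starts before this hunk.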