From cacf6a653b16c0f5e31f6880a56381e0ae193493 Mon Sep 17 00:00:00 2001
From: Aaron Bishop <161021+irbishop@users.noreply.github.com>
Date: Fri, 10 Apr 2020 15:15:49 -0600
Subject: [PATCH] Fix XSS (CVE-2020-5497)
---
.../mitre/openid/connect/web/UserInfoInterceptor.java | 6 ++++--
.../src/main/webapp/WEB-INF/tags/topbar.tag | 11 ++++++-----
2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/web/UserInfoInterceptor.java b/openid-connect-common/src/main/java/org/mitre/openid/connect/web/UserInfoInterceptor.java
index ac7ab4107..8c6377c04 100644
--- a/openid-connect-common/src/main/java/org/mitre/openid/connect/web/UserInfoInterceptor.java
+++ b/openid-connect-common/src/main/java/org/mitre/openid/connect/web/UserInfoInterceptor.java
@@ -79,8 +79,9 @@ public class UserInfoInterceptor extends HandlerInterceptorAdapter {
// if they're logging into this server from a remote OIDC server, pass through their user info
OIDCAuthenticationToken oidc = (OIDCAuthenticationToken) auth;
if (oidc.getUserInfo() != null) {
+ JsonElement json = gson.fromJson(oidc.getUserInfo().toJson().toString(), JsonElement.class);
request.setAttribute("userInfo", oidc.getUserInfo());
- request.setAttribute("userInfoJson", oidc.getUserInfo().toJson());
+ request.setAttribute("userInfoJson", gson.toJson(json));
} else {
request.setAttribute("userInfo", null);
request.setAttribute("userInfoJson", "null");
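Review bot: The protection added on the `userInfoJson` line rests on a Gson setting that is not visible in this hunk: `gson.toJson(json)` turns `<`, `>`, `&`, `=` and `'` into `\u003c`-style escapes only while HTML escaping is enabled on the instance behind the `gson` field, which is declared outside the hunk, and a later `disableHtmlEscaping()` on that builder would silently bring the injection back. Since that escaping is presumably what keeps a crafted claim value from closing the `<script>` block in topbar.tag that embeds this attribute, the intent should be recorded next to the code, e.g. `// Re-serialize through Gson so <, >, & in claim values are emitted as unicode escapes; this is the CVE-2020-5497 fix and relies on Gson's HTML escaping staying enabled.` The enclosing method begins before this hunk.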
@@ -94,8 +95,9 @@ public class UserInfoInterceptor extends HandlerInterceptorAdapter {
// if we have one, inject it so views can use it
if (user != null) {
+ JsonElement json = gson.fromJson(user.toJson().toString(), JsonElement.class);
request.setAttribute("userInfo", user);
- request.setAttribute("userInfoJson", user.toJson());
+ request.setAttribute("userInfoJson", gson.toJson(json));
}
}
}
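Review bot: The parse-then-serialize roundtrip on the `JsonElement json` line duplicates the one in the previous hunk, and the `user.toJson().toString()` feeding `fromJson` suggests `toJson()` already returns a Gson element — if so, `gson.toJson(user.toJson())` escapes identically in one step without the string detour. Whether or not the intermediate parse is kept, the two sites should share a single private helper (say `escapedJson(UserInfo)`) carrying the one comment that explains the escaping, so the local-user and remote-OIDC paths cannot drift apart in a later edit. The enclosing method begins before this hunk; this inference about the return type of `toJson()` should be checked against `UserInfo`.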
diff --git a/openid-connect-server-webapp/src/main/webapp/WEB-INF/tags/topbar.tag b/openid-connect-server-webapp/src/main/webapp/WEB-INF/tags/topbar.tag
index 1bce4a1c5..847bc132c 100644
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/tags/topbar.tag
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/tags/topbar.tag
@@ -1,24 +1,25 @@
<%@attribute name="pageName" required="false"%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions"%>
<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags"%>
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags"%>
<%@ taglib prefix="o" tagdir="/WEB-INF/tags"%>
-
+
-
+
-
+
-
+
@@ -104,4 +105,4 @@
$('#logoutForm').submit();
});
});
-
\ No newline at end of file
+