
Commit b4b8bfc

authored
Fix S360 warning 'Cross-site scripting vulnerability due to user-provided value' (#566)
1 parent 4900473 commit b4b8bfc


1 file changed

+2
-1
lines changed

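--- a/apps/internal/local/server.go
+++ b/apps/internal/local/server.go
@@ -143,9 +143,10 @@ func (s *Server) handler(w http.ResponseWriter, r *http.Request) {
 headerErr := q.Get("error")
 if headerErr != "" {
 desc := html.EscapeString(q.Get("error_description"))
+escapedHeaderErr := html.EscapeString(headerErr)
 // Note: It is a little weird we handle some errors by not going to the failPage. If they all should,
 // change this to s.error() and make s.error() write the failPage instead of an error code.
-_, _ = w.Write([]byte(fmt.Sprintf(failPage, headerErr, desc)))
+_, _ = w.Write([]byte(fmt.Sprintf(failPage, escapedHeaderErr, desc)))
 s.putResult(Result{Err: fmt.Errorf("%s", desc)})
 
 return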
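Review bot: Escaping is applied where each query value is read rather than where the page is rendered, so `desc` reaches `s.putResult(Result{Err: fmt.Errorf("%s", desc)})` already HTML-escaped and the caller's error text carries entities such as `&#39;`, while `headerErr` needed this separate fix because nothing tied escaping to the `fmt.Sprintf(failPage, ...)` call. Keeping both values raw and escaping only at the sink makes a missed value harder to overlook: `desc := q.Get("error_description")` and `_, _ = w.Write([]byte(fmt.Sprintf(failPage, html.EscapeString(headerErr), html.EscapeString(desc))))`. `html.EscapeString` is only sufficient if both placeholders in `failPage` sit in HTML text or quoted-attribute positions; `failPage` is defined outside this hunk, so that is worth confirming, and `html/template` would apply context-aware escaping automatically. The body of `handler` starts and ends outside the hunk.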
