security: fix XSS vulnerability with embedded HTML templates

Move OAuth callback HTML pages to embedded template files and use
html/template which auto-escapes all template variables by default.

- Add internal/oauth/templates/error.html for authorization failures
- Add internal/oauth/templates/success.html for successful auth
- Use embed.FS to embed templates at compile time
- html/template.Execute auto-escapes ErrorMessage, fixing XSS

The error message from OAuth providers is now safely escaped before
being rendered in the HTML response, preventing reflected XSS attacks.

Author: SamMorrowDrums

internal/oauth/oauth.go

@@ -2,8 +2,10 @@ package oauth
 
 import (
 	"crypto/rand"
+	"embed"
 	"encoding/base64"
 	"fmt"
+	"html/template"
 	"io"
 	"net"
 	"net/http"
@@ -14,6 +16,26 @@ import (
 	"time"
 )
 
+//go:embed templates/*.html
+var templateFS embed.FS
+
+var (
+	errorTemplate   *template.Template
+	successTemplate *template.Template
+)
+
+func init() {
+	var err error
+	errorTemplate, err = template.ParseFS(templateFS, "templates/error.html")
+	if err != nil {
+		panic(fmt.Sprintf("failed to parse error template: %v", err))
+	}
+	successTemplate, err = template.ParseFS(templateFS, "templates/success.html")
+	if err != nil {
+		panic(fmt.Sprintf("failed to parse success template: %v", err))
+	}
+}
+
 const (
 	// DefaultAuthTimeout is the default timeout for the OAuth authorization flow
 	DefaultAuthTimeout = 5 * time.Minute
@@ -95,70 +117,10 @@ func createCallbackHandler(expectedState string, codeChan chan<- string, errChan
 			errChan <- fmt.Errorf("authorization failed: %s", errMsg)
 
 			w.Header().Set("Content-Type", "text/html; charset=utf-8")
-			fmt.Fprintf(w, `<!DOCTYPE html>
-<html>
-<head>
-<meta charset="utf-8">
-<title>Authorization Failed</title>
-<style>
-body {
-  font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Noto Sans", Helvetica, Arial, sans-serif;
-  background: linear-gradient(135deg, #0d1117 0%%, #161b22 100%%);
-  color: #e6edf3;
-  min-height: 100vh;
-  margin: 0;
-  display: flex;
-  align-items: center;
-  justify-content: center;
-}
-.container {
-  text-align: center;
-  padding: 48px;
-  background: #21262d;
-  border-radius: 12px;
-  border: 1px solid #30363d;
-  box-shadow: 0 8px 24px rgba(0,0,0,0.4);
-  max-width: 400px;
-}
-.icon {
-  width: 64px;
-  height: 64px;
-  margin-bottom: 24px;
-}
-h1 {
-  color: #f85149;
-  font-size: 24px;
-  font-weight: 600;
-  margin: 0 0 16px 0;
-}
-p {
-  color: #8b949e;
-  margin: 8px 0;
-  line-height: 1.5;
-}
-.error {
-  background: #21262d;
-  border: 1px solid #f8514966;
-  border-radius: 6px;
-  padding: 12px;
-  margin-top: 16px;
-  font-family: monospace;
-  font-size: 13px;
-  color: #f85149;
-}
-</style>
-</head>
-<body>
-<div class="container">
-<svg class="icon" viewBox="0 0 24 24" fill="#e6edf3">
-<path d="M12 0C5.37 0 0 5.37 0 12c0 5.31 3.435 9.795 8.205 11.385.6.105.825-.255.825-.57 0-.285-.015-1.23-.015-2.235-3.015.555-3.795-.735-4.035-1.41-.135-.345-.72-1.41-1.23-1.695-.42-.225-1.02-.78-.015-.795.945-.015 1.62.87 1.845 1.23 1.08 1.815 2.805 1.305 3.495.99.105-.78.42-1.305.765-1.605-2.67-.3-5.46-1.335-5.46-5.925 0-1.305.465-2.385 1.23-3.225-.12-.3-.54-1.53.12-3.18 0 0 1.005-.315 3.3 1.23.96-.27 1.98-.405 3-.405s2.04.135 3 .405c2.295-1.56 3.3-1.23 3.3-1.23.66 1.65.24 2.88.12 3.18.765.84 1.23 1.905 1.23 3.225 0 4.605-2.805 5.625-5.475 5.925.435.375.81 1.095.81 2.22 0 1.605-.015 2.895-.015 3.3 0 .315.225.69.825.57A12.02 12.02 0 0024 12c0-6.63-5.37-12-12-12z"/>
-</svg>
-<h1>Authorization Failed</h1>
-<p class="error">%s</p>
-<p>You can close this window.</p>
-</div>
-</body>
-</html>`, errMsg)
+			// html/template auto-escapes ErrorMessage to prevent XSS
+			if err := errorTemplate.Execute(w, struct{ ErrorMessage string }{ErrorMessage: errMsg}); err != nil {
+				http.Error(w, "Internal error", http.StatusInternalServerError)
+			}
 			return
 		}
 
@@ -182,69 +144,9 @@ p {
 
 		// Display success page
 		w.Header().Set("Content-Type", "text/html; charset=utf-8")
-		fmt.Fprint(w, `<!DOCTYPE html>
-<html>
-<head>
-<meta charset="utf-8">
-<title>Authorization Successful</title>
-<style>
-body {
-  font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Noto Sans", Helvetica, Arial, sans-serif;
-  background: linear-gradient(135deg, #0d1117 0%, #161b22 100%);
-  color: #e6edf3;
-  min-height: 100vh;
-  margin: 0;
-  display: flex;
-  align-items: center;
-  justify-content: center;
-}
-.container {
-  text-align: center;
-  padding: 48px;
-  background: #21262d;
-  border-radius: 12px;
-  border: 1px solid #30363d;
-  box-shadow: 0 8px 24px rgba(0,0,0,0.4);
-  max-width: 400px;
-}
-.icon {
-  width: 64px;
-  height: 64px;
-  margin-bottom: 24px;
-}
-h1 {
-  color: #3fb950;
-  font-size: 24px;
-  font-weight: 600;
-  margin: 0 0 16px 0;
-}
-p {
-  color: #8b949e;
-  margin: 8px 0;
-  line-height: 1.5;
-}
-.hint {
-  margin-top: 24px;
-  padding: 12px;
-  background: #161b22;
-  border-radius: 6px;
-  font-size: 14px;
-}
-</style>
-</head>
-<body>
-<div class="container">
-<svg class="icon" viewBox="0 0 24 24" fill="#e6edf3">
-<path d="M12 0C5.37 0 0 5.37 0 12c0 5.31 3.435 9.795 8.205 11.385.6.105.825-.255.825-.57 0-.285-.015-1.23-.015-2.235-3.015.555-3.795-.735-4.035-1.41-.135-.345-.72-1.41-1.23-1.695-.42-.225-1.02-.78-.015-.795.945-.015 1.62.87 1.845 1.23 1.08 1.815 2.805 1.305 3.495.99.105-.78.42-1.305.765-1.605-2.67-.3-5.46-1.335-5.46-5.925 0-1.305.465-2.385 1.23-3.225-.12-.3-.54-1.53.12-3.18 0 0 1.005-.315 3.3 1.23.96-.27 1.98-.405 3-.405s2.04.135 3 .405c2.295-1.56 3.3-1.23 3.3-1.23.66 1.65.24 2.88.12 3.18.765.84 1.23 1.905 1.23 3.225 0 4.605-2.805 5.625-5.475 5.925.435.375.81 1.095.81 2.22 0 1.605-.015 2.895-.015 3.3 0 .315.225.69.825.57A12.02 12.02 0 0024 12c0-6.63-5.37-12-12-12z"/>
-</svg>
-<h1>Authorization Successful</h1>
-<p>You have successfully authorized the GitHub MCP Server.</p>
-<div class="hint">
-<p>You can close this window and retry your request.</p>
-</div>
-</div>
-</body>
-</html>`)
+		if err := successTemplate.Execute(w, nil); err != nil {
+			http.Error(w, "Internal error", http.StatusInternalServerError)
+		}
 	})
 
 	return mux

internal/oauth/templates/error.html

@@ -0,0 +1,64 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+<title>Authorization Failed</title>
+<style>
+body {
+  font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Noto Sans", Helvetica, Arial, sans-serif;
+  background: linear-gradient(135deg, #0d1117 0%, #161b22 100%);
+  color: #e6edf3;
+  min-height: 100vh;
+  margin: 0;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+}
+.container {
+  text-align: center;
+  padding: 48px;
+  background: #21262d;
+  border-radius: 12px;
+  border: 1px solid #30363d;
+  box-shadow: 0 8px 24px rgba(0,0,0,0.4);
+  max-width: 400px;
+}
+.icon {
+  width: 64px;
+  height: 64px;
+  margin-bottom: 24px;
+}
+h1 {
+  color: #f85149;
+  font-size: 24px;
+  font-weight: 600;
+  margin: 0 0 16px 0;
+}
+p {
+  color: #8b949e;
+  margin: 8px 0;
+  line-height: 1.5;
+}
+.error {
+  background: #21262d;
+  border: 1px solid #f8514966;
+  border-radius: 6px;
+  padding: 12px;
+  margin-top: 16px;
+  font-family: monospace;
+  font-size: 13px;
+  color: #f85149;
+}
+</style>
+</head>
+<body>
+<div class="container">
+<svg class="icon" viewBox="0 0 24 24" fill="#e6edf3">
+<path d="M12 0C5.37 0 0 5.37 0 12c0 5.31 3.435 9.795 8.205 11.385.6.105.825-.255.825-.57 0-.285-.015-1.23-.015-2.235-3.015.555-3.795-.735-4.035-1.41-.135-.345-.72-1.41-1.23-1.695-.42-.225-1.02-.78-.015-.795.945-.015 1.62.87 1.845 1.23 1.08 1.815 2.805 1.305 3.495.99.105-.78.42-1.305.765-1.605-2.67-.3-5.46-1.335-5.46-5.925 0-1.305.465-2.385 1.23-3.225-.12-.3-.54-1.53.12-3.18 0 0 1.005-.315 3.3 1.23.96-.27 1.98-.405 3-.405s2.04.135 3 .405c2.295-1.56 3.3-1.23 3.3-1.23.66 1.65.24 2.88.12 3.18.765.84 1.23 1.905 1.23 3.225 0 4.605-2.805 5.625-5.475 5.925.435.375.81 1.095.81 2.22 0 1.605-.015 2.895-.015 3.3 0 .315.225.69.825.57A12.02 12.02 0 0024 12c0-6.63-5.37-12-12-12z"/>
+</svg>
+<h1>Authorization Failed</h1>
+<p class="error">{{.ErrorMessage}}</p>
+<p>You can close this window.</p>
+</div>
+</body>
+</html>

internal/oauth/templates/success.html

@@ -0,0 +1,63 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+<title>Authorization Successful</title>
+<style>
+body {
+  font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Noto Sans", Helvetica, Arial, sans-serif;
+  background: linear-gradient(135deg, #0d1117 0%, #161b22 100%);
+  color: #e6edf3;
+  min-height: 100vh;
+  margin: 0;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+}
+.container {
+  text-align: center;
+  padding: 48px;
+  background: #21262d;
+  border-radius: 12px;
+  border: 1px solid #30363d;
+  box-shadow: 0 8px 24px rgba(0,0,0,0.4);
+  max-width: 400px;
+}
+.icon {
+  width: 64px;
+  height: 64px;
+  margin-bottom: 24px;
+}
+h1 {
+  color: #3fb950;
+  font-size: 24px;
+  font-weight: 600;
+  margin: 0 0 16px 0;
+}
+p {
+  color: #8b949e;
+  margin: 8px 0;
+  line-height: 1.5;
+}
+.hint {
+  margin-top: 24px;
+  padding: 12px;
+  background: #161b22;
+  border-radius: 6px;
+  font-size: 14px;
+}
+</style>
+</head>
+<body>
+<div class="container">
+<svg class="icon" viewBox="0 0 24 24" fill="#e6edf3">
+<path d="M12 0C5.37 0 0 5.37 0 12c0 5.31 3.435 9.795 8.205 11.385.6.105.825-.255.825-.57 0-.285-.015-1.23-.015-2.235-3.015.555-3.795-.735-4.035-1.41-.135-.345-.72-1.41-1.23-1.695-.42-.225-1.02-.78-.015-.795.945-.015 1.62.87 1.845 1.23 1.08 1.815 2.805 1.305 3.495.99.105-.78.42-1.305.765-1.605-2.67-.3-5.46-1.335-5.46-5.925 0-1.305.465-2.385 1.23-3.225-.12-.3-.54-1.53.12-3.18 0 0 1.005-.315 3.3 1.23.96-.27 1.98-.405 3-.405s2.04.135 3 .405c2.295-1.56 3.3-1.23 3.3-1.23.66 1.65.24 2.88.12 3.18.765.84 1.23 1.905 1.23 3.225 0 4.605-2.805 5.625-5.475 5.925.435.375.81 1.095.81 2.22 0 1.605-.015 2.895-.015 3.3 0 .315.225.69.825.57A12.02 12.02 0 0024 12c0-6.63-5.37-12-12-12z"/>
+</svg>
+<h1>Authorization Successful</h1>
+<p>You have successfully authorized the GitHub MCP Server.</p>
+<div class="hint">
+<p>You can close this window and retry your request.</p>
+</div>
+</div>
+</body>
+</html>