fix: use text/plain for callback responses to prevent XSS

pcarleton · pcarleton · commit c34a01973623 · 2026-01-14T17:37:43.000Z
diff --git a/src/scenarios/server-auth/helpers/oauth-client.ts b/src/scenarios/server-auth/helpers/oauth-client.ts
@@ -325,30 +325,26 @@ export class ConformanceOAuthProvider implements OAuthClientProvider {
           const error = url.searchParams.get('error');
 
           if (error) {
-            res.writeHead(400, { 'Content-Type': 'text/html' });
-            res.end(
-              `<html><body><h1>Authorization Error</h1><p>${error}</p></body></html>`
-            );
+            res.writeHead(400, { 'Content-Type': 'text/plain' });
+            res.end(`Authorization Error: ${error}`);
             this._stopCallbackServer();
             reject(new Error(`Authorization error: ${error}`));
             return;
           }
 
           if (code) {
             this._authCode = code;
-            res.writeHead(200, { 'Content-Type': 'text/html' });
+            res.writeHead(200, { 'Content-Type': 'text/plain' });
             res.end(
-              `<html><body><h1>Authorization Successful!</h1><p>You can close this window and return to the terminal.</p></body></html>`
+              'Authorization successful! You can close this window and return to the terminal.'
             );
             this._stopCallbackServer();
             resolve();
             return;
           }
 
-          res.writeHead(400, { 'Content-Type': 'text/html' });
-          res.end(
-            `<html><body><h1>Missing Code</h1><p>No authorization code received.</p></body></html>`
-          );
+          res.writeHead(400, { 'Content-Type': 'text/plain' });
+          res.end('Missing authorization code');
         } else {
           res.writeHead(404);
           res.end('Not found');
