Merge pull request #370 from IdentityPython/dev

fix: [Security] XSS in the idp url parameter

Author: Giuseppe De Marco

djangosaml2/tests/__init__.py

@@ -308,8 +308,8 @@ def test_unknown_idp(self):
             metadata_file="remote_metadata_three_idps.xml",
         )
 
-        response = self.client.get(reverse("saml2_login") + "?idp=https://unknown.org")
-        self.assertEqual(response.status_code, 403)
+        response = self.client.get(reverse("saml2_login") + "?idp=<b>https://unknown.org</b>")
+        self.assertContains(response, "&lt;b&gt;https://unknown.org&lt;/b&gt;", status_code=403)
 
     def test_login_authn_context(self):
         sp_kwargs = {

djangosaml2/views.py

@@ -30,6 +30,7 @@
 from django.template import TemplateDoesNotExist
 from django.urls import reverse
 from django.utils.decorators import method_decorator
+from django.utils.html import escape
 from django.utils.module_loading import import_string
 from django.utils.translation import gettext_lazy as _
 from django.views.decorators.csrf import csrf_exempt
@@ -152,9 +153,9 @@ def get_next_path(self, request: HttpRequest) -> str:
         return next_path
 
     def unknown_idp(self, request, idp):
-        msg = f"Error: IdP EntityID {idp} was not found in metadata"
+        msg = f"Error: IdP EntityID {escape(idp)} was not found in metadata"
         logger.error(msg)
-        return HttpResponse(msg.format("Please contact technical support."), status=403)
+        return HttpResponse(msg, status=403)
 
     def load_sso_kwargs_scoping(self, sso_kwargs):
         """Performs IdP Scoping if scoping param is present."""

setup.py

@@ -27,7 +27,7 @@ def read(*rnames):
 
 setup(
     name="djangosaml2",
-    version="1.5.5",
+    version="1.5.6",
     description="pysaml2 integration for Django",
     long_description=read("README.md"),
     long_description_content_type="text/markdown",