Merge pull request #1037 from nextcloud/fix/login-post-escape

blizzz · web-flow · commit 05556e9e06c6 · 2026-01-29T12:02:21.000+01:00
Fix HTML injection in SAML POST login
diff --git a/templates/login_post.php b/templates/login_post.php
@@ -15,19 +15,19 @@
 p($l->t('Please wait while you are redirected to the SSO server.'));
 ?>
 
-<form action="<?= $_['ssoUrl'] ?>" method="post">
-	<input type="hidden" name="SAMLRequest" value="<?= $_['samlRequest'] ?>" />
-	<input type="hidden" name="RelayState" value="<?= $_['relayState'] ?>" />
-	<input type="hidden" name="SigAlg" value="<?= $_['sigAlg'] ?>" />
-	<input type="hidden" name="Signature" value="<?= $_['signature'] ?>" />
+<form action="<?php p($_['ssoUrl']); ?>" method="post">
+	<input type="hidden" name="SAMLRequest" value="<?php p($_['samlRequest']); ?>" />
+	<input type="hidden" name="RelayState" value="<?php p($_['relayState']); ?>" />
+	<input type="hidden" name="SigAlg" value="<?php p($_['sigAlg']); ?>" />
+	<input type="hidden" name="Signature" value="<?php p($_['signature']); ?>" />
 	<noscript>
 		<p>
 			<?php p($l->t('JavaScript is disabled in your browser. Please enable it to continue.')) ?>
 		</p>
 		<input type="submit" value="Continue" />
 	</noscript>
 </form>
-<script nonce="<?= $_['nonce'] ?>">
+<script nonce="<?php p($_['nonce']); ?>">
 	document.addEventListener('DOMContentLoaded', function() {
 		document.forms[0].submit()
 	})
diff --git a/tests/unit/Template/LoginPostTemplateTest.php b/tests/unit/Template/LoginPostTemplateTest.php
@@ -0,0 +1,66 @@
+<?php
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace {
+	if (!function_exists('p')) {
+		function p($string): void {
+			print(htmlspecialchars((string)$string, ENT_QUOTES, 'UTF-8'));
+		}
+	}
+}
+
+namespace OCA\User_SAML\Tests\Template {
+	use OCP\IL10N;
+	use OCP\Util;
+	use Test\TestCase;
+
+	class LoginPostTemplateTest extends TestCase {
+		public function testLoginPostTemplateEscapesValues(): void {
+			$l = $this->createMock(IL10N::class);
+			$l->method('t')->willReturnCallback(static fn (string $text): string => $text);
+
+			$_ = [
+				'ssoUrl' => 'https://example.com/" onmouseover="alert(1)',
+				'samlRequest' => '"><input name="submit">',
+				'relayState' => '"><img src=x onerror=alert(1)>',
+				'sigAlg' => '"><svg onload=alert(1)>',
+				'signature' => '"><div>sig</div>',
+				'nonce' => '" onload="alert(1)',
+			];
+
+			ob_start();
+			include __DIR__ . '/../../../templates/login_post.php';
+			$output = ob_get_clean();
+
+			$this->assertNotFalse($output);
+			$this->assertStringContainsString(
+				'action="' . Util::sanitizeHTML($_['ssoUrl']) . '"',
+				$output
+			);
+			$this->assertStringContainsString(
+				'name="SAMLRequest" value="' . Util::sanitizeHTML($_['samlRequest']) . '"',
+				$output
+			);
+			$this->assertStringContainsString(
+				'name="RelayState" value="' . Util::sanitizeHTML($_['relayState']) . '"',
+				$output
+			);
+			$this->assertStringContainsString(
+				'name="SigAlg" value="' . Util::sanitizeHTML($_['sigAlg']) . '"',
+				$output
+			);
+			$this->assertStringContainsString(
+				'name="Signature" value="' . Util::sanitizeHTML($_['signature']) . '"',
+				$output
+			);
+			$this->assertStringContainsString(
+				'nonce="' . Util::sanitizeHTML($_['nonce']) . '"',
+				$output
+			);
+		}
+	}
+}
