From 76c824ab32db6fc30c06b3ff3d7a250564ad4369 Mon Sep 17 00:00:00 2001
From: Tim Nolte <tnolte@forumone.com>
Date: Wed, 24 Mar 2021 09:42:51 -0400
Subject: [PATCH] Fixes Login Page XSS Issue (#283)

- Adds escaping to the errot output message.
- Adds escaping to the login button output.
---
 .../openid-connect-generic-login-form.php     |   7 +-
 package-lock.json                             | 134 ++++++++++--------
 2 files changed, 80 insertions(+), 61 deletions(-)

diff --git a/includes/openid-connect-generic-login-form.php b/includes/openid-connect-generic-login-form.php
index 401b463..a64924d 100644
--- a/includes/openid-connect-generic-login-form.php
+++ b/includes/openid-connect-generic-login-form.php
@@ -132,7 +132,8 @@ class OpenID_Connect_Generic_Login_Form {
 	function handle_login_page( $message ) {
 
 		if ( isset( $_GET['login-error'] ) ) {
-			$message .= $this->make_error_output( $_GET['login-error'], $_GET['message'] );
+			$error_message = ! empty( $_GET['message'] ) ? $_GET['message'] : 'Unknown error.';
+			$message .= $this->make_error_output( $_GET['login-error'], $error_message );
 		}
 
 		// Login button is appended to existing messages in case of error.
@@ -158,7 +159,7 @@ class OpenID_Connect_Generic_Login_Form {
 			<?php print esc_html( $error_message ); ?>
 		</div>
 		<?php
-		return ob_get_clean();
+		return wp_kses_post( ob_get_clean() );
 	}
 
 	/**
@@ -184,7 +185,7 @@ class OpenID_Connect_Generic_Login_Form {
 			<a class="button button-large" href="<?php print esc_url( $href ); ?>"><?php print $text; ?></a>
 		</div>
 		<?php
-		return ob_get_clean();
+		return wp_kses_post( ob_get_clean() );
 	}
 
 	/**
diff --git a/package-lock.json b/package-lock.json
index a952a62..c50a7e3 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -2239,12 +2239,6 @@
 				"@types/unist": "*"
 			}
 		},
-		"@types/mime-types": {
-			"version": "2.1.0",
-			"resolved": "https://registry.npmjs.org/@types/mime-types/-/mime-types-2.1.0.tgz",
-			"integrity": "sha1-nKUs2jY/aZxpRmwqbM2q2RPqenM=",
-			"dev": true
-		},
 		"@types/minimatch": {
 			"version": "3.0.3",
 			"resolved": "https://registry.npmjs.org/@types/minimatch/-/minimatch-3.0.3.tgz",
@@ -2425,16 +2419,6 @@
 			"integrity": "sha512-37RSHht+gzzgYeobbG+KWryeAW8J33Nhr69cjTqSYymXVZEN9NbRYWoYlRtDhHKPVT1FyNKwaTPC1NynKZpzRA==",
 			"dev": true
 		},
-		"@types/yauzl": {
-			"version": "2.9.1",
-			"resolved": "https://registry.npmjs.org/@types/yauzl/-/yauzl-2.9.1.tgz",
-			"integrity": "sha512-A1b8SU4D10uoPjwb0lnHmmu8wZhR9d+9o2PKBQT2jU5YPTKsxac6M2qGAdY7VcL+dHHhARVUDmeg0rOrcd9EjA==",
-			"dev": true,
-			"optional": true,
-			"requires": {
-				"@types/node": "*"
-			}
-		},
 		"@typescript-eslint/experimental-utils": {
 			"version": "2.34.0",
 			"resolved": "https://registry.npmjs.org/@typescript-eslint/experimental-utils/-/experimental-utils-2.34.0.tgz",
@@ -2970,6 +2954,18 @@
 						"buffer": "^5.5.0",
 						"inherits": "^2.0.4",
 						"readable-stream": "^3.4.0"
+					},
+					"dependencies": {
+						"buffer": {
+							"version": "5.7.1",
+							"resolved": "https://registry.npmjs.org/buffer/-/buffer-5.7.1.tgz",
+							"integrity": "sha512-EHcyIPBQ4BSGlvjB16k5KgAJ27CIsHY/2JBmCRReo48y9rQ3MaUzWX3KVlBa4U7MyX02HdVj0K7C3WaB3ju7FQ==",
+							"dev": true,
+							"requires": {
+								"base64-js": "^1.3.1",
+								"ieee754": "^1.1.13"
+							}
+						}
 					}
 				},
 				"chalk": {
@@ -3074,6 +3070,18 @@
 						"debug": "^4.1.1",
 						"get-stream": "^5.1.0",
 						"yauzl": "^2.10.0"
+					},
+					"dependencies": {
+						"@types/yauzl": {
+							"version": "2.9.1",
+							"resolved": "https://registry.npmjs.org/@types/yauzl/-/yauzl-2.9.1.tgz",
+							"integrity": "sha512-A1b8SU4D10uoPjwb0lnHmmu8wZhR9d+9o2PKBQT2jU5YPTKsxac6M2qGAdY7VcL+dHHhARVUDmeg0rOrcd9EjA==",
+							"dev": true,
+							"optional": true,
+							"requires": {
+								"@types/node": "*"
+							}
+						}
 					}
 				},
 				"has-flag": {
@@ -3082,6 +3090,12 @@
 					"integrity": "sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ==",
 					"dev": true
 				},
+				"prettier": {
+					"version": "npm:wp-prettier@2.0.5",
+					"resolved": "https://registry.npmjs.org/wp-prettier/-/wp-prettier-2.0.5.tgz",
+					"integrity": "sha512-5GCgdeevIXwR3cW4Qj5XWC5MO1iSCz8+IPn0mMw6awAt/PBiey8yyO7MhePRsaMqghJAhg6Q3QLYWSnUHWkG6A==",
+					"dev": true
+				},
 				"puppeteer": {
 					"version": "npm:puppeteer-core@3.0.0",
 					"resolved": "https://registry.npmjs.org/puppeteer-core/-/puppeteer-core-3.0.0.tgz",
@@ -3100,6 +3114,44 @@
 						"tar-fs": "^2.0.0",
 						"unbzip2-stream": "^1.3.3",
 						"ws": "^7.2.3"
+					},
+					"dependencies": {
+						"@types/mime-types": {
+							"version": "2.1.0",
+							"resolved": "https://registry.npmjs.org/@types/mime-types/-/mime-types-2.1.0.tgz",
+							"integrity": "sha1-nKUs2jY/aZxpRmwqbM2q2RPqenM=",
+							"dev": true
+						},
+						"buffer": {
+							"version": "5.7.1",
+							"resolved": "https://registry.npmjs.org/buffer/-/buffer-5.7.1.tgz",
+							"integrity": "sha512-EHcyIPBQ4BSGlvjB16k5KgAJ27CIsHY/2JBmCRReo48y9rQ3MaUzWX3KVlBa4U7MyX02HdVj0K7C3WaB3ju7FQ==",
+							"dev": true,
+							"requires": {
+								"base64-js": "^1.3.1",
+								"ieee754": "^1.1.13"
+							}
+						},
+						"https-proxy-agent": {
+							"version": "4.0.0",
+							"resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-4.0.0.tgz",
+							"integrity": "sha512-zoDhWrkR3of1l9QAL8/scJZyLu8j/gBkcwcaQOZh7Gyh/+uJQzGVETdgT30akuwkpL8HTRfssqI3BZuV18teDg==",
+							"dev": true,
+							"requires": {
+								"agent-base": "5",
+								"debug": "4"
+							}
+						},
+						"unbzip2-stream": {
+							"version": "1.4.3",
+							"resolved": "https://registry.npmjs.org/unbzip2-stream/-/unbzip2-stream-1.4.3.tgz",
+							"integrity": "sha512-mlExGW4w71ebDJviH16lQLtZS32VKqsSfk80GCfUlwT/4/hNRFsoscrF/c++9xinkMzECL1uL9DDwXqFWkruPg==",
+							"dev": true,
+							"requires": {
+								"buffer": "^5.2.1",
+								"through": "^2.3.8"
+							}
+						}
 					}
 				},
 				"readable-stream": {
@@ -3147,6 +3199,14 @@
 						"mkdirp-classic": "^0.5.2",
 						"pump": "^3.0.0",
 						"tar-stream": "^2.1.4"
+					},
+					"dependencies": {
+						"mkdirp-classic": {
+							"version": "0.5.3",
+							"resolved": "https://registry.npmjs.org/mkdirp-classic/-/mkdirp-classic-0.5.3.tgz",
+							"integrity": "sha512-gKLcREMhtuZRwRAfqP3RFW+TK4JqApVBtOIftVgjuABpAtpxhPGaDcfvbhNvD0B8iD1oUr/txX35NjcaY6Ns/A==",
+							"dev": true
+						}
 					}
 				},
 				"tar-stream": {
@@ -4316,16 +4376,6 @@
 				"node-int64": "^0.4.0"
 			}
 		},
-		"buffer": {
-			"version": "5.7.1",
-			"resolved": "https://registry.npmjs.org/buffer/-/buffer-5.7.1.tgz",
-			"integrity": "sha512-EHcyIPBQ4BSGlvjB16k5KgAJ27CIsHY/2JBmCRReo48y9rQ3MaUzWX3KVlBa4U7MyX02HdVj0K7C3WaB3ju7FQ==",
-			"dev": true,
-			"requires": {
-				"base64-js": "^1.3.1",
-				"ieee754": "^1.1.13"
-			}
-		},
 		"buffer-alloc": {
 			"version": "1.2.0",
 			"resolved": "https://registry.npmjs.org/buffer-alloc/-/buffer-alloc-1.2.0.tgz",
@@ -8858,16 +8908,6 @@
 			"integrity": "sha1-7AbBDgo0wPL68Zn3/X/Hj//QPHM=",
 			"dev": true
 		},
-		"https-proxy-agent": {
-			"version": "4.0.0",
-			"resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-4.0.0.tgz",
-			"integrity": "sha512-zoDhWrkR3of1l9QAL8/scJZyLu8j/gBkcwcaQOZh7Gyh/+uJQzGVETdgT30akuwkpL8HTRfssqI3BZuV18teDg==",
-			"dev": true,
-			"requires": {
-				"agent-base": "5",
-				"debug": "4"
-			}
-		},
 		"human-signals": {
 			"version": "1.1.1",
 			"resolved": "https://registry.npmjs.org/human-signals/-/human-signals-1.1.1.tgz",
@@ -12604,12 +12644,6 @@
 				"minimist": "^1.2.5"
 			}
 		},
-		"mkdirp-classic": {
-			"version": "0.5.3",
-			"resolved": "https://registry.npmjs.org/mkdirp-classic/-/mkdirp-classic-0.5.3.tgz",
-			"integrity": "sha512-gKLcREMhtuZRwRAfqP3RFW+TK4JqApVBtOIftVgjuABpAtpxhPGaDcfvbhNvD0B8iD1oUr/txX35NjcaY6Ns/A==",
-			"dev": true
-		},
 		"moo": {
 			"version": "0.5.1",
 			"resolved": "https://registry.npmjs.org/moo/-/moo-0.5.1.tgz",
@@ -18109,12 +18143,6 @@
 			"integrity": "sha1-1PRWKwzjaW5BrFLQ4ALlemNdxtw=",
 			"dev": true
 		},
-		"prettier": {
-			"version": "npm:wp-prettier@2.0.5",
-			"resolved": "https://registry.npmjs.org/wp-prettier/-/wp-prettier-2.0.5.tgz",
-			"integrity": "sha512-5GCgdeevIXwR3cW4Qj5XWC5MO1iSCz8+IPn0mMw6awAt/PBiey8yyO7MhePRsaMqghJAhg6Q3QLYWSnUHWkG6A==",
-			"dev": true
-		},
 		"prettier-linter-helpers": {
 			"version": "1.0.0",
 			"resolved": "https://registry.npmjs.org/prettier-linter-helpers/-/prettier-linter-helpers-1.0.0.tgz",
@@ -21378,16 +21406,6 @@
 				"which-boxed-primitive": "^1.0.1"
 			}
 		},
-		"unbzip2-stream": {
-			"version": "1.4.3",
-			"resolved": "https://registry.npmjs.org/unbzip2-stream/-/unbzip2-stream-1.4.3.tgz",
-			"integrity": "sha512-mlExGW4w71ebDJviH16lQLtZS32VKqsSfk80GCfUlwT/4/hNRFsoscrF/c++9xinkMzECL1uL9DDwXqFWkruPg==",
-			"dev": true,
-			"requires": {
-				"buffer": "^5.2.1",
-				"through": "^2.3.8"
-			}
-		},
 		"unc-path-regex": {
 			"version": "0.1.2",
 			"resolved": "https://registry.npmjs.org/unc-path-regex/-/unc-path-regex-0.1.2.tgz",