From 82162ec753e3fd22dc627a3d4fd7542b30de6364 Mon Sep 17 00:00:00 2001
From: Robbie Paul <robbie.paul@dxw.com>
Date: Thu, 20 Apr 2017 13:30:27 +0100
Subject: [PATCH] Escape the error message

* This commit prevents a possible reflected XSS
---
 includes/openid-connect-generic-client-wrapper.php | 2 +-
 includes/openid-connect-generic-login-form.php     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/includes/openid-connect-generic-client-wrapper.php b/includes/openid-connect-generic-client-wrapper.php
index 44b2f01..a2ceeb2 100644
--- a/includes/openid-connect-generic-client-wrapper.php
+++ b/includes/openid-connect-generic-client-wrapper.php
@@ -441,7 +441,7 @@ class OpenID_Connect_Generic_Client_Wrapper {
 		// you did great, have a cookie!
 		$this->issue_token_refresh_info_cookie( $user->ID, $token_response );
 		wp_set_auth_cookie( $user->ID, FALSE );
-        do_action( 'wp_login', $user->user_login, $user );
+		do_action( 'wp_login', $user->user_login, $user );
 	}
 
 	/**
diff --git a/includes/openid-connect-generic-login-form.php b/includes/openid-connect-generic-login-form.php
index 18d1a4d..8068211 100644
--- a/includes/openid-connect-generic-login-form.php
+++ b/includes/openid-connect-generic-login-form.php
@@ -113,7 +113,7 @@ class OpenID_Connect_Generic_Login_Form {
 		?>
 		<div id="login_error">
 			<strong><?php _e( 'ERROR'); ?>: </strong>
-			<?php print $error_message; ?>
+			<?php print esc_html($error_message); ?>
 		</div>
 		<?php
 		return ob_get_clean();