HtmlEncode all user input in Azure OpenID sample

2016-08-22 22:30:11 -07:00 · 2016-08-22 22:30:11 -07:00 · 62f0f6e857
parent 7ea76f5e54
commit 62f0f6e857
1 changed files with 3 additions and 3 deletions
--- a/samples/OpenIdConnect.AzureAdSample/Startup.cs
+++ b/samples/OpenIdConnect.AzureAdSample/Startup.cs
@ -157,7 +157,7 @@ namespace OpenIdConnect.AzureAdSample
                            string userObjectID = context.User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
                            var result = await authContext.AcquireTokenSilentAsync(resource, credential, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));

-                            await response.WriteAsync($"<h3>access_token</h3><code>{result.AccessToken}</code><br>");
+                            await response.WriteAsync($"<h3>access_token</h3><code>{HtmlEncode(result.AccessToken)}</code><br>");
                        }
                        catch (Exception ex)
                        {
@ -184,7 +184,7 @@ namespace OpenIdConnect.AzureAdSample
            await response.WriteAsync("<tr>");
            foreach (var column in columns)
            {
-                await response.WriteAsync($"<th>{column}</th>");
+                await response.WriteAsync($"<th>{HtmlEncode(column)}</th>");
            }
            await response.WriteAsync("</tr>");
            foreach (var row in data)
@ -192,7 +192,7 @@ namespace OpenIdConnect.AzureAdSample
                await response.WriteAsync("<tr>");
                foreach (var column in row)
                {
-                    await response.WriteAsync($"<td>{column}</td>");
+                    await response.WriteAsync($"<td>{HtmlEncode(column)}</td>");
                }
                await response.WriteAsync("</tr>");
            }