samlify icon indicating copy to clipboard operation
samlify copied to clipboard
verified publisher icon tngan

Invalid XML attributes due to characters not escaped

Open jer-sen opened this issue 2 years ago • 2 comments

For example, a & in ACS URL is not replaced by & in the loginRequestRedirectURL function so the generated XML is not valid and authentication fails. More important, this could lead to security issues (XML injection).

Solution: do NOT use replaceTagsByValue in an XML template without escaping the values!

jer-sen avatar Jul 10 '23 16:07 jer-sen

@jer-sen replaceTagsByValue is definitely not the optimal function to construct xml, it's doing string interpolation. I will draft a new function and add a deprecation warning for this function.

tngan avatar Jul 24 '23 07:07 tngan

@tngan I have a fix at https://github.com/Carriyo/samlify/tree/xml-entity-escape (though tests werent working for me. There is an issue with test setup, which is topic for another discussion. once tests are running, tests pass.)

The assumption is that if an interpolation begins with a double quote (e.g. "{ID}) then its an interpolation within an XML attribute that needs character entity escaping. This assumption seems to hold for your current templates.

Raised a PR: https://github.com/tngan/samlify/pull/523. I haven't followed all the repo conventions yet. I could do those as another commit on the branch.

Munawwar avatar Aug 16 '23 14:08 Munawwar