Merge pull request #559 from joshjacobson/fix/xss-oauth-responses

taylorwilsdon · web-flow · commit 8563ef89b9d9 · 2026-04-24T09:53:22.000-04:00
fix: escape HTML in OAuth callback responses to prevent XSS
diff --git a/auth/oauth_responses.py b/auth/oauth_responses.py
@@ -5,6 +5,7 @@
 to eliminate duplication between server.py and oauth_callback_server.py.
 """
 
+from html import escape as html_escape
 from fastapi.responses import HTMLResponse
 from typing import Optional
 
@@ -25,7 +26,7 @@ def create_error_response(error_message: str, status_code: int = 400) -> HTMLRes
         <head><title>Authentication Error</title></head>
         <body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; max-width: 600px; margin: 40px auto; padding: 20px; text-align: center;">
             <h2 style="color: #d32f2f;">Authentication Error</h2>
-            <p>{error_message}</p>
+            <p>{html_escape(error_message)}</p>
             <p>Please ensure you grant the requested permissions. You can close this tab and try again.</p>
         </body>
         </html>
@@ -193,7 +194,7 @@ def create_success_response(verified_user_id: Optional[str] = None) -> HTMLRespo
         <div class="icon">✓</div>
         <h1>Authentication Successful</h1>
         <div class="message">
-            You've been authenticated as <span class="user-id">{user_display}</span>
+            You've been authenticated as <span class="user-id">{html_escape(user_display)}</span>
         </div>
         <div class="message">
             Your credentials have been securely saved. You can now close this tab and retry your original command.
@@ -221,7 +222,7 @@ def create_server_error_response(error_detail: str) -> HTMLResponse:
         <head><title>Authentication Processing Error</title></head>
         <body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; max-width: 600px; margin: 40px auto; padding: 20px; text-align: center;">
             <h2 style="color: #d32f2f;">Authentication Processing Error</h2>
-            <p>An unexpected error occurred while processing your authentication: {error_detail}</p>
+            <p>An unexpected error occurred while processing your authentication: {html_escape(error_detail)}</p>
             <p>Please try again. You can close this tab.</p>
         </body>
         </html>
diff --git a/tests/auth/__init__.py b/tests/auth/__init__.py
diff --git a/tests/auth/test_oauth_responses.py b/tests/auth/test_oauth_responses.py
@@ -0,0 +1,60 @@
+"""Tests for XSS prevention in OAuth callback HTML responses."""
+
+from auth.oauth_responses import (
+    create_error_response,
+    create_server_error_response,
+    create_success_response,
+)
+
+
+class TestXSSPrevention:
+    def test_error_response_escapes_script_tag(self):
+        xss_payload = '<script>alert("xss")</script>'
+        response = create_error_response(xss_payload)
+        body = response.body.decode()
+        assert "<script>alert" not in body
+        assert "&lt;script&gt;" in body
+
+    def test_error_response_escapes_html_entities(self):
+        response = create_error_response('Test <b>bold</b> & "quotes"')
+        body = response.body.decode()
+        assert "<b>" not in body
+        assert "&lt;b&gt;" in body
+        assert "&amp;" in body
+
+    def test_success_response_escapes_user_display(self):
+        xss_email = "<img src=x onerror=alert(1)>@evil.com"
+        response = create_success_response(verified_user_id=xss_email)
+        body = response.body.decode()
+        # The raw <img> tag should not appear — only the escaped version
+        assert "<img src=" not in body
+        assert "&lt;img src=x onerror=alert(1)&gt;@evil.com" in body
+
+    def test_success_response_normal_email_displays_correctly(self):
+        response = create_success_response(verified_user_id="user@example.com")
+        body = response.body.decode()
+        assert "user@example.com" in body
+
+    def test_success_response_none_user_shows_default(self):
+        response = create_success_response(verified_user_id=None)
+        body = response.body.decode()
+        assert "Google User" in body
+
+    def test_server_error_response_escapes_exception(self):
+        xss_detail = "FileNotFoundError: /secret/path/<script>alert(1)</script>"
+        response = create_server_error_response(xss_detail)
+        body = response.body.decode()
+        assert "<script>alert" not in body
+        assert "&lt;script&gt;" in body
+
+    def test_error_response_status_code(self):
+        response = create_error_response("test", status_code=403)
+        assert response.status_code == 403
+
+    def test_server_error_response_status_code(self):
+        response = create_server_error_response("test")
+        assert response.status_code == 500
+
+    def test_success_response_status_code(self):
+        response = create_success_response("user@example.com")
+        assert response.status_code == 200
