Hi, there is a cross-site scripting security vulnerability in the demo UI: https://github.com/amdonov/lite-idp/blob/3886dff6987fcde7a6f8b047affdd33c2ec75c29/hack/ui/index.js#L24
Malicious JavaScript can be injected through the error URL parameter. This needs to be fixed to use the .text() method instead.
I'm reporting publicly since this is the "hacks" folder, demo UI and unlikely to be used in production. Feel free to restrict the issue if you deem otherwise.
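
The fix suggested in the report, as an added example that is not part of the original issue or the lite-idp code. It assumes the affected line writes the `error` parameter through an HTML sink such as jQuery's `.html()`; `FakeElement`, `errorParam`, `showErrorUnsafe`, `showErrorSafe` and the sample query string are hypothetical names and constructed data.

```javascript
// Added example; every name here is an assumption, not code from hack/ui/index.js.

// Minimal stand-in for a jQuery-wrapped element so the example runs under Node
// without a DOM. It models only the two sinks discussed: .html() treats its
// argument as markup, .text() stores it as a text node (serialized escaped).
class FakeElement {
  constructor() { this.innerHTML = ""; }
  html(s) { this.innerHTML = String(s); return this; }
  text(s) {
    this.innerHTML = String(s)
      .replace(/&/g, "&amp;")
      .replace(/</g, "&lt;")
      .replace(/>/g, "&gt;");
    return this;
  }
}

// Read the `error` query parameter from a location.search-style string.
function errorParam(search) {
  return new URLSearchParams(search).get("error") || "";
}

// Vulnerable pattern: a URL-controlled value reaches an HTML sink.
function showErrorUnsafe($el, search) {
  return $el.html(errorParam(search));
}

// Fixed pattern: the same value written through the text sink.
function showErrorSafe($el, search) {
  return $el.text(errorParam(search));
}

// True if the rendered content contains an element start tag.
function hasElement(markup) {
  return /<[a-z][^>]*>/i.test(markup);
}

// Constructed sample query string carrying markup in `error`.
const SAMPLE = "?error=" + encodeURIComponent('<img src=x onerror="console.log(1)">');

const unsafe = showErrorUnsafe(new FakeElement(), SAMPLE).innerHTML;
const safe = showErrorSafe(new FakeElement(), SAMPLE).innerHTML;
console.log("html():", hasElement(unsafe), unsafe);
console.log("text():", hasElement(safe), safe);
```

In a browser the two `showError*` functions take a real jQuery object, for example `$("#error")` (a hypothetical selector), in place of `FakeElement`.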