aws-samples / lambdaedge-openidconnect-samples

MIT No Attribution

XSS Vulnerability in Auth Code #63

Closed pascalbayer closed 10 months ago

pascalbayer commented 10 months ago

Currently the auth.js file contains XSS vulnerabilities which allow injecting code into the error callback via the URL, e.g. /_callback?error=%3Cscript%3Ealert(1)%3C/script%3E. This is possible because the query parameters error, errorDescription and errorUri are rendered into the HTML body without DOM sanitization.

// Relevant lines that retrieve the query parameters, lines 202-217
if (errors[queryString.error] != null) {
    // known error code: use the friendly message from the table
    error = errors[queryString.error];
} else {
    // unknown code: the raw, attacker-controlled query value is kept as-is
    error = queryString.error;
}
...

// Relevant lines in the auth.js file that generate the html, line 412
<div class="cover"><h1>${error}</h1><small>Error 401</small><p class="lead">${errorDescription}</p><p>${errorUri}</p></div>

I would propose a fix by using https://github.com/cure53/DOMPurify to sanitize the DOM body:

const createDOMPurify = require('dompurify');
const { JSDOM } = require('jsdom');

const window = new JSDOM('').window;
const DOMPurify = createDOMPurify(window);
const sanitizedBody = DOMPurify.sanitize(body);

I consider this a critical issue to fix in the sample code, or at least to highlight in the README, as it might allow grabbing session cookies or stealing login information by rendering a login UI.

noyceguy commented 10 months ago

@pascalbayer thank you for pointing this security issue out. We have made the changes and merged it in.