From cfce58706e7206519a00d86dc8ebb10f522d829c Mon Sep 17 00:00:00 2001
From: Andrea Piai
Date: Tue, 29 Oct 2024 16:50:33 +0100
Subject: [PATCH] HTML escape for FIMS
---
 package.json | 2 ++
 src/features/fims/services/providerService.ts | 17 ++++++++++-------
 yarn.lock | 9 +++++++--
 3 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/package.json b/package.json
index a44aeb8c..bb32f539 100644
--- a/package.json
+++ b/package.json
@@ -84,6 +84,7 @@
 "cookie-parser": "^1.4.6",
 "crypto": "^1.0.1",
 "date-fns": "^2.27.0",
+ "escape-html": "^1.0.3",
 "express": "4.20.0",
 "figlet": "^1.5.2",
 "fp-ts": "^2.16.0",
@@ -109,6 +110,7 @@
 "@types/body-parser": "^1.19.2",
 "@types/cookie-parser": "^1.4.7",
 "@types/date-fns": "^2.6.0",
+ "@types/escape-html": "^1.0.4",
 "@types/express": "^4.17.21",
 "@types/figlet": "^1.5.4",
 "@types/jest": "^27.4.0",
diff --git a/src/features/fims/services/providerService.ts b/src/features/fims/services/providerService.ts
index ae6bf45c..2551d0b5 100644
--- a/src/features/fims/services/providerService.ts
+++ b/src/features/fims/services/providerService.ts
@@ -1,3 +1,4 @@
+import escapeHTML from "escape-html";
 import { ioDevServerConfig } from "../../../config";
 import { IoDevServerConfig } from "../../../types/config";
 import { ProviderConfig } from "../types/config";
@@ -25,16 +26,18 @@ export const generatePermissionHTML = (

Autorizzi l'invio dei dati?

-

I seguenti dati stanno per essere condivisi con ${relyingPartyName}

-

${scopes?.join(" ")}

-
+

${escapeHTML(scopes?.join(" "))}

+

I seguenti dati stanno per essere condivisi con ${escapeHTML( + relyingPartyName + )}

+

- Annulla + Annulla
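Review bot: `${escapeHTML(scopes?.join(" "))}` still hands `undefined` to escape-html when `scopes` is absent; escape-html coerces its argument with `'' + string`, so the consent page would render the literal text "undefined" (as it already did before this patch), and the call also disagrees with the `(text: string)` signature that @types/escape-html declares if strictNullChecks is enabled — `${escapeHTML(scopes?.join(" ") ?? "")}` avoids both. escape-html only covers HTML text and quoted-attribute contexts, so if the changed `Annulla` line (its markup is stripped in this rendering) or the interpolations in the generateIdTokenRedirectHTML hunk below place a value into an href, a form action or a script block, that value needs encodeURIComponent or JSON.stringify for its context rather than escapeHTML. generatePermissionHTML starts before this hunk and appears to continue past it.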
@@ -58,9 +61,9 @@ export const generateIdTokenRedirectHTML = ( -
- - + + +
diff --git a/yarn.lock b/yarn.lock
index 9e393127..133486e8 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1063,6 +1063,11 @@ dependencies: date-fns "*" +"@types/escape-html@^1.0.4": + version "1.0.4" + resolved "https://registry.yarnpkg.com/@types/escape-html/-/escape-html-1.0.4.tgz#dc7c166b76c7b03b27e32f80edf01d91eb5d9af2" + integrity sha512-qZ72SFTgUAZ5a7Tj6kf2SHLetiH5S6f8G5frB2SPQ3EyF02kxdyBFf4Tz4banE3xCgGnKgWLt//a6VuYHKYJTg== + "@types/express-serve-static-core@*": version "4.17.0" resolved "https://registry.yarnpkg.com/@types/express-serve-static-core/-/express-serve-static-core-4.17.0.tgz#e80c25903df5800e926402b7e8267a675c54a281"
@@ -2631,10 +2636,10 @@ escape-goat@^2.0.0: resolved "https://registry.yarnpkg.com/escape-goat/-/escape-goat-2.1.1.tgz#1b2dc77003676c457ec760b2dc68edb648188675" integrity sha512-8/uIhbG12Csjy2JEW7D9pHbreaVaS/OpN3ycnyvElTdwM5n6GY6W6e2IPemfvGZeUMqZ9A/3GqIZMgKnBhAw/Q== -escape-html@~1.0.3: +escape-html@^1.0.3, escape-html@~1.0.3: version "1.0.3" resolved "https://registry.yarnpkg.com/escape-html/-/escape-html-1.0.3.tgz#0258eae4d3d0c0974de1c169188ef0051d1d1988" - integrity sha1-Aljq5NPQwJdN4cFpGI7wBR0dGYg= + integrity sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow== escape-string-regexp@4.0.0, escape-string-regexp@^4.0.0: version "4.0.0"