Merge pull request #589 from onc-healthit/fi-1365-halt-message

HTML escape certain halt messages.
onc-healthit · Nov 12, 2021 · 243607d · 243607d
2 parents 45cfade + 4f952a1
commit 243607d
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 7 deletions.
diff --git a/lib/app/endpoint/home.rb b/lib/app/endpoint/home.rb
@@ -29,7 +29,7 @@ class Home < Endpoint
 
           if inferno_module.nil?
             Inferno.logger.error "Unknown module: #{params[:module]}"
-            halt 404, "Unknown module: #{params[:module]}"
+            halt 404, "Unknown module: #{ERB::Util.html_escape(params[:module])}"
           end
 
           @instance = Inferno::TestingInstance.new(url: url,

diff --git a/lib/app/utils/oauth2_error_messages.rb b/lib/app/utils/oauth2_error_messages.rb
@@ -7,7 +7,7 @@ def no_instance_for_state_error_message
         %(
           <p>
             Inferno has detected an issue with the SMART launch.
-            No actively running launch sequences found with a state of #{params[:state]}.
+            #{param_description}
             The authorization server is not returning the correct state variable and
             therefore Inferno cannot identify which server is currently under test.
             Please click your browser's "Back" button to return to Inferno,
@@ -18,10 +18,16 @@ def no_instance_for_state_error_message
         )
       end
 
+      def param_description
+        return "No 'state' parameter was returned by the authorization server." if params[:state].nil?
+
+        "No actively running launch sequences found with a 'state' parameter of '#{ERB::Util.html_escape(params[:state])}'."
+      end
+
       def server_error_message
         return '' if params[:error].blank?
 
-        "<p>Error returned by server: <strong>#{params[:error]}</strong>.</p>"
+        "<p>Error returned by server: <strong>#{ERB::Util.html_escape(params[:error])}</strong>.</p>"
       end
 
       def server_error_description
@@ -31,18 +37,18 @@ def server_error_description
       end
 
       def bad_state_error_message
-        "State provided in redirect (#{params[:state]}) does not match expected state (#{@instance.state})."
+        "State provided in redirect (#{ERB::Util.html_escape(params[:state])}) does not match expected state (#{ERB::Util.html_escape(@instance.state)})."
       end
 
       def no_instance_for_iss_error_message
         %(
-          Error: No actively running launch sequences found for iss #{params[:iss]}.
+          Error: No actively running launch sequences found for iss #{ERB::Util.html_escape(params[:iss])}.
           Please ensure that the EHR launch test is actively running before attempting to launch Inferno from the EHR.
         )
       end
 
       def unknown_iss_error_message
-        params[:iss].present? ? "Unknown iss: #{params[:iss]}" : no_iss_error_message
+        params[:iss].present? ? "Unknown iss: #{ERB::Util.html_escape(params[:iss])}" : no_iss_error_message
       end
 
       def no_iss_error_message

diff --git a/test/integration/oauth2_endpoints_test.rb b/test/integration/oauth2_endpoints_test.rb
@@ -188,7 +188,8 @@ def test_redirect_response_not_running
 
       assert last_response.status == 500
 
-      expected_error_message = "No actively running launch sequences found with a state of #{bad_state}"
+      expected_error_message = "No actively running launch sequences found with a 'state' parameter of '#{bad_state}'"
+
       assert last_response.body.include? expected_error_message
       break
     end