From e31616e2f3fea3f0c2b0a6127952d7a79e4d86df Mon Sep 17 00:00:00 2001
From: Rob Scanlon
Date: Fri, 12 Nov 2021 11:42:19 -0500
Subject: [PATCH 1/3] HTML escape certain halt messages.

---
 lib/app/endpoint/home.rb | 2 +-
 lib/app/utils/oauth2_error_messages.rb | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/app/endpoint/home.rb b/lib/app/endpoint/home.rb
index 290fb6620..49cc97453 100644
--- a/lib/app/endpoint/home.rb
+++ b/lib/app/endpoint/home.rb
@@ -29,7 +29,7 @@ class Home < Endpoint
 if inferno_module.nil?
 Inferno.logger.error "Unknown module: #{params[:module]}"
- halt 404, "Unknown module: #{params[:module]}"
+ halt 404, "Unknown module: #{ERB::Util.html_escape(params[:module])}"
 end
 @instance = Inferno::TestingInstance.new(url: url,
diff --git a/lib/app/utils/oauth2_error_messages.rb b/lib/app/utils/oauth2_error_messages.rb
index db8550859..7e0ca252b 100644
--- a/lib/app/utils/oauth2_error_messages.rb
+++ b/lib/app/utils/oauth2_error_messages.rb
@@ -21,7 +21,7 @@ def no_instance_for_state_error_message
 def server_error_message
 return '' if params[:error].blank?
- "
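Review bot: The new `halt` body calls `ERB::Util.html_escape`, but nothing in this hunk shows `erb` being loaded in home.rb; if the framework does not already pull it in, the 404 path raises `NameError` instead of returning the intended response, so add `require 'erb'` at the top of the file unless it is confirmed to be loaded elsewhere. The `Inferno.logger.error` line just above still interpolates `params[:module]` raw, so a value containing newlines can forge additional log lines; `Inferno.logger.error "Unknown module: #{params[:module].inspect}"` keeps control characters visible in the log. The enclosing route block starts and ends outside the hunk.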

Error returned by server: #{params[:error]}.

" + "

Error returned by server: #{ERB::Util.html_escape(params[:error])}.

" end def server_error_description @@ -31,18 +31,18 @@ def server_error_description end def bad_state_error_message - "State provided in redirect (#{params[:state]}) does not match expected state (#{@instance.state})." + "State provided in redirect (#{ERB::Util.html_escape(params[:state])}) does not match expected state (#{ERB::Util.html_escape(@instance.state)})." end def no_instance_for_iss_error_message %( - Error: No actively running launch sequences found for iss #{params[:iss]}. + Error: No actively running launch sequences found for iss #{ERB::Util.html_escape(params[:iss])}. Please ensure that the EHR launch test is actively running before attempting to launch Inferno from the EHR. ) end def unknown_iss_error_message - params[:iss].present? ? "Unknown iss: #{params[:iss]}" : no_iss_error_message + params[:iss].present? ? "Unknown iss: #{ERB::Util.html_escape(params[:iss])}" : no_iss_error_message end def no_iss_error_message From a6fa7e24a2be942e46f9b2aab9682783fc52740e Mon Sep 17 00:00:00 2001 From: Rob Scanlon Date: Fri, 12 Nov 2021 12:49:21 -0500 Subject: [PATCH 2/3] Split out param description like in inferno-programl. --- lib/app/utils/oauth2_error_messages.rb | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/app/utils/oauth2_error_messages.rb b/lib/app/utils/oauth2_error_messages.rb index 7e0ca252b..875a58295 100644 --- a/lib/app/utils/oauth2_error_messages.rb +++ b/lib/app/utils/oauth2_error_messages.rb @@ -7,7 +7,7 @@ def no_instance_for_state_error_message %(

Inferno has detected an issue with the SMART launch. - No actively running launch sequences found with a state of #{params[:state]}. + #{param_description} The authorization server is not returning the correct state variable and therefore Inferno cannot identify which server is currently under test. Please click your browser's "Back" button to return to Inferno, @@ -18,6 +18,12 @@ def no_instance_for_state_error_message ) end + def param_description + return "No 'state' parameter was returned by the authorization server." if params[:state].nil? + + "No actively running launch sequences found with a 'state' parameter of '#{ERB::Util.html_escape(params[:state])}'." + end + def server_error_message return '' if params[:error].blank? From 4f952a15ba9f5094358c7608fcca8f5ffdc1852d Mon Sep 17 00:00:00 2001 From: Rob Scanlon Date: Fri, 12 Nov 2021 14:30:40 -0500 Subject: [PATCH 3/3] Fix tests. --- test/integration/oauth2_endpoints_test.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/test/integration/oauth2_endpoints_test.rb b/test/integration/oauth2_endpoints_test.rb index 7a375c3b7..d7d184d1e 100644 --- a/test/integration/oauth2_endpoints_test.rb +++ b/test/integration/oauth2_endpoints_test.rb @@ -188,7 +188,8 @@ def test_redirect_response_not_running assert last_response.status == 500 - expected_error_message = "No actively running launch sequences found with a state of #{bad_state}" + expected_error_message = "No actively running launch sequences found with a 'state' parameter of '#{bad_state}'" + assert last_response.body.include? expected_error_message break end
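Review bot: `param_description` guards on `params[:state].nil?`, while the sibling messages in this module use `blank?`/`present?` (`server_error_message`, `unknown_iss_error_message`), so an empty `state=` in the redirect yields `... with a 'state' parameter of ''.` instead of the "not returned" message; `return "No 'state' parameter was returned by the authorization server." if params[:state].blank?` lines it up with the rest and is what the `#{param_description}` interpolation in the preceding hunk most plausibly wants. The method is also public and generically named in what appears to be a mixin included into endpoints, so it can shadow or be shadowed by another `param_description`; consider `state_param_description` under `private`, or at least a comment: `# Describes the redirect's 'state' parameter for the no-instance error page (HTML-escaped).`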
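Review bot: The updated expectation interpolates `bad_state` unescaped into `expected_error_message`, so the assertion only holds while `bad_state` contains no HTML-special characters and does not exercise the escaping that patches 1 and 2 introduce; `bad_state` is assigned outside the hunk, so its content cannot be confirmed here. A companion case that sets the state to a constructed value such as `"<b>state</b>"` and asserts `last_response.body.include?('&lt;b&gt;state&lt;/b&gt;')` together with `refute last_response.body.include?('<b>state</b>')` would pin the fix against regression. The enclosing `test_redirect_response_not_running` method and the loop that the `break` exits start outside the hunk.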