authorAndrew Arnott <andrewarnott@gmail.com>2009-11-13 09:50:10 -0800
committerAndrew Arnott <andrewarnott@gmail.com>2009-11-13 09:50:10 -0800
commit888abd61a54576ff244533693df77f174f03c2bb (patch)
treeffeac194ac9f37ee39fe915f55e86eb5fbc7f9ea
parent67913850b038642bc11ba4b871368307ca5acc38 (diff)
Added HTML encoding anywhere that uncontrolled data is rendered to a web page.
-rw-r--r--projecttemplates/WebFormsRelyingParty/Default.aspx.cs2
-rw-r--r--projecttemplates/WebFormsRelyingParty/LoginFrame.aspx.cs4
-rw-r--r--projecttemplates/WebFormsRelyingParty/Members/AccountInfo.aspx6
-rw-r--r--projecttemplates/WebFormsRelyingParty/Members/OAuthAuthorize.aspx.cs6
4 files changed, 9 insertions, 9 deletions
diff --git a/projecttemplates/WebFormsRelyingParty/Default.aspx.cs b/projecttemplates/WebFormsRelyingParty/Default.aspx.cs
index a72fce1..72e8973 100644
--- a/projecttemplates/WebFormsRelyingParty/Default.aspx.cs
+++ b/projecttemplates/WebFormsRelyingParty/Default.aspx.cs
@@ -15,7 +15,7 @@ namespace WebFormsRelyingParty {
public partial class _Default : System.Web.UI.Page {
protected void Page_Load(object sender, EventArgs e) {
User user = Global.LoggedInUser;
- this.Label1.Text = user != null ? user.FirstName : "<not logged in>";
+ this.Label1.Text = user != null ? HttpUtility.HtmlEncode(user.FirstName) : "<not logged in>";
}
}
}
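Review bot: Only the logged-in branch is encoded on the `+` line; the fallback literal `"<not logged in>"` still reaches Label1.Text raw, and a browser parses it as a start tag rather than showing the text, so the placeholder is invisible on the page. Encoding the whole conditional covers both branches: `this.Label1.Text = HttpUtility.HtmlEncode(user != null ? user.FirstName : "<not logged in>");`. HtmlEncode returns null for a null input, so a null FirstName behaves exactly as before.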
diff --git a/projecttemplates/WebFormsRelyingParty/LoginFrame.aspx.cs b/projecttemplates/WebFormsRelyingParty/LoginFrame.aspx.cs
index b8a9f29..0d7e7fc 100644
--- a/projecttemplates/WebFormsRelyingParty/LoginFrame.aspx.cs
+++ b/projecttemplates/WebFormsRelyingParty/LoginFrame.aspx.cs
@@ -39,13 +39,13 @@
protected void openIdSelector_Failed(object sender, OpenIdEventArgs e) {
if (e.Response.Exception != null) {
- this.errorMessageLabel.Text = e.Response.Exception.ToStringDescriptive();
+ this.errorMessageLabel.Text = HttpUtility.HtmlEncode(e.Response.Exception.ToStringDescriptive());
}
this.errorPanel.Visible = true;
}
protected void openIdSelector_TokenProcessingError(object sender, TokenProcessingErrorEventArgs e) {
- this.errorMessageLabel.Text = e.Exception.ToStringDescriptive();
+ this.errorMessageLabel.Text = HttpUtility.HtmlEncode(e.Exception.ToStringDescriptive());
this.errorPanel.Visible = true;
}
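Review bot: The value encoded on both `+` lines is still the full `ToStringDescriptive()` text of the exception, so the page now renders safely whatever the exception carries, which presumably includes exception type names and inner-exception detail (the extension method is not visible here). Encoding closes the injection vector but not the disclosure; since this is a project template that gets copied into real sites, logging the exception server-side and showing a fixed message such as `this.errorMessageLabel.Text = "Login failed. Please try again.";` would be the safer default. The hunk header counts 13 lines but only 10 are shown, so blank lines appear to have been dropped in rendering.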
diff --git a/projecttemplates/WebFormsRelyingParty/Members/AccountInfo.aspx b/projecttemplates/WebFormsRelyingParty/Members/AccountInfo.aspx
index b6066b7..4b7d1da 100644
--- a/projecttemplates/WebFormsRelyingParty/Members/AccountInfo.aspx
+++ b/projecttemplates/WebFormsRelyingParty/Members/AccountInfo.aspx
@@ -89,9 +89,9 @@
</HeaderTemplate>
<ItemTemplate>
<li>
- <asp:Label runat="server" Text='<%# Eval("Consumer.Name") %>' />
+ <asp:Label runat="server" Text='<%# HttpUtility.HtmlEncode(Eval("Consumer.Name").ToString()) %>' />
-
- <asp:Label ID="Label1" runat="server" Text='<%# Eval("CreatedOn") %>' ForeColor="Gray" />
+ <asp:Label ID="Label1" runat="server" Text='<%# HttpUtility.HtmlEncode(Eval("CreatedOn").ToString()) %>' ForeColor="Gray" />
-
<asp:LinkButton ID="revokeLink" runat="server" Text="revoke" OnCommand="revokeToken_Command"
CommandName="revokeToken" CommandArgument='<%# Eval("Token") %>' />
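Review bot: `Eval("Consumer.Name").ToString()` and `Eval("CreatedOn").ToString()` on the `+` lines throw NullReferenceException during data binding if either value is null, whereas the replaced `Text='<%# Eval(...) %>'` tolerated a null; the same applies to `Eval("FriendlyIdentifier").ToString()` in this file's second hunk. `HttpUtility.HtmlEncode(Convert.ToString(Eval("Consumer.Name")))` (or the formatting overload `Eval("Consumer.Name", "{0}")`) yields the same string for non-null values and an empty string for null. `CommandArgument='<%# Eval("Token") %>'` on the LinkButton is left unencoded; as far as I recall WebForms keeps CommandArgument in view state rather than rendering it into markup, so that is probably fine, but it is worth confirming rather than assuming.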
@@ -112,7 +112,7 @@
</HeaderTemplate>
<ItemTemplate>
<li class='<%# ((bool)Eval("IsInfoCard")) ? "InfoCard" : "OpenID" %>'>
- <asp:Label ID="OpenIdClaimedIdentifierLabel" runat="server" Text='<%# Eval("FriendlyIdentifier") %>'
+ <asp:Label ID="OpenIdClaimedIdentifierLabel" runat="server" Text='<%# HttpUtility.HtmlEncode(Eval("FriendlyIdentifier").ToString()) %>'
ToolTip='<%# Eval("ClaimedIdentifier") %>' />
<asp:Label runat="server" ForeColor="Gray" Text="(current login token)" ToolTip="To delete this token, you must log in using some other token."
Visible='<%# String.Equals((string)Eval("ClaimedIdentifier"), Page.User.Identity.Name, StringComparison.Ordinal) %>' />
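Review bot: `ToolTip='<%# Eval("ClaimedIdentifier") %>'` on the line after the `+` line is still bound raw; it is rendered as the label's title attribute, which HtmlTextWriter encodes for WebControls as far as I recall, but ClaimedIdentifier is user-supplied, so this deserves the same confirmation as the Text property rather than an assumption. If the control does not encode it, `ToolTip='<%# HttpUtility.HtmlEncode(Convert.ToString(Eval("ClaimedIdentifier"))) %>'` matches the treatment given to the Text property.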
diff --git a/projecttemplates/WebFormsRelyingParty/Members/OAuthAuthorize.aspx.cs b/projecttemplates/WebFormsRelyingParty/Members/OAuthAuthorize.aspx.cs
index 944494e..044e9c0 100644
--- a/projecttemplates/WebFormsRelyingParty/Members/OAuthAuthorize.aspx.cs
+++ b/projecttemplates/WebFormsRelyingParty/Members/OAuthAuthorize.aspx.cs
@@ -27,8 +27,8 @@ namespace WebFormsRelyingParty.Members {
this.consumerNameLabel.Text = HttpUtility.HtmlEncode(OAuthServiceProvider.PendingAuthorizationConsumer.Name);
OAuth10ConsumerWarning.Visible = pendingRequest.IsUnsafeRequest;
- serviceProviderDomainNameLabel.Text = this.Request.Url.Host;
- this.consumerDomainNameLabel3.Text = this.consumerDomainNameLabel2.Text = this.consumerDomainNameLabel1.Text = OAuthServiceProvider.PendingAuthorizationConsumer.Name;
+ serviceProviderDomainNameLabel.Text = HttpUtility.HtmlEncode(this.Request.Url.Host);
+ this.consumerDomainNameLabel3.Text = this.consumerDomainNameLabel2.Text = this.consumerDomainNameLabel1.Text = HttpUtility.HtmlEncode(OAuthServiceProvider.PendingAuthorizationConsumer.Name);
} else {
Utilities.VerifyCsrfCookie(this.csrfCheck.Value);
}
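Review bot: `HttpUtility.HtmlEncode(this.Request.Url.Host)` on the first `+` line makes the value safe to render, but the value itself comes from the request's Host header, which is chosen by the sender of the request rather than by this site; a consent page that tells the user which service provider they are authorizing should not depend on a request-controlled value unless the server only accepts its own host names. Taking the service-provider name from configuration (or the site's canonical URL) removes that dependency, and the encoding can stay. The enclosing method starts and ends outside the hunk, and the header counts 8 lines where 7 are shown, so a blank line was probably dropped in rendering.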
@@ -52,7 +52,7 @@ namespace WebFormsRelyingParty.Members {
} else {
this.verifierMultiView.SetActiveView(this.verificationCodeView);
string verifier = ServiceProvider.CreateVerificationCode(consumer.VerificationCodeFormat, consumer.VerificationCodeLength);
- this.verificationCodeLabel.Text = verifier;
+ this.verificationCodeLabel.Text = HttpUtility.HtmlEncode(verifier);
requestToken.VerificationCode = verifier;
tokenManager.UpdateToken(requestToken);
}
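Review bot: `this.verificationCodeLabel.Text = HttpUtility.HtmlEncode(verifier);` is assigned before `tokenManager.UpdateToken(requestToken)` persists the code, so if the update throws, the page state already holds a verifier that no stored token records (whether that reaches the user depends on how the page handles the exception, which is outside the hunk). Moving the label assignment to after `tokenManager.UpdateToken(requestToken);` keeps the displayed code tied to a persisted one. The enclosing method starts outside this hunk.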