Fix RelayState encoding in autoPost (#2671)

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/SAML.pm

@@ -3,6 +3,7 @@ package Lemonldap::NG::Portal::Auth::SAML;
 use strict;
 use MIME::Base64 qw/encode_base64/;
 use Mouse;
+use HTML::Entities qw(encode_entities);
 use Lemonldap::NG::Portal::Lib::SAML;
 use Lemonldap::NG::Common::FormEncode;
 use Lemonldap::NG::Portal::Main::Constants qw(
@@ -772,8 +773,11 @@ sub extractFormInfo {
                 $req->postFields( { 'SAMLResponse' => $slo_body } );
 
                 # RelayState
-                $req->postFields->{'RelayState'} = $relaystate
-                  if ($relaystate);
+                if ($relaystate) {
+                    $req->{postFields}->{'RelayState'} =
+                      encode_entities($relaystate);
+                    $req->data->{safeHiddenFormValues}->{RelayState} = 1;
+                }
 
                 # TODO: verify this
                 push @{ $req->steps }, 'autoPost';
@@ -1132,8 +1136,11 @@ sub extractFormInfo {
         }
 
         # RelayState
-        $req->{postFields}->{'RelayState'} = $login->msg_relayState
-          if ( $login->msg_relayState );
+        if ( $login->msg_relayState ) {
+            $req->{postFields}->{'RelayState'} =
+              encode_entities( $login->msg_relayState );
+            $req->data->{safeHiddenFormValues}->{RelayState} = 1;
+        }
 
         # TODO: verify this
         $req->steps( ['autoPost'] );
@@ -1394,8 +1401,11 @@ sub authLogout {
         $req->postFields( { 'SAMLRequest' => $slo_body } );
 
         # RelayState
-        $req->postFields->{'RelayState'} = $logout->msg_relayState
-          if ( $logout->msg_relayState );
+        if ( $logout->msg_relayState ) {
+            $req->{postFields}->{'RelayState'} =
+              encode_entities( $logout->msg_relayState );
+            $req->data->{safeHiddenFormValues}->{RelayState} = 1;
+        }
 
         # Post done in Portal
         $req->steps( [ 'deleteSession', 'autoPost' ] );

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm

@@ -4,6 +4,7 @@ use strict;
 use Mouse;
 use URI;
 use URI::QueryParam;
+use HTML::Entities qw(encode_entities);
 use Lemonldap::NG::Portal::Lib::SAML;
 use Lemonldap::NG::Portal::Main::Constants qw(
   PE_OK
@@ -1048,8 +1049,11 @@ sub run {
                 }
 
                 # RelayState
-                $req->{postFields}->{'RelayState'} = $relaystate
-                  if ($relaystate);
+                if ($relaystate) {
+                    $req->{postFields}->{'RelayState'} =
+                      encode_entities($relaystate);
+                    $req->data->{safeHiddenFormValues}->{RelayState} = 1;
+                }
 
                 $req->steps( ['autoPost'] );
                 return PE_OK;
@@ -1515,9 +1519,15 @@ sub sloRelayPost {
     $self->logger->debug("Found relay session $relayID");
 
     # Get data to build POST form
-    $req->{postUrl}                     = $relayInfos->data->{url};
+    $req->{postUrl} = $relayInfos->data->{url};
     $req->{postFields}->{'SAMLRequest'} = $relayInfos->data->{body};
-    $req->{postFields}->{'RelayState'}  = $relayInfos->data->{relayState};
+
+    # RelayState
+    if ( $relayInfos->data->{relayState} ) {
+        $req->{postFields}->{'RelayState'} =
+          encode_entities( $relayInfos->data->{relayState} );
+        $req->data->{safeHiddenFormValues}->{RelayState} = 1;
+    }
 
     # Delete relay session
     $relayInfos->remove();

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SAML.pm

@@ -7,7 +7,7 @@ use Lemonldap::NG::Common::Session;
 use Lemonldap::NG::Common::UserAgent;
 use Lemonldap::NG::Common::FormEncode;
 use XML::Simple;
-use HTML::Entities qw(decode_entities);
+use HTML::Entities qw(decode_entities encode_entities);
 use MIME::Base64;
 use HTTP::Request;         # SOAP call
 use POSIX qw(strftime);    # Convert SAML2 date into timestamp
@@ -2556,8 +2556,10 @@ sub sendLogoutResponseToServiceProvider {
         $req->{postFields} = { 'SAMLResponse' => $slo_body };
 
         # RelayState
-        $req->{postFields}->{'RelayState'} = $relaystate
-          if ($relaystate);
+        if ($relaystate) {
+            $req->{postFields}->{'RelayState'} = encode_entities($relaystate);
+            $req->data->{safeHiddenFormValues}->{RelayState} = 1;
+        }
 
         return $self->p->do( $req, ['autoPost'] );
     }

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm

@@ -142,7 +142,7 @@ sub display {
             ASK_LOGINS        => $req->param('checkLogins')   || 0,
             ASK_STAYCONNECTED => $req->param('stayconnected') || 0,
             CONFIRMKEY        => $self->stamp(),
-            LIST => $req->data->{list} || [],
+            LIST              => $req->data->{list}           || [],
             (
                 $req->data->{customScript}
                 ? ( CUSTOM_SCRIPT => $req->data->{customScript} )
@@ -635,7 +635,9 @@ sub buildHiddenForm {
 
         # Check XSS attacks
         next
-          if $self->checkXSSAttack( $_, $req->{portalHiddenFormValues}->{$_} );
+          if (!$req->data->{safeHiddenFormValues}->{$_}
+            && $self->checkXSSAttack( $_, $req->{portalHiddenFormValues}->{$_} )
+          );
 
         # Build hidden input HTML code
         # 'id' is removed to avoid warning with Choice