Escape error reason for oauth2 callback in django_util (googleapis#724)

Author: Jon Wayne Parrott

oauth2client/contrib/django_util/views.py

@@ -28,6 +28,7 @@
 from django.conf import settings
 from django.core import urlresolvers
 from django.shortcuts import redirect
+from django.utils import html
 import jsonpickle
 from six.moves.urllib import parse
 
@@ -109,6 +110,7 @@ def oauth2_callback(request):
     if 'error' in request.GET:
         reason = request.GET.get(
             'error_description', request.GET.get('error', ''))
+        reason = html.escape(reason)
         return http.HttpResponseBadRequest(
             'Authorization failed {0}'.format(reason))
 

tests/contrib/django_util/test_views.py

@@ -249,6 +249,15 @@ def test_error_returns_bad_request(self):
         self.assertIsInstance(response, http.HttpResponseBadRequest)
         self.assertIn(b'Authorization failed', response.content)
 
+    def test_error_escapes_html(self):
+        request = self.factory.get('oauth2/oauth2callback', data={
+            'error': '<script>bad</script>',
+        })
+        response = views.oauth2_callback(request)
+        self.assertIsInstance(response, http.HttpResponseBadRequest)
+        self.assertNotIn(b'<script>', response.content)
+        self.assertIn(b'&lt;script&gt;', response.content)
+
     def test_no_session(self):
         request = self.factory.get('oauth2/oauth2callback', data={
             'code': 123,