escaped attribute values for saml1 responses

1 files changed, 7 insertions, 0 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java
index ea1526ff0..3809ec4bc 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java
@@ -39,6 +39,7 @@ import javax.xml.transform.TransformerFactoryConfigurationError;
 import javax.xml.transform.stream.StreamSource;

 

 import org.apache.commons.io.IOUtils;

+import org.apache.commons.lang3.StringEscapeUtils;

 

 import at.gv.egovernment.moa.id.auth.AuthenticationServer;

 import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;

@@ -286,6 +287,12 @@ public class STORKResponseProcessor {
 			Object attributeValue = attribute.getValue();

 			if (null == attributeValue)

 				attributeValue = attribute.getComplexValue();

+

+			// escape attributeValue

+			attributeValue = StringEscapeUtils.escapeXml10(attributeValue.toString());

+			// and remove trailing and tailing brackets. Might break something but we never saw an array with more than one entry!

+			attributeValue = ((String) attributeValue).substring(1, ((String) attributeValue).length() - 1);

+

 			ExtendedSAMLAttribute extendedSAMLAttribute = 

 				new ExtendedSAMLAttributeImpl(attribute.getName(), attributeValue, Constants.STORK_NS_URI, 0);

 			moaExtendedSAMLAttributeList.add(extendedSAMLAttribute);