authorThomas Lenz <tlenz@iaik.tugraz.at>2017-11-27 12:11:45 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2017-11-27 15:45:21 +0100
commit366c463274f3ca06d500c59c0839feb225b4e0b5 (patch)
tree8130bfea98bf99a36f172f4aa89c8a1ff843c52d /id/server
parent868d6e587cb262683a658fdbd56bb752913638b4 (diff)
add escaping on some places
Diffstat (limited to 'id/server')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java3
-rw-r--r--id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractGUIFormBuilderConfiguration.java3
-rw-r--r--id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java27
-rw-r--r--id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java20
-rw-r--r--id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java2
-rw-r--r--id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html3
-rw-r--r--id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java58
-rw-r--r--id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java2
9 files changed, 82 insertions, 40 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
index 67611dd72..dcf337213 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
@@ -91,7 +91,7 @@ public abstract class AbstractController extends MOAIDAuthConstants {
resp.setContentType(MediaType.HTML_UTF_8.toString());
resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Internal Server Error!" +
"(Errorcode=9199"
- +" | Description="+ exception.getMessage() + ")");
+ +" | Description="+ StringEscapeUtils.escapeHtml(exception.getMessage()) + ")");
return;
}
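Review bot: The 9199 error response still sends the raw exception text to the client; `escapeHtml` neutralises markup in it but not the internal detail it may carry (class names, paths, configuration values). Consider sending a fixed text such as `"Internal Server Error! (Errorcode=9199)"` and writing `exception.getMessage()` to the server log only. The same applies to the second hunk of this file and to every `resp.sendError(..., e.getMessage())` call in SSOTransferServlet. The enclosing method starts and ends outside the hunk.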
@@ -318,7 +318,7 @@ public abstract class AbstractController extends MOAIDAuthConstants {
if (e instanceof ProtocolNotActiveException) {
resp.getWriter().write(e.getMessage());
resp.setContentType(MediaType.HTML_UTF_8.toString());
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, e.getMessage());
+ resp.sendError(HttpServletResponse.SC_FORBIDDEN, StringEscapeUtils.escapeHtml(e.getMessage()));
} else if (e instanceof AuthnRequestValidatorException) {
AuthnRequestValidatorException ex = (AuthnRequestValidatorException)e;
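Review bot: The context line `resp.getWriter().write(e.getMessage());` directly above the changed call still writes the message unescaped, so the escaping added here covers only one of the two places where the text is output. That write is also of doubtful use: `sendError` discards buffered content, and throws `IllegalStateException` if the response has already been committed. I would drop the `getWriter().write(...)` line, or at least change it to `resp.getWriter().write(StringEscapeUtils.escapeHtml(e.getMessage()));`. The if/else chain continues outside the hunk.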
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java
index 2976dc420..c8c6c1fb5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java
@@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.auth.servlet.interceptor;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang.StringEscapeUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
@@ -76,7 +77,7 @@ public class WebFrontEndSecurityInterceptor implements HandlerInterceptor {
Logger.info(errorMsg);
response.sendError(
HttpServletResponse.SC_FORBIDDEN,
- errorMsg);
+ StringEscapeUtils.escapeHtml(errorMsg));
return false;
} else {
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractGUIFormBuilderConfiguration.java
index 52c1f0f97..d57834192 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractGUIFormBuilderConfiguration.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractGUIFormBuilderConfiguration.java
@@ -70,7 +70,8 @@ public abstract class AbstractGUIFormBuilderConfiguration implements IGUIBuilder
/**
- * Define the parameters, which should be evaluated in the template
+ * Define the parameters, which should be evaluated in the template <br>
+ * <b>IMPORTANT:</b> external HTML escapetion is required, because it is NOT done internally during the building process
*
* @return Map of parameters, which should be added to template
*/
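Review bot: The added Javadoc line uses "escapetion", which is not an English word, and the same spelling reappears in the new public method name `putCustomParameterWithOutEscaption` in DefaultGUIFormBuilderConfiguration (called from GUIUtils). I would word the comment as `<b>IMPORTANT:</b> values must be HTML-escaped by the caller; the builder does NOT escape them` and name the method `putCustomParameterWithoutEscaping` before other modules depend on the misspelt name. The method this Javadoc belongs to is declared outside the hunk.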
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java
index 15bc92a54..ad068ac49 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java
@@ -65,6 +65,7 @@ public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration
protected IRequest pendingReq = null;
protected String templateClasspahtDir = null;
+ private Map<String, Object> customParameters = null;
/**
* @param authURL PublicURLPrefix of the IDP but never null
@@ -91,11 +92,29 @@ public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration
}
+ /**
+ * Add a key/value pair into Velocity context.<br>
+ * Parameter values get escaped internally
+ *
+ * @param key velocity context key
+ * @param value of this key
+ */
+ public void putCustomParameter(String key, Object value) {
+ if (customParameters == null)
+ customParameters = new HashMap<String, Object>();
+
+ if (value instanceof String)
+ customParameters.put(key, StringEscapeUtils.escapeHtml((String)value));
+ else
+ customParameters.put(key, StringEscapeUtils.escapeHtml(value.toString()));
+
+ }
+
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration#getViewParameters()
*/
@Override
- public Map<String, Object> getSpecificViewParameters() {
+ public final Map<String, Object> getSpecificViewParameters() {
Map<String, Object> params = new HashMap<String, Object>();
params.put(PARAM_BKU_ONLINE, IOAAuthParameters.THIRDBKU);
params.put(PARAM_BKU_HANDY, IOAAuthParameters.HANDYBKU);
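Review bot: The new `putCustomParameter` throws a NullPointerException for a null `value`, because `null instanceof String` is false and the else branch then calls `value.toString()`. Both branches also do the same thing, so the `instanceof` test can be dropped: `customParameters.put(key, value == null ? null : StringEscapeUtils.escapeHtml(value.toString()));`. The identical method added to DefaultGUIFormBuilderConfiguration has the same problem, and there it replaces a method that accepted null. A Javadoc sentence stating that non-String values are stored as their escaped `toString()` would also help template authors.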
@@ -107,7 +126,7 @@ public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration
//add service-provider specific GUI parameters
IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
if (oaParam != null) {
- params.put(PARAM_OANAME, oaParam.getFriendlyName());
+ params.put(PARAM_OANAME, StringEscapeUtils.escapeHtml(oaParam.getFriendlyName()));
//set BKU URLs
if (MiscUtil.isNotEmpty(oaParam.getBKUURL(IOAAuthParameters.LOCALBKU)))
@@ -138,6 +157,10 @@ public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration
}
+ //add additional custom parameters
+ if (customParameters != null)
+ params.putAll(customParameters);
+
return params;
}
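Review bot: Because `params.putAll(customParameters)` runs last, a custom key equal to one of the built-in keys (for example `PARAM_OANAME`) silently replaces the value set earlier in this method. If that is not intended, add the custom entries first or skip keys for which `params.containsKey(key)` is already true. If it is intended, a comment such as `// custom parameters may override the defaults set above` would make it explicit. The method body starts outside the hunk.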
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java
index 0c07ad3fb..901dbae53 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java
@@ -77,13 +77,31 @@ public class DefaultGUIFormBuilderConfiguration extends AbstractGUIFormBuilderCo
* @param key velocity context key
* @param value of this key
*/
- public void putCustomParameter(String key, Object value) {
+ public void putCustomParameterWithOutEscaption(String key, Object value) {
if (customParameters == null)
customParameters = new HashMap<String, Object>();
customParameters.put(key, value);
}
+ /**
+ * Add a key/value pair into Velocity context.<br>
+ * All parameters get escaped internally
+ *
+ * @param key velocity context key
+ * @param value of this key
+ */
+ public void putCustomParameter(String key, Object value) {
+ if (customParameters == null)
+ customParameters = new HashMap<String, Object>();
+
+ if (value instanceof String)
+ customParameters.put(key, StringEscapeUtils.escapeHtml((String)value));
+ else
+ customParameters.put(key, StringEscapeUtils.escapeHtml(value.toString()));
+
+ }
+
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration#getViewParameters()
*/
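Review bot: The new `putCustomParameter` stores every non-String value as an escaped String, so existing callers that pass numbers or other objects now put a different type into the Velocity context. GUIUtils, for instance, passes `REFESH_TIMEOUT` under `timeout` (its type is not visible here), so templates that compare or calculate with such values should be checked. The renamed `putCustomParameterWithOutEscaption` appears to keep its old Javadoc, of which only the tail is in the hunk. That Javadoc should state that the value is inserted into the page as-is and must be trusted or already encoded for its output context.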
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java
index 13d8d3bb7..0215afc41 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java
@@ -56,7 +56,7 @@ public class SPSpecificGUIBuilderConfigurationWithDBLoad extends AbstractService
super(pendingReq, viewName, formSubmitEndpoint);
}
-
+
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getTemplate(java.lang.String)
*/
diff --git a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html
index 261e19a33..f54484307 100644
--- a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html
+++ b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html
@@ -9,7 +9,6 @@
bkuport = (bkuprot == "https:" ? 3496 : 3495);
bkupath = "https-security-layer-request";
bkuurl = bkuprot + "//" + bkuhost + ":" + bkuport + "/" + bkupath;
- baseurl = location.href.substr(0, location.href.lastIndexOf("/"));
//-->
</script>
</head>
@@ -20,7 +19,7 @@
parent.setBKUAvailable(false);
document.write('<form name="bkudetectform" method="POST" target="bkudetect" action="' + bkuurl + '" enctype="application/x-www-form-urlencoded">');
document.write('<input type="hidden" name="XMLRequest" value="&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;&lt;NullOperationRequest xmlns=&quot;http://www.buergerkarte.at/namespaces/securitylayer/1.2#&quot;/&gt;" />');
- document.write('<input type="hidden" name="RedirectURL" value="' + baseurl + '/iframeLBKUdetected.html"/>');
+ document.write('<input type="hidden" name="RedirectURL" value="' + $contextPath + '/iframeLBKUdetected.html"/>');
document.write('</form>');
try {
document.bkudetectform.submit();
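Review bot: `$contextPath` is substituted into a single-quoted JavaScript string that `document.write` then emits as an HTML attribute value, so the value passes through two output contexts. HTML escaping alone does not cover the JavaScript string context; unless the value is guaranteed to come from server configuration only, it should be encoded for a JavaScript string literal as well. It is also worth confirming that `$contextPath` resolves to an absolute URL, since the removed `baseurl` was derived from `location.href` and `RedirectURL` is posted to a different origin (`bkuurl`). The script block continues outside the hunk.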
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java
index a37beac70..dc55df05b 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java
@@ -160,15 +160,15 @@ public class SSOTransferServlet{
} catch (MOAIDException | MOADatabaseException e) {
e.printStackTrace();
- resp.sendError(500, e.getMessage());
+ resp.sendError(500, StringEscapeUtils.escapeHtml(e.getMessage()));
} catch (NoSuchAlgorithmException | InvalidParameterSpecException e) {
e.printStackTrace();
- resp.sendError(500, e.getMessage());
+ resp.sendError(500, StringEscapeUtils.escapeHtml(e.getMessage()));
} catch (Exception e) {
e.printStackTrace();
- resp.sendError(500, e.getMessage());
+ resp.sendError(500, StringEscapeUtils.escapeHtml(e.getMessage()));
}
}
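Review bot: All three handlers still call `e.printStackTrace()`, which writes to stderr and bypasses the `Logger` that the hunk at -221 uses for the same kind of failure. The three bodies are identical and the last one catches `Exception`, so a single `catch (Exception e)` that logs through `Logger.warn(..., e)` before `sendError` would behave the same. The hunks at -323 and -423 repeat the `printStackTrace()` pattern. The try block starts outside the hunk.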
@@ -221,51 +221,51 @@ public class SSOTransferServlet{
} catch (OperatorCreationException e) {
Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
} catch (CredentialsNotAvailableException e) {
Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
} catch (PKCSException e) {
Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
} catch (CertificateException e) {
Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
} catch (InvalidKeyException e) {
Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
} catch (NoSuchAlgorithmException e) {
Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
} catch (InvalidKeySpecException e) {
Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
} catch (SessionDataStorageException e) {
Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
} catch (ParseException e) {
Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
} catch (IllegalBlockSizeException e) {
Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
} catch (BadPaddingException e) {
Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
} catch (NoSuchPaddingException e) {
Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
}
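Review bot: The twelve catch blocks have identical bodies, so every change to the error response (like this one) has to be repeated twelve times and a missed copy is easy to overlook. The file already uses multi-catch in other methods, so these can be folded into one handler, `} catch (OperatorCreationException | CredentialsNotAvailableException | PKCSException | ... e) {`, provided none of the listed types is a subclass of another. The hunk at -323 repeats almost the same list and would benefit from the same change. The try block starts outside the hunk.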
@@ -323,50 +323,50 @@ public class SSOTransferServlet{
} catch (OperatorCreationException e) {
// TODO Auto-generated catch block
e.printStackTrace();
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
} catch (CredentialsNotAvailableException e) {
// TODO Auto-generated catch block
e.printStackTrace();
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
} catch (PKCSException e) {
// TODO Auto-generated catch block
e.printStackTrace();
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
} catch (CertificateException e) {
// TODO Auto-generated catch block
e.printStackTrace();
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
} catch (InvalidKeyException e) {
// TODO Auto-generated catch block
e.printStackTrace();
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
} catch (NoSuchAlgorithmException e) {
// TODO Auto-generated catch block
e.printStackTrace();
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
} catch (InvalidKeySpecException e) {
// TODO Auto-generated catch block
e.printStackTrace();
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
} catch (SessionDataStorageException e) {
e.printStackTrace();
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
} catch (IllegalBlockSizeException e) {
e.printStackTrace();
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
} catch (BadPaddingException e) {
e.printStackTrace();
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
} catch (NoSuchPaddingException e) {
e.printStackTrace();
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
}
@@ -423,15 +423,15 @@ public class SSOTransferServlet{
} catch (MOAIDException | MOADatabaseException e) {
e.printStackTrace();
- resp.sendError(500, e.getMessage());
+ resp.sendError(500, StringEscapeUtils.escapeHtml(e.getMessage()));
} catch (NoSuchAlgorithmException | InvalidParameterSpecException e) {
e.printStackTrace();
- resp.sendError(500, e.getMessage());
+ resp.sendError(500, StringEscapeUtils.escapeHtml(e.getMessage()));
} catch (Exception e) {
e.printStackTrace();
- resp.sendError(500, e.getMessage());
+ resp.sendError(500, StringEscapeUtils.escapeHtml(e.getMessage()));
}
}
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java
index 13a278d1d..fe164c514 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java
@@ -105,7 +105,7 @@ public class GUIUtils {
config.putCustomParameter("QRImage", base64EncodedImage);
config.putCustomParameter("successMsg", "Select the SSO Session in your <i>SSO-Transfer App</i> and scan the QR-Code to start the process.");
- config.putCustomParameter("timeoutURL", containerURL);
+ config.putCustomParameterWithOutEscaption("timeoutURL", containerURL);
config.putCustomParameter("timeout", REFESH_TIMEOUT);
guiBuilder.build(response, config, "SSO-Transfer-Module");
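Review bot: `successMsg` contains `<i>` markup but is still passed through `putCustomParameter`, which after this commit HTML-escapes its value (assuming `config` is a DefaultGUIFormBuilderConfiguration), so the tags will be shown literally in the page. As the string is a constant, it can use the unescaped variant: `config.putCustomParameterWithOutEscaption("successMsg", "...");`. Conversely, `timeoutURL` now bypasses escaping. Where `containerURL` is built is not visible in the hunk, so it should be confirmed that it contains no request-derived parts or is encoded for the place the template uses it.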