add escaping on some places

10 files changed, 87 insertions, 44 deletions

diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java
index 17d3d9e50..f2c95f391 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java
@@ -33,6 +33,7 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.opensaml.common.SAMLObject;
 import org.opensaml.common.binding.BasicSAMLMessageContext;
 import org.opensaml.saml2.binding.encoding.HTTPSOAP11Encoder;
@@ -144,19 +145,19 @@ public class SLOBackChannelServlet extends SLOBasicServlet {
 		
 		} catch (MessageDecodingException | SecurityException | NoSuchAlgorithmException | ConfigurationException | ValidationException e) {
 			log.error("SLO message processing FAILED." , e);			
-			response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
+			response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, StringEscapeUtils.escapeHtml(e.getMessage()));
 			
 		} catch (CertificateException e) {
 			log.error("SLO message processing FAILED." , e);
-			response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
+			response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, StringEscapeUtils.escapeHtml(e.getMessage()));
 			
 		} catch (KeyStoreException e) {
 			log.error("SLO message processing FAILED." , e);
-			response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
+			response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, StringEscapeUtils.escapeHtml(e.getMessage()));
 			
 		} catch (MessageEncodingException e) {
 			log.error("SLO message processing FAILED." , e);
-			response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
+			response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, StringEscapeUtils.escapeHtml(e.getMessage()));
 			
 		}
 		
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
index 67611dd72..dcf337213 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
@@ -91,7 +91,7 @@ public abstract class AbstractController extends MOAIDAuthConstants {
 		resp.setContentType(MediaType.HTML_UTF_8.toString());
 		resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Internal Server Error!" +
 				"(Errorcode=9199"
-				+" | Description="+ exception.getMessage() + ")");
+				+" | Description="+ StringEscapeUtils.escapeHtml(exception.getMessage()) + ")");
 		return;
 		
 	}
@@ -318,7 +318,7 @@ public abstract class AbstractController extends MOAIDAuthConstants {
 		if (e instanceof ProtocolNotActiveException) {
 			resp.getWriter().write(e.getMessage());
 			resp.setContentType(MediaType.HTML_UTF_8.toString());
-			resp.sendError(HttpServletResponse.SC_FORBIDDEN, e.getMessage());
+			resp.sendError(HttpServletResponse.SC_FORBIDDEN, StringEscapeUtils.escapeHtml(e.getMessage()));
 		
 		} else if (e instanceof AuthnRequestValidatorException) {
 			AuthnRequestValidatorException ex = (AuthnRequestValidatorException)e;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java
index 2976dc420..c8c6c1fb5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java
@@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.auth.servlet.interceptor;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.servlet.HandlerInterceptor;
 import org.springframework.web.servlet.ModelAndView;
@@ -76,7 +77,7 @@ public class WebFrontEndSecurityInterceptor implements HandlerInterceptor {
 			Logger.info(errorMsg);
 			response.sendError(
 					HttpServletResponse.SC_FORBIDDEN, 
-					errorMsg);
+					StringEscapeUtils.escapeHtml(errorMsg));
 						
 			return false;
 		} else {		
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractGUIFormBuilderConfiguration.java
index 52c1f0f97..d57834192 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractGUIFormBuilderConfiguration.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractGUIFormBuilderConfiguration.java
@@ -70,7 +70,8 @@ public abstract class AbstractGUIFormBuilderConfiguration implements IGUIBuilder
 	
 	
 	/**
-	 * Define the parameters, which should be evaluated in the template
+	 * Define the parameters, which should be evaluated in the template <br>
+	 * <b>IMPORTANT:</b> external HTML escapetion is required, because it is NOT done internally during the building process
 	 * 
 	 * @return Map of parameters, which should be added to template
 	 */
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java
index 15bc92a54..ad068ac49 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java
@@ -65,6 +65,7 @@ public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration
 	
 	protected IRequest pendingReq = null;
 	protected String templateClasspahtDir = null;
+	private  Map<String, Object> customParameters = null;
 	
 	/**
 	 * @param authURL PublicURLPrefix of the IDP but never null
@@ -91,11 +92,29 @@ public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration
 		
 	}
 
+	/**
+	 * Add a key/value pair into Velocity context.<br>
+	 * Parameter values get escaped internally
+	 * 
+	 * @param key velocity context key
+	 * @param value of this key
+	 */
+	public void putCustomParameter(String key, Object value) {
+		if (customParameters == null)
+			customParameters = new HashMap<String, Object>();
+		
+		if (value instanceof String)
+			customParameters.put(key, StringEscapeUtils.escapeHtml((String)value));
+		else
+			customParameters.put(key, StringEscapeUtils.escapeHtml(value.toString()));
+		
+	}
+	
 	/* (non-Javadoc)
 	 * @see at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration#getViewParameters()
 	 */
 	@Override
-	public Map<String, Object> getSpecificViewParameters() {
+	public final Map<String, Object> getSpecificViewParameters() {
 		Map<String, Object> params =  new HashMap<String, Object>();
 		params.put(PARAM_BKU_ONLINE, IOAAuthParameters.THIRDBKU);
 		params.put(PARAM_BKU_HANDY, IOAAuthParameters.HANDYBKU);
@@ -107,7 +126,7 @@ public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration
 			//add service-provider specific GUI parameters
 			IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
 			if (oaParam != null) {
-				params.put(PARAM_OANAME, oaParam.getFriendlyName());
+				params.put(PARAM_OANAME, StringEscapeUtils.escapeHtml(oaParam.getFriendlyName()));
 
 				//set BKU URLs
 				if (MiscUtil.isNotEmpty(oaParam.getBKUURL(IOAAuthParameters.LOCALBKU)))
@@ -138,6 +157,10 @@ public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration
 			
 		}
 
+		//add additional custom parameters
+		if (customParameters != null)
+			params.putAll(customParameters);
+		
 		return params;
 	}
 	
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java
index 0c07ad3fb..901dbae53 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java
@@ -77,13 +77,31 @@ public class DefaultGUIFormBuilderConfiguration extends AbstractGUIFormBuilderCo
 	 * @param key velocity context key
 	 * @param value of this key
 	 */
-	public void putCustomParameter(String key, Object value) {
+	public void putCustomParameterWithOutEscaption(String key, Object value) {
 		if (customParameters == null)
 			customParameters = new HashMap<String, Object>();
 		
 		customParameters.put(key, value);
 	}
 	
+	/**
+	 * Add a key/value pair into Velocity context.<br>
+	 * All parameters get escaped internally
+	 * 
+	 * @param key velocity context key
+	 * @param value of this key
+	 */
+	public void putCustomParameter(String key, Object value) {
+		if (customParameters == null)
+			customParameters = new HashMap<String, Object>();
+		
+		if (value instanceof String)
+			customParameters.put(key, StringEscapeUtils.escapeHtml((String)value));
+		else
+			customParameters.put(key, StringEscapeUtils.escapeHtml(value.toString()));
+		
+	}
+	
 	/* (non-Javadoc)
 	 * @see at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration#getViewParameters()
 	 */
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java
index 13d8d3bb7..0215afc41 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java
@@ -56,7 +56,7 @@ public class SPSpecificGUIBuilderConfigurationWithDBLoad extends AbstractService
 		super(pendingReq, viewName, formSubmitEndpoint);
 		
 	}
-
+	
 	/* (non-Javadoc)
 	 * @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getTemplate(java.lang.String)
 	 */
diff --git a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html
index 261e19a33..f54484307 100644
--- a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html
+++ b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html
@@ -9,7 +9,6 @@
 	bkuport = (bkuprot == "https:" ? 3496 : 3495);
 	bkupath = "https-security-layer-request";
 	bkuurl = bkuprot + "//" + bkuhost + ":" + bkuport + "/" + bkupath;
-	baseurl = location.href.substr(0, location.href.lastIndexOf("/"));
 //-->
 </script>
 </head>
@@ -20,7 +19,7 @@
 		parent.setBKUAvailable(false);
 		document.write('<form name="bkudetectform" method="POST" target="bkudetect" action="' + bkuurl + '" enctype="application/x-www-form-urlencoded">');
 		document.write('<input type="hidden" name="XMLRequest" value="&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;&lt;NullOperationRequest xmlns=&quot;http://www.buergerkarte.at/namespaces/securitylayer/1.2#&quot;/&gt;" />');
-		document.write('<input type="hidden" name="RedirectURL" value="' + baseurl + '/iframeLBKUdetected.html"/>');
+		document.write('<input type="hidden" name="RedirectURL" value="' + $contextPath + '/iframeLBKUdetected.html"/>');
 		document.write('</form>');
 		try {
 			document.bkudetectform.submit();
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java
index a37beac70..dc55df05b 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java
@@ -160,15 +160,15 @@ public class SSOTransferServlet{
 
 		} catch (MOAIDException | MOADatabaseException e) {
 			e.printStackTrace();
-			resp.sendError(500, e.getMessage());
+			resp.sendError(500, StringEscapeUtils.escapeHtml(e.getMessage()));
 
 		} catch (NoSuchAlgorithmException | InvalidParameterSpecException e) {
 			e.printStackTrace();
-			resp.sendError(500, e.getMessage());
+			resp.sendError(500, StringEscapeUtils.escapeHtml(e.getMessage()));
 
 		} catch (Exception e) {
 			e.printStackTrace();
-			resp.sendError(500, e.getMessage());
+			resp.sendError(500, StringEscapeUtils.escapeHtml(e.getMessage()));
 		}							
 	}
 
@@ -221,51 +221,51 @@ public class SSOTransferServlet{
 				
 			} catch (OperatorCreationException e) {
 				Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e);
-				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
 				
 			} catch (CredentialsNotAvailableException e) {
 				Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e);
-				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
 				
 			} catch (PKCSException e) {
 				Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e);
-				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
 				
 			} catch (CertificateException e) {
 				Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e);
-				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
 				
 			} catch (InvalidKeyException e) {
 				Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e);
-				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
 				
 			} catch (NoSuchAlgorithmException e) {
 				Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e);
-				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
 				
 			} catch (InvalidKeySpecException e) {
 				Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e);
-				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
 				
 			} catch (SessionDataStorageException e) {
 				Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e);
-				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
 				
 			} catch (ParseException e) {
 				Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e);
-				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
 				
 			} catch (IllegalBlockSizeException e) {
 				Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e);
-				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
 				
 			} catch (BadPaddingException e) {
 				Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e);
-				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
 				
 			} catch (NoSuchPaddingException e) {
 				Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e);
-				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
 				
 			}
 							
@@ -323,50 +323,50 @@ public class SSOTransferServlet{
 			} catch (OperatorCreationException e) {
 				// TODO Auto-generated catch block
 				e.printStackTrace();
-				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
 				
 			} catch (CredentialsNotAvailableException e) {
 				// TODO Auto-generated catch block
 				e.printStackTrace();
-				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
 				
 			} catch (PKCSException e) {
 				// TODO Auto-generated catch block
 				e.printStackTrace();
-				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
 				
 			} catch (CertificateException e) {
 				// TODO Auto-generated catch block
 				e.printStackTrace();
-				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
 				
 			} catch (InvalidKeyException e) {
 				// TODO Auto-generated catch block
 				e.printStackTrace();
-				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
 				
 			} catch (NoSuchAlgorithmException e) {
 				// TODO Auto-generated catch block
 				e.printStackTrace();
-				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
 				
 			} catch (InvalidKeySpecException e) {
 				// TODO Auto-generated catch block
 				e.printStackTrace();
-				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
 				
 			} catch (SessionDataStorageException e) {
 				e.printStackTrace();
-				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
 			} catch (IllegalBlockSizeException e) {
 				e.printStackTrace();
-				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
 			} catch (BadPaddingException e) {
 				e.printStackTrace();
-				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
 			} catch (NoSuchPaddingException e) {
 				e.printStackTrace();
-				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+				resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage()));
 			}
 			
 			
@@ -423,15 +423,15 @@ public class SSOTransferServlet{
 			
 		} catch (MOAIDException | MOADatabaseException e) {
 			e.printStackTrace();
-			resp.sendError(500, e.getMessage());
+			resp.sendError(500, StringEscapeUtils.escapeHtml(e.getMessage()));
 		
 		} catch (NoSuchAlgorithmException | InvalidParameterSpecException e) {
 			e.printStackTrace();
-			resp.sendError(500, e.getMessage());
+			resp.sendError(500, StringEscapeUtils.escapeHtml(e.getMessage()));
 			
 		} catch (Exception e) {
 			e.printStackTrace();
-			resp.sendError(500, e.getMessage());
+			resp.sendError(500, StringEscapeUtils.escapeHtml(e.getMessage()));
 		}							
 	}
 	
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java
index 13a278d1d..fe164c514 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java
@@ -105,7 +105,7 @@ public class GUIUtils {
 			
 			config.putCustomParameter("QRImage", base64EncodedImage);		
 			config.putCustomParameter("successMsg", "Select the SSO Session in your <i>SSO-Transfer App</i> and scan the QR-Code to start the process.");			
-			config.putCustomParameter("timeoutURL", containerURL);
+			config.putCustomParameterWithOutEscaption("timeoutURL", containerURL);
 			config.putCustomParameter("timeout", REFESH_TIMEOUT);
 				
 			guiBuilder.build(response, config, "SSO-Transfer-Module");