From e98bdf2b39ecb9100e64c8077752ed7c4ed883b3 Mon Sep 17 00:00:00 2001 From: Florian Reimair Date: Tue, 24 Mar 2015 12:18:49 +0100 Subject: escaped attribute values for saml1 responses --- .../gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'id/server/idserverlib/src') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java index ea1526ff0..3809ec4bc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java @@ -39,6 +39,7 @@ import javax.xml.transform.TransformerFactoryConfigurationError; import javax.xml.transform.stream.StreamSource; import org.apache.commons.io.IOUtils; +import org.apache.commons.lang3.StringEscapeUtils; import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; @@ -286,6 +287,12 @@ public class STORKResponseProcessor { Object attributeValue = attribute.getValue(); if (null == attributeValue) attributeValue = attribute.getComplexValue(); + + // escape attributeValue + attributeValue = StringEscapeUtils.escapeXml10(attributeValue.toString()); + // and remove trailing and tailing brackets. Might break something but we never saw an array with more than one entry! + attributeValue = ((String) attributeValue).substring(1, ((String) attributeValue).length() - 1); + ExtendedSAMLAttribute extendedSAMLAttribute = new ExtendedSAMLAttributeImpl(attribute.getName(), attributeValue, Constants.STORK_NS_URI, 0); moaExtendedSAMLAttributeList.add(extendedSAMLAttribute); -- cgit v1.2.3