From e5ef5bf6bb4f060178017b2a8e8e29f2c4d43dd8 Mon Sep 17 00:00:00 2001
From: Marios Kranitsas
Date: Thu, 20 Oct 2022 12:25:55 +0300
Subject: [PATCH 1/2] Fix Reflected XSS

---
 web-assets/js/setupAuth0WithRedirect.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/web-assets/js/setupAuth0WithRedirect.js b/web-assets/js/setupAuth0WithRedirect.js
index d2ef011..fc96093 100644
--- a/web-assets/js/setupAuth0WithRedirect.js
+++ b/web-assets/js/setupAuth0WithRedirect.js
@@ -639,11 +639,17 @@ const authSetup = function () {
 return hostname;
 }
 
+ function htmlEncode(str){
+ return String(str).replace(/[^\w. ]/gi, function(c){
+ return '&#'+c.charCodeAt(0)+';';
+ });
+ }
+
 function showLoginError(message, linkUrl) {
 try {
 document.getElementById("page-title-heading").innerText = "Alert";
 var messageElement = document.createElement("textarea");
- messageElement.innerHTML = message;
+ messageElement.innerHTML = htmlEncode(message);
 document.getElementById("loading_message_p").innerHTML = messageElement.value + " click here";
 } catch (err) {
 logger("Error in changing loading message: ", err.message)

From a0cf3fa5bc35c52ef121accfb8b4076fa407d167 Mon Sep 17 00:00:00 2001
From: Marios Kranitsas
Date: Thu, 20 Oct 2022 15:17:18 +0300
Subject: [PATCH 2/2] Fixes

---
 web-assets/js/setupAuth0WithRedirect.js | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/web-assets/js/setupAuth0WithRedirect.js b/web-assets/js/setupAuth0WithRedirect.js
index fc96093..c1971be 100644
--- a/web-assets/js/setupAuth0WithRedirect.js
+++ b/web-assets/js/setupAuth0WithRedirect.js
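Review bot: The encoding added on the `messageElement.innerHTML` line is undone one line later, because a textarea's `.value` returns the entity-decoded text, so `document.getElementById("loading_message_p").innerHTML = messageElement.value + " click here"` still parses whatever markup the caller-supplied `message` contains; the second patch's `-639,17 +642,11` hunk reverts the encoding but leaves this same sink in place. The textarea round-trip is effectively an entity decoder, so any encoding applied upstream (including `encode`'s output, if callers route messages through it) is stripped before the `innerHTML` assignment. The durable fix is to stop treating the message as markup: `document.getElementById("loading_message_p").textContent = message + " click here";` and drop the textarea; if the " click here" text is meant to become a link built from the otherwise unused `linkUrl` parameter, create it with `document.createElement("a")` and append it as a node rather than concatenating markup. showLoginError's body continues past the end of the hunk.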
@@ -422,7 +422,10 @@ const authSetup = function () {
 // XSS rules
 const encode = function(str) {
- return str.replace(/[\x26\x0A\<>'"]/g,function(str){return"&#"+str.charCodeAt(0)+";"})
+ str = str.replace(/[\x26\x0A\<>'"]/g,function(str){return"&#"+str.charCodeAt(0)+";"})
+ return String(str).replace(/[^\w. ]/gi, function(c){
+ return '&#'+c.charCodeAt(0)+';';
+ });
 }
 // end XSS rules
 
 
@@ -639,17 +642,11 @@ const authSetup = function () {
 return hostname;
 }
 
- function htmlEncode(str){
- return String(str).replace(/[^\w. ]/gi, function(c){
- return '&#'+c.charCodeAt(0)+';';
- });
- }
-
 function showLoginError(message, linkUrl) {
 try {
 document.getElementById("page-title-heading").innerText = "Alert";
 var messageElement = document.createElement("textarea");
- messageElement.innerHTML = htmlEncode(message);
+ messageElement.innerHTML = message;
 document.getElementById("loading_message_p").innerHTML = messageElement.value + " click here";
 } catch (err) {
 logger("Error in changing loading message: ", err.message)
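Review bot: The retained first `replace` in `encode` now double-encodes: it turns `<` into `&#60;`, and the new catch-all pass then re-encodes the `&`, `#` and `;` of that entity, so wherever the result is rendered as HTML a message containing `<` shows up as the literal text `&#60;` rather than `<`. Since the second pass already encodes every character outside `[\w. ]`, the first line is redundant and should be removed, leaving only `return String(str).replace(/[^\w. ]/g, function(c){ return '&#'+c.charCodeAt(0)+';'; });` (the `i` flag is a no-op because `\w` is already case-insensitive). Note that `\w` is ASCII-only, so non-ASCII letters in a message are numerically encoded as well — harmless for rendering, but worth stating in a comment such as `// Encode every character outside [A-Za-z0-9_. ] as a numeric entity; output is ASCII-only and safe in HTML text and quoted-attribute contexts`. The `str = str.replace(...)` line also reassigns the parameter before the `String(str)` coercion, so a non-string argument still throws on the first line and the coercion buys nothing.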