Merge pull request wso2#8534 from savindi7/improve-input-validations

Improve input validations

Author: savindi7

.changeset/red-moose-jam.md

@@ -0,0 +1,5 @@
+---
+"@wso2is/identity-apps-core": patch
+---
+
+Improve input validations.

identity-apps-core/apps/authentication-portal/src/main/webapp/duoError.jsp

@@ -102,7 +102,7 @@
                     <%
                         if ("true".equals(authenticationFailed)) {
                     %>
-                    <div class="ui negative message" id="failed-msg"><%=errorMessage%></div>
+                    <div class="ui negative message" id="failed-msg"><%= Encode.forHtml(errorMessage) %></div>
                     <% } %>
                 </div>
             </layout:component>

identity-apps-core/apps/recovery-portal/src/main/webapp/password-recovery.jsp

@@ -78,8 +78,11 @@
     if (SMSOTP.equalsIgnoreCase(request.getParameter("selectedOption"))) {
         selectedOption = SMSOTP;
     }
-    String sp = Encode.forJava(request.getParameter("sp"));
-    String spId = Encode.forJava(request.getParameter("spId"));
+    String sp = request.getParameter("sp");
+    String spId = request.getParameter("spId");
+
+    String rawQueryString = request.getQueryString();
+    String urlQuery = Encode.forHtmlAttribute(rawQueryString == null ? "" : rawQueryString);
 
     if (StringUtils.isBlank(tenantDomain)) {
         tenantDomain = IdentityManagementEndpointConstants.SUPER_TENANT;
@@ -101,7 +104,7 @@
     try {
         ApplicationDataRetrievalClient applicationDataRetrievalClient = new ApplicationDataRetrievalClient();
         applicationAccessURLWithoutEncoding = applicationDataRetrievalClient.getApplicationAccessURL(tenantDomain,
-                sp);
+            Encode.forJava(sp));
         applicationAccessURLWithoutEncoding = IdentityManagementEndpointUtil.replaceUserTenantHintPlaceholder(
                                                                 applicationAccessURLWithoutEncoding, userTenantDomain);
     } catch (ApplicationDataRetrievalClientException e) {
@@ -406,9 +409,13 @@
 
                         <input type="hidden" name="recoveryStage" value="INITIATE"/>
                         <input type="hidden" name="channel" value=""/>
-                        <input type="hidden" name="sp" value="<%=sp %>"/>
-                        <input type="hidden" name="spId" value="<%=spId %>"/>
-                        <input type="hidden" name="urlQuery" value="<%=request.getQueryString() %>"/>
+                        <% if (StringUtils.isNotBlank(sp)) { %>
+                            <input type="hidden" name="sp" value="<%=Encode.forHtmlAttribute(sp) %>"/>
+                        <% } %>
+                        <% if (StringUtils.isNotBlank(spId)) { %>
+                            <input type="hidden" name="spId" value="<%=Encode.forHtmlAttribute(spId) %>"/>
+                        <% } %>
+                        <input type="hidden" name="urlQuery" value="<%=urlQuery %>"/>
                         <input type="hidden" name="isMultiRecoveryOptionsAvailable"
                             value="<%=multipleRecoveryOptionsAvailable %>"/>
                         <input type="hidden" name="isEmailOtpBasedPasswordRecoveryEnabledByTenant"

identity-apps-core/apps/recovery-portal/src/main/webapp/password-reset.jsp

@@ -154,7 +154,7 @@
                             <%
                             if (StringUtils.isNotBlank(spId)) {
                             %>
-                            <input id="spId" name="spId" type="hidden" value="<%=spId%>"/>
+                            <input id="spId" name="spId" type="hidden" value="<%=Encode.forHtmlAttribute(spId)%>"/>
                             <%
                             }
                             %>

identity-apps-core/apps/recovery-portal/src/main/webapp/self-registration-complete.jsp

@@ -309,7 +309,7 @@
                             String url = "";
                             if (StringUtils.isNotBlank(confirm)) { %>
                                 <%=IdentityManagementEndpointUtil.i18n(recoveryResourceBundle, "your.account.with.username")%>
-                                <b><%=resendUsername%></b>
+                                <b><%=Encode.forHtml(resendUsername)%></b>
                                 <%=IdentityManagementEndpointUtil.i18n(recoveryResourceBundle, "has.been.verified.successfully")%>
                             <%
                                 if (!StringUtils.isBlank(sp) && sp.equals("My Account")) {
@@ -338,7 +338,11 @@
                             %>
                                 <%=IdentityManagementEndpointUtil.i18n(recoveryResourceBundle, "check.your.inbox.at")%>
                                 <b><span id="maskedEmail"></span></b> <%=IdentityManagementEndpointUtil.i18n(recoveryResourceBundle, "for.instructions.to.activate.your.account")%>
-                                <script>maskEmail('<%= emailValue %>');</script>
+                                <script>
+                                    <% if (StringUtils.isNotBlank(emailValue)) { %>
+                                        maskEmail('<%= Encode.forJavaScript(emailValue) %>');
+                                    <% } %>                                
+                                </script>
                                 </br></br>
                         <%
                             if (showBackButton && StringUtils.isNotBlank(applicationAccessURLWithoutEncoding)) {