From acc6f3e887719d2d3f5b5f3f402fc4be8bf6a228 Mon Sep 17 00:00:00 2001
From: nano
Date: Fri, 20 Dec 2024 17:11:58 +0800
Subject: [PATCH] feat: escape the avatal URL in CAS response (#3434)

---
 object/token_cas.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/object/token_cas.go b/object/token_cas.go
index 2334e371..1c7892f0 100644
--- a/object/token_cas.go
+++ b/object/token_cas.go
@@ -22,6 +22,7 @@ import (
 "encoding/xml"
 "fmt"
 "math/rand"
+ "strings"
 "sync"
 "time"
 
@@ -184,6 +185,15 @@ func StoreCasTokenForProxyTicket(token *CasAuthenticationSuccess, targetService,
 return proxyTicket
 }
 
+func escapeXMLText(input string) (string, error) {
+ var sb strings.Builder
+ err := xml.EscapeText(&sb, []byte(input))
+ if err != nil {
+ return "", err
+ }
+ return sb.String(), nil
+}
+
 func GenerateCasToken(userId string, service string) (string, error) {
 user, err := GetUser(userId)
 if err != nil {
@@ -225,6 +235,11 @@ func GenerateCasToken(userId string, service string) (string, error) {
 }
 
 if value != "" {
+ if escapedValue, err := escapeXMLText(value); err != nil {
+ return "", err
+ } else {
+ value = escapedValue
+ }
 authenticationSuccess.Attributes.UserAttributes.Attributes = append(authenticationSuccess.Attributes.UserAttributes.Attributes, &CasNamedAttribute{
 Name: k,
 Value: value,
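Review bot: escapeXMLText has no doc comment, and the contract it relies on is not stated anywhere in the hunk: the escaped string is only correct if the caller emits it verbatim into the document (a raw/innerxml-style field or hand-built markup); a field that encoding/xml encodes as chardata would be escaped a second time, turning `&` into `&amp;amp;`. It is also worth noting that xml.EscapeText rewrites `"`, `'`, tab, newline and carriage return as character references, so the output is not a byte-identical copy of clean input. Suggested comment above the function: `// escapeXMLText escapes input for literal insertion as XML text (&, <, >, quotes and control characters become character references). The result must be written verbatim; do not pass it through a second XML escaping step.` The error branch is effectively unreachable because strings.Builder never fails a Write, which is fine to keep but could be mentioned in the same comment.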
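Review bot: The new block in GenerateCasToken uses `else` after a terminating `return`, which the Go style guide discourages; the same result reads more plainly as `escapedValue, err := escapeXMLText(value)`, then `if err != nil { return "", err }`, then `value = escapedValue`. Only the attribute value is escaped here while `Name: k` is passed through untouched; whether that matters depends on how CasNamedAttribute is marshalled (an `attr`-tagged field is escaped by encoding/xml itself), so a one-line comment at the call site stating which field is emitted verbatim and why only Value needs manual escaping would prevent the next maintainer from either double-escaping or dropping the call. GenerateCasToken starts before and ends after this hunk.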