update

src/main/java/com/lastpass/saml/SAMLUtils.java

@@ -161,4 +161,29 @@ String replaceHost(String url, String host) {
     }
     return "http://" + host + url.substring(sepCtx);
   }
+
+  public static
+  String escapeHtml(String text)
+  {
+    if(text == null) return "";
+    int iLength = text.length();
+    if(iLength == 0) return "";
+    StringBuffer sb = new StringBuffer(iLength);
+    for(int i = 0; i < iLength; i++) {
+      char c = text.charAt(i);
+      if(c == '<')  sb.append("&lt;");   else
+      if(c == '>')  sb.append("&gt;");   else
+      if(c == '&')  sb.append("&amp;");  else
+      if(c == '"')  sb.append("&quot;"); else
+      if(c == '\'') sb.append("&apos;"); else
+      if(c > 127) {
+        int code = (int) c;
+        sb.append("&#" + code + ";");
+      }
+      else {
+        sb.append(c);
+      }
+    }
+    return sb.toString();
+  }
 }

src/main/java/org/dew/saml/web/WebLogin.java

@@ -14,6 +14,7 @@
 import org.opensaml.saml2.core.AuthnRequest;
 
 import com.lastpass.saml.SAMLIdP;
+import com.lastpass.saml.SAMLUtils;
 
 public
 class WebLogin extends HttpServlet
@@ -49,6 +50,12 @@ void doPost(HttpServletRequest request, HttpServletResponse response)
       return;
     }
 
+    // CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
+    // WASC-8 Cross Site Scripting
+    username    = SAMLUtils.escapeHtml(username);
+    samlRequest = SAMLUtils.escapeHtml(samlRequest);
+    relayState  = SAMLUtils.escapeHtml(relayState);
+
     // TODO: login
 
     SAMLIdP samlIdP = null;

src/main/java/org/dew/saml/web/WebSSO.java

@@ -14,6 +14,7 @@
 import org.opensaml.saml2.core.AuthnRequest;
 
 import com.lastpass.saml.SAMLIdP;
+import com.lastpass.saml.SAMLUtils;
 
 public
 class WebSSO extends HttpServlet
@@ -33,13 +34,18 @@ void doGet(HttpServletRequest request, HttpServletResponse response)
   void doPost(HttpServletRequest request, HttpServletResponse response)
       throws ServletException, IOException
   {
-    String sRelayState     = request.getParameter("RelayState");
+    String relayState      = request.getParameter("RelayState");
     String sB64SAMLRequest = request.getParameter("SAMLRequest");
     if(sB64SAMLRequest == null || sB64SAMLRequest.length() == 0) {
       sendMessage(request, response, "NO SAMLRequest");
       return;
     }
 
+    // CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
+    // WASC-8 Cross Site Scripting
+    sB64SAMLRequest = SAMLUtils.escapeHtml(sB64SAMLRequest);
+    relayState      = SAMLUtils.escapeHtml(relayState);
+
     SAMLIdP samlIdP = null;
     try {
       samlIdP = SAMLIdP.getInstance();
@@ -94,13 +100,13 @@ void doPost(HttpServletRequest request, HttpServletResponse response)
           return;
         }
 
-        if(sRelayState == null || sRelayState.length() == 0) sRelayState = sEntityId;
+        if(relayState == null || relayState.length() == 0) relayState = sEntityId;
 
         response.setContentType("text/html");
         PrintWriter out = response.getWriter();
         if(DEBUG) {
           out.println("<html><body>");
-          out.println("<b>RelayState:</b>: " + sRelayState + " <br>");
+          out.println("<b>RelayState:</b>: " + relayState + " <br>");
           out.println("<b>SAMLResponse:</b>:<br><br>");
           try {
             out.println(samlIdP.checkResponse(samlReponse).replace("<", "&lt;").replace(">", "&gt;"));
@@ -115,7 +121,7 @@ void doPost(HttpServletRequest request, HttpServletResponse response)
           out.println("<html><body onload=\"document.forms[0].submit()\">");
         }
         out.println("<form method=\"POST\" action=\"" + sACS + "\">");
-        out.println("<input type=\"hidden\" name=\"RelayState\" value=\"" + sRelayState + "\">");
+        out.println("<input type=\"hidden\" name=\"RelayState\" value=\"" + relayState + "\">");
         out.println("<input type=\"hidden\" name=\"SAMLResponse\" value=\"" + samlReponse + "\">");
         if(DEBUG) {
           out.println("<input type=\"submit\" value=\"Invia\">");
@@ -132,7 +138,7 @@ void doPost(HttpServletRequest request, HttpServletResponse response)
     out.println("Username:<br><input type=\"text\" name=\"username\"><br>");
     out.println("Password:<br><input type=\"text\" name=\"password\"><br><br>");
     out.println("<input type=\"hidden\" name=\"SAMLRequest\" value=\"" + sB64SAMLRequest + "\">");
-    out.println("<input type=\"hidden\" name=\"RelayState\" value=\"" + sRelayState + "\">");
+    out.println("<input type=\"hidden\" name=\"RelayState\" value=\"" + relayState + "\">");
     out.println("<input type=\"submit\" value=\"Accedi\">");
     out.println("</form>");
     out.println("<hr>");
@@ -145,7 +151,7 @@ void doPost(HttpServletRequest request, HttpServletResponse response)
     out.println("<b>AssertionConsumerServiceURL:</b> " + sACS + "<br>");
     out.println("<b>Request Id:</b> " + sReqId + "<br>");
     out.println("<b>Issuer Id:</b> " + sEntityId + "<br><br>");
-    out.println("<b>RelayState:</b> " + sRelayState + "<br>");
+    out.println("<b>RelayState:</b> " + relayState + "<br>");
     out.println("</body></html>");
   }