From f9219721a28e59c1a987e22ae3e4e9521a611f37 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <joseph.schorr@coreos.com>
Date: Wed, 6 Dec 2017 13:40:31 -0500
Subject: [PATCH] Fix XSS in access token display page

Fixes https://jira.coreos.com/browse/QS-81
---
 templates/generatedtoken.html | 29 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/templates/generatedtoken.html b/templates/generatedtoken.html
index 052a581e0..9e72636e3 100644
--- a/templates/generatedtoken.html
+++ b/templates/generatedtoken.html
@@ -4,23 +4,24 @@
     <link rel="stylesheet" href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css">
     <link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap.no-icons.min.css">
     <link href='//fonts.googleapis.com/css?family=Droid+Sans:400,700' rel='stylesheet' type='text/css'>
+    <script type="text/javascript">
+      function setToken() {
+        var hash = document.location.hash.substr(1);
+        var pairs = hash.split('&');
+        for (var i = 0; i < pairs.length; ++i) {
+          var pair = pairs[i];
+          var kv = pair.split('=');
+          if (kv[0] == 'access_token') {
+            document.getElementById('accesstoken').appendChild(document.createTextNode(kv[1]));
+          }
+        }
+      }
+    </script>
   </head>
-  <body>
+  <body onload="setToken()">
     <div class="container" style="margin-top: 20px">
       <img src="/static/img/quay-logo.png">
-      <h5>Access Token:
-        <script type="text/javascript">
-          var hash = document.location.hash.substr(1);
-          var pairs = hash.split('&');
-          for (var i = 0; i < pairs.length; ++i) {
-            var pair = pairs[i];
-            var kv = pair.split('=');
-            if (kv[0] == 'access_token') {
-              document.write(kv[1]);
-            }
-          }
-        </script>
-      </h5>
+      <h5>Access Token: <span id="accesstoken"></span></h5>
     </div>
   </body>
 </html>