Merge pull request #7646 from AnjanaSamindraPerera/cookie-issue

Encode spId parameter
wso2 · Feb 18, 2025 · 91ec588 · 91ec588
2 parents ac67e72 + d4db891
commit 91ec588
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 3 deletions.
diff --git a/.changeset/three-cups-repeat.md b/.changeset/three-cups-repeat.md
@@ -0,0 +1,5 @@
+---
+"@wso2is/identity-apps-core": patch
+---
+
+Encode spId of application
diff --git a/identity-apps-core/apps/recovery-portal/src/main/webapp/password-recovery-otp.jsp b/identity-apps-core/apps/recovery-portal/src/main/webapp/password-recovery-otp.jsp
@@ -46,6 +46,7 @@
 <%@ page import="org.wso2.carbon.identity.mgt.endpoint.util.client.PreferenceRetrievalClient" %>
 <%@ page import="org.wso2.carbon.identity.mgt.endpoint.util.client.PreferenceRetrievalClientException" %>
 <%@ page import="org.wso2.carbon.identity.mgt.endpoint.util.IdentityManagementEndpointConstants" %>
+<%@ page import="org.owasp.encoder.Encode" %>
 
 <%-- Include tenant context --%>
 <%@ include file="tenant-resolve.jsp"%>
@@ -303,7 +304,8 @@
             request.getRequestDispatcher("sms-otp.jsp").forward(request, response);
             return;
         }
-        request.setAttribute("spId", request.getParameter("spId"));
+        String spId = Encode.forJava(request.getParameter("spId"));
+        request.setAttribute("spId", spId);
         request.getRequestDispatcher("password-reset.jsp").forward(request, response);
     } else if (RecoveryStage.RESET.equalsValue(recoveryStage)) {
         request.setAttribute("useRecoveryV2API", "true");

diff --git a/identity-apps-core/apps/recovery-portal/src/main/webapp/password-reset-complete.jsp b/identity-apps-core/apps/recovery-portal/src/main/webapp/password-reset-complete.jsp
@@ -80,7 +80,7 @@
             IdentityManagementEndpointUtil.getStringValue(request.getSession().getAttribute("confirmationKey"));
     String newPassword = request.getParameter("reset-password");
     String callback = request.getParameter("callback");
-    String spId = request.getParameter("spId");
+    String spId = Encode.forJava(request.getParameter("spId"));
     if (StringUtils.isBlank(spId)) {
         spId = (String)request.getAttribute("spId");
     }

diff --git a/identity-apps-core/apps/recovery-portal/src/main/webapp/self-registration-complete.jsp b/identity-apps-core/apps/recovery-portal/src/main/webapp/self-registration-complete.jsp
@@ -82,7 +82,7 @@
     String confirmLiteReg = (String) request.getAttribute("confirmLiteReg");
     String resendUsername = request.getParameter("username");
     String sp = Encode.forJava(request.getParameter("sp"));
-    String spId = request.getParameter("spId");
+    String spId = Encode.forJava(request.getParameter("spId"));
     String sessionDataKey = (String) request.getAttribute("sessionDataKey");
     String applicationAccessURLWithoutEncoding = null;
     String tenantedMyaccountURL = null;