cordova-plugin-oauth icon indicating copy to clipboard operation
cordova-plugin-oauth copied to clipboard

Published 20 hours ago verified publisher icon AyogoHealth

Single quotes in JSON string cause error

Open kryops opened this issue 1 year ago • 3 comments

Hi there,

If the JSON from the OAuth provider contains single quotes, it causes an error.

Example (with misconfigured Azure AD):

{
    "error": "invalid_client",
    "error_description": "AADSTSXXXX: The application 'MyApplication' asked for scope 'myScope' that doesn't exist on the resource 'xxxx-xxxx-xxxx'. Contact the app vendor.\r\nTrace ID: xxxx-xxxx-xxxx\r\nCorrelation ID: xxxx-xxxx-xxxx\r\nTimestamp: 2023-03-29 06:30:49Z"
}

In the Chrome/Safari dev tools it just shows up as something like Uncaught SyntaxError: Unexpected identifier VM296:1

The cause seems to be that the JSON string is just pasted into the generated JavaScript code without escaping single quotes, which would result in invalid code like this:

window.dispatchEvent(new MessageEvent('message', { data: 'oauth::{"foo":"some 'quoted' content"}' })

It affects both Android and iOS:

  • https://github.com/AyogoHealth/cordova-plugin-oauth/blob/2aa2aad436bd470d62e0758554c9eb8b9b854738/src/android/OAuthPlugin.java#L126
  • https://github.com/AyogoHealth/cordova-plugin-oauth/blob/2aa2aad436bd470d62e0758554c9eb8b9b854738/src/ios/OAuthPlugin.swift#L208

Thanks for looking into it!

kryops avatar Mar 29 '23 06:03 kryops

Thanks for raising this! It seems like it should be a fairly simple fix just escaping single quotes in the message before concatenating the strings.

I was hoping there would be a good way to reproduce this with tests, but the testing situation here is still not quite what I'd like it to be 😞

dpogue avatar Apr 04 '23 06:04 dpogue

I found a suspicious workaround in our code that looks like backslashes should probably be escaped as well. They do not cause errors like single quotes do, but we currently have to escape newlines and tabs in our message handler code because they prevent the message from being parsed as JSON:

const jsonString = message.replace(/\n/g, '\\n').replace(/\r/g, '\\r').replace(/\t/g, '\\t');
const json = JSON.parse(jsonString);

kryops avatar Apr 04 '23 06:04 kryops

I wonder if a simple solution is to use backtick strings instead of single-quote strings... there's a small chance that breaks on really old webviews, but I'm not sure Cordova still works on anything that old.

But maybe that doesn't fix the newlines and other special characters?

dpogue avatar Apr 04 '23 20:04 dpogue