From 71388dd6fa0f034e3a55746261d8ea5fef8cb809 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jean-Dominique=20Ngu=C3=A9l=C3=A9?=
Date: Mon, 30 Mar 2020 21:12:11 +0100
Subject: [PATCH] Different approach to sanitize userInfoJson
---
 .../src/main/webapp/WEB-INF/tags/header.tag | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/openid-connect-server-webapp/src/main/webapp/WEB-INF/tags/header.tag b/openid-connect-server-webapp/src/main/webapp/WEB-INF/tags/header.tag
index ce8c64f160..97dda8b7c5 100644
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/tags/header.tag
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/tags/header.tag
@@ -52,10 +52,24 @@ function setPageTitle(title) {
 document.title = "${config.topbarTitle} - " + title;
 }
+
+ function cleanObject(obj) {
+ if (obj === String(obj)) {
+ return obj.replace(/<.+>/, '');
+ }
+
+ if (obj instanceof Object) {
+ Object.keys(obj).map(function(key, index) {
+ obj[key] = cleanObject(obj[key]);
+ });
+ }
+
+ return obj;
+ }
 // get the info of the current user, if available (null otherwise)
 function getUserInfo() {
- return ${fn:escapeXml(userInfoJson)};
+ return cleanObject(${userInfoJson});
 }
 // get the authorities of the current user, if available (null otherwise)
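Review bot: `return cleanObject(${userInfoJson});` interpolates the raw JSON into the `<script>` body before any JavaScript executes, so a string value containing `</script>` closes the script element at HTML-parse time and `cleanObject` never runs on it — assuming `userInfoJson` carries user-editable claims (name, email, etc.), this replaces the unusable `fn:escapeXml` output with a template-level script injection. The client-side sanitizer is also weak on its own terms: `/<.+>/` has no `g` flag, so only the first tag-like run in each string is removed, and it mutates the object in place. Escape for the script context on the server and leave the JSON intact, e.g. `return ${fn:replace(fn:replace(userInfoJson, '<', '\\u003c'), '>', '\\u003e')};` — `\u003c`/`\u003e` are valid escapes in both JSON and JS string literals, so values round-trip unchanged while `</script>` can no longer appear in the markup. Alternatively emit the JSON into an `fn:escapeXml`-escaped `data-` attribute and `JSON.parse` it inside `getUserInfo`, which keeps the data out of the script context entirely.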