Skip to content

Comments

Refactor OpenAPI handling and update samples#296

Merged
RolandGuijt merged 6 commits intomainfrom
roland/miscbff
Feb 11, 2026
Merged

Refactor OpenAPI handling and update samples#296
RolandGuijt merged 6 commits intomainfrom
roland/miscbff

Conversation

@RolandGuijt
Copy link
Contributor

@RolandGuijt RolandGuijt commented Feb 11, 2026

Summary

  • Refactored ProxyingOpenApiDocument for better readability and maintainability.
  • Updated OpenAPI document writer to handle asynchronous JSON serialization.
  • Added inline comments to address potential future compatibility issues with OpenAPI library and .NET 10.
  • Fixed missing reference in the project.
  • Updated tokenexchange sample to ensure functionality.
  • Performed general updates on samples for consistency and compatibility.

roland and others added 6 commits February 10, 2026 15:36
Update samples
9f9d805
Update tokenexchange sample
7d8b8ec
Add missing reference
bb8ec56
@khalidabuhakmeh
Refactor OpenAPI response transformer and document writer
1b0cc14 
Improve readability of `ProxyingOpenApiDocument` logic. Update OpenAPI document writing method to handle JSON serialization asynchronously and add inline comments for future compatibility issues with OpenAPI library and .NET 10.
@Erwinvandervalk
make sample work again
878b4cc
@Erwinvandervalk
cleanup
eecbe47
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 11, 2026
View reviewed changes
BFF/v4/TokenExchange/TokenExchange.IdentityServer/wwwroot/js/signin-redirect.js
@@ -0,0 +1 @@
window.location.href = document.querySelector("meta[http-equiv=refresh]").getAttribute("data-url");

Check failure

Code scanning / CodeQL

DOM text reinterpreted as HTML High

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix

AI 14 days ago

In general, to fix this type of problem you should not directly trust text/attributes taken from the DOM when using them in sensitive operations (HTML insertion, script execution, navigation). Instead, sanitize and validate the value, and constrain it to a safe set of destinations (e.g., same-origin paths or a whitelist of allowed hosts). If the value is meant to be a simple path, restrict it to that; if it's a full URL, parse it and enforce origin checks before using it.

For this specific file, the best fix with minimal functional change is:

  1. Read the data-url attribute into a variable.
  2. Parse it using the standard URL constructor to ensure it is syntactically valid and to inspect its origin.
  3. Enforce that the destination is same-origin (or otherwise constrained) before assigning to window.location.href. If it fails validation, do not redirect (or optionally fall back to a safe default like /).

This keeps the existing behavior for legitimate same-origin URLs while preventing navigation to arbitrary attacker-controlled destinations. No external libraries are needed; the built-in URL API is sufficient. All changes are confined to BFF/v4/TokenExchange/TokenExchange.IdentityServer/wwwroot/js/signin-redirect.js line 1, expanding it into a small, explicit redirect routine.

Suggested changeset 1
BFF/v4/TokenExchange/TokenExchange.IdentityServer/wwwroot/js/signin-redirect.js

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/BFF/v4/TokenExchange/TokenExchange.IdentityServer/wwwroot/js/signin-redirect.js b/BFF/v4/TokenExchange/TokenExchange.IdentityServer/wwwroot/js/signin-redirect.js
--- a/BFF/v4/TokenExchange/TokenExchange.IdentityServer/wwwroot/js/signin-redirect.js
+++ b/BFF/v4/TokenExchange/TokenExchange.IdentityServer/wwwroot/js/signin-redirect.js
@@ -1 +1,24 @@
-window.location.href = document.querySelector("meta[http-equiv=refresh]").getAttribute("data-url");
+(function () {
+    var metaRefresh = document.querySelector("meta[http-equiv=refresh]");
+    if (!metaRefresh) {
+        return;
+    }
+
+    var targetUrl = metaRefresh.getAttribute("data-url");
+    if (!targetUrl) {
+        return;
+    }
+
+    try {
+        // Use URL API to normalize and inspect the target
+        var parsedTarget = new URL(targetUrl, window.location.origin);
+
+        // Only allow redirects to the same origin to avoid open redirects / XSS chains
+        if (parsedTarget.origin === window.location.origin) {
+            window.location.href = parsedTarget.href;
+        }
+    } catch (e) {
+        // If the URL is invalid, do not redirect
+        return;
+    }
+})();
EOF
@@ -1 +1,24 @@
window.location.href = document.querySelector("meta[http-equiv=refresh]").getAttribute("data-url");
(function () {
var metaRefresh = document.querySelector("meta[http-equiv=refresh]");
if (!metaRefresh) {
return;
}

var targetUrl = metaRefresh.getAttribute("data-url");
if (!targetUrl) {
return;
}

try {
// Use URL API to normalize and inspect the target
var parsedTarget = new URL(targetUrl, window.location.origin);

// Only allow redirects to the same origin to avoid open redirects / XSS chains
if (parsedTarget.origin === window.location.origin) {
window.location.href = parsedTarget.href;
}
} catch (e) {
// If the URL is invalid, do not redirect
return;
}
})();
Copilot is powered by AI and may make mistakes. Always verify output.
@RolandGuijt RolandGuijt merged commit c49bce5 into main Feb 11, 2026
2 of 3 checks passed
@RolandGuijt RolandGuijt deleted the roland/miscbff branch February 11, 2026 12:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@maartenba maartenba maartenba approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@RolandGuijt @maartenba @khalidabuhakmeh @Erwinvandervalk