From de4a83ce5de80ef2d4fa7d6375a169bb2e90b7c0 Mon Sep 17 00:00:00 2001
From: cj-syed-ali
Date: Thu, 25 Jul 2024 11:23:16 +0300
Subject: [PATCH] Escape error response

This should prevent the possibility of an XSS attack.
---
 handler.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/handler.go b/handler.go
index ae04b4e..a2403e6 100644
--- a/handler.go
+++ b/handler.go
@@ -16,6 +16,7 @@ package httpsig
 import (
 	"fmt"
+	"html"
 	"net/http"
 	"strings"
 )
 
@@ -43,7 +44,7 @@ func RequireSignature(h http.Handler, v *Verifier, realm string) (
 	if err != nil {
 		w.Header()["WWW-Authenticate"] = []string{challenge}
 		w.WriteHeader(http.StatusUnauthorized)
-		fmt.Fprintln(w, err.Error())
+		fmt.Fprintln(w, html.EscapeString(err.Error()))
 		return
 	}
 	h.ServeHTTP(w, req)
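Review bot: The escaping on the new `fmt.Fprintln` line treats the symptom rather than the cause: the handler never sets a Content-Type, so net/http sniffs the body and can serve the error text as text/html, which is what makes a reflected error string exploitable in the first place, and the escaped output now also mangles quotes and ampersands for plain-text consumers. Set the type explicitly before `w.WriteHeader`: `w.Header().Set("Content-Type", "text/plain; charset=utf-8")` and `w.Header().Set("X-Content-Type-Options", "nosniff")` (or replace the status/body lines with `http.Error(w, err.Error(), http.StatusUnauthorized)`, which does both and keeps the WWW-Authenticate header already set). Since the message presumably originates from verifying the client's own signature input, it is also worth deciding whether it should be echoed verbatim at all, rather than returning a fixed message and logging the detail server-side. RequireSignature's body starts before the hunk and continues past it.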