From 6298c898e26e81ccae42f67342de1045fa0b6062 Mon Sep 17 00:00:00 2001
From: AFaust
Date: Fri, 5 Jun 2020 16:48:17 +0200
Subject: [PATCH] Ensure parameter value is not directly written to response

---
 .../keycloak/share/web/KeycloakAuthenticationFilter.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/share/src/main/java/de/acosix/alfresco/keycloak/share/web/KeycloakAuthenticationFilter.java b/share/src/main/java/de/acosix/alfresco/keycloak/share/web/KeycloakAuthenticationFilter.java
index bd44d55..9144c91 100644
--- a/share/src/main/java/de/acosix/alfresco/keycloak/share/web/KeycloakAuthenticationFilter.java
+++ b/share/src/main/java/de/acosix/alfresco/keycloak/share/web/KeycloakAuthenticationFilter.java
@@ -74,6 +74,7 @@ import org.springframework.extensions.surf.mvc.PageViewResolver;
 import org.springframework.extensions.surf.site.AuthenticationUtil;
 import org.springframework.extensions.surf.types.Page;
 import org.springframework.extensions.surf.types.PageType;
+import org.springframework.extensions.surf.util.URLEncoder;
 import org.springframework.extensions.webscripts.Description.RequiredAuthentication;
 import org.springframework.extensions.webscripts.Status;
 import org.springframework.extensions.webscripts.connector.ConnectorService;
@@ -998,7 +999,7 @@ public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, I
 error = req.getParameter(ERROR_PARAMETER);
 }
 final String redirectUrl = req.getContextPath() + "/page?pt=login"
- + (error == null ? "" : "&" + ERROR_PARAMETER + "=" + error);
+ + (error == null ? "" : "&" + ERROR_PARAMETER + "=" + URLEncoder.encode(error));
 res.sendRedirect(redirectUrl);
 }
 }
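Review bot: The encoded `error` value in the `@@ -998` hunk is still a caller-controlled request parameter that is forwarded verbatim into the login page's query string, so the change fixes the redirect-URL structure (assuming Surf's `URLEncoder.encode` escapes `&`, `=` and `#`) but not how the `pt=login` page treats the parameter once it arrives. Since the filter knows which error keys it emits itself, a safer shape is to only propagate values from that known set and fall back to a generic key otherwise, e.g. `if (error != null && !isKnownErrorKey(error)) { error = null; }` placed before `redirectUrl` is built (helper name is a constructed placeholder). A one-line comment on the `+` line such as `// error is request-supplied; encode so it cannot alter the query/fragment of the redirect` would also record why the encoding is required. The enclosing method starts before the hunk, so the branch that reads `ERROR_PARAMETER` is only partly visible here.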