Escape username parameter (#901)

DharshanBJ · web-flow · commit 67136fe2115b · 2026-04-10T10:47:02.000-07:00
* Escape username to protect against xml injection vulnerability

* Add test
diff --git a/msal/wstrust_request.py b/msal/wstrust_request.py
@@ -60,8 +60,8 @@ def send_request(
     return parse_response(resp.text)
 
 
-def escape_password(password):
-    return (password.replace('&', '&amp;').replace('"', '&quot;')
+def escape_xml(s):
+    return (s.replace('&', '&amp;').replace('"', '&quot;')
         .replace("'", '&apos;')  # the only one not provided by cgi.escape(s, True)
         .replace('<', '&lt;').replace('>', '&gt;'))
 
@@ -116,7 +116,7 @@ def _build_rst(username, password, cloud_audience_urn, endpoint_address, soap_ac
             endpoint_address=endpoint_address,
             time_now=wsu_time_format(now),
             time_expire=wsu_time_format(now + timedelta(minutes=10)),
-            username=username, password=escape_password(password),
+            username=escape_xml(username), password=escape_xml(password),
             wst=Mex.NS["wst"] if soap_action == Mex.ACTION_13 else Mex.NS["wst2005"],
             applies_to=cloud_audience_urn,
             key_type='http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer'
diff --git a/tests/test_wstrust.py b/tests/test_wstrust.py
@@ -31,6 +31,7 @@
     from xml.etree import ElementTree as ET
 import os
 
+from msal.wstrust_request import _build_rst, escape_xml
 from msal.wstrust_response import *
 
 from tests import unittest
@@ -96,3 +97,16 @@ def test_token_parsing_happy_path(self):
         self.assertEqual(result.get("type"), SAML_TOKEN_TYPE_V1)
         self.assertIn(b"<saml:Assertion", result.get("token", ""))
 
+
+class Test_WsTrustRequest(unittest.TestCase):
+
+    def test_escape_xml(self):
+        self.assertEqual(escape_xml('<>&"\''), '&lt;&gt;&amp;&quot;&apos;')
+
+    def test_username_xml_injection_is_prevented(self):
+        malicious = 'admin</wsse:Username><x>INJECTED'
+        rst = _build_rst(malicious, 'pw', 'urn:x', 'https://x',
+            'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue')
+        self.assertEqual(rst.count('<wsse:Username>'), 1)
+        self.assertNotIn('<x>INJECTED', rst)
+
