Improve the default OAuth page content renderer not to embed external…

… parameters as-is (#1352)

docs-src/oauth/index.rst

@@ -34,6 +34,7 @@ The code snippet below demonstrates how to build it using `Flask <https://flask.
 .. code-block:: python
 
     import os
+    import html
     from slack_sdk.oauth import AuthorizeUrlGenerator
     from slack_sdk.oauth.installation_store import FileInstallationStore, Installation
     from slack_sdk.oauth.state_store import FileOAuthStateStore
@@ -59,7 +60,7 @@ The code snippet below demonstrates how to build it using `Flask <https://flask.
         state = state_store.issue()
         # https://slack.com/oauth/v2/authorize?state=(generated value)&client_id={client_id}&scope=app_mentions:read,chat:write&user_scope=search:read
         url = authorize_url_generator.generate(state)
-        return f'<a href="{url}">' \
+        return f'<a href="{html.escape(url)}">' \
                f'<img alt=""Add to Slack"" height="40" width="139" src="https://platform.slack-edge.com/img/add_to_slack.png" srcset="https://platform.slack-edge.com/img/add_to_slack.png 1x, https://platform.slack-edge.com/img/add_to_slack@2x.png 2x" /></a>'
 
 When accessing ``https://(your domain)/slack/install``, you will see "Add to Slack" button in the webpage. You can start the app's installation flow by clicking the button.
@@ -90,13 +91,11 @@ The redirection gives you a ``code`` parameter. You can exchange the value for a
                     redirect_uri=redirect_uri,
                     code=request.args["code"]
                 )
-
-                installed_enterprise = oauth_response.get("enterprise", {})
+                installed_enterprise = oauth_response.get("enterprise") or {}
                 is_enterprise_install = oauth_response.get("is_enterprise_install")
-                installed_team = oauth_response.get("team", {})
-                installer = oauth_response.get("authed_user", {})
-                incoming_webhook = oauth_response.get("incoming_webhook", {})
-
+                installed_team = oauth_response.get("team") or {}
+                installer = oauth_response.get("authed_user") or {}
+                incoming_webhook = oauth_response.get("incoming_webhook") or {}
                 bot_token = oauth_response.get("access_token")
                 # NOTE: oauth.v2.access doesn't include bot_id in response
                 bot_id = None
@@ -137,7 +136,7 @@ The redirection gives you a ``code`` parameter. You can exchange the value for a
                 return make_response(f"Try the installation again (the state value is already expired)", 400)
 
         error = request.args["error"] if "error" in request.args else ""
-        return make_response(f"Something is wrong with the installation (error: {error})", 400)
+        return make_response(f"Something is wrong with the installation (error: {html.escape(error)})", 400)
 
 Token Lookup
 *************************************************

integration_tests/samples/oauth/oauth_v2.py

@@ -1,6 +1,7 @@
 # ---------------------
 # Flask App for Slack OAuth flow
 # ---------------------
+import html
 
 # pip3 install flask
 from flask import Flask, request, make_response
@@ -41,7 +42,7 @@ def oauth_start():
     state = state_store.issue()
     url = authorization_url_generator.generate(state)
     return (
-        f'<a href="{url}">'
+        f'<a href="{html.escape(url)}">'
         f'<img alt=""Add to Slack"" height="40" width="139" src="https://platform.slack-edge.com/img/add_to_slack.png" srcset="https://platform.slack-edge.com/img/add_to_slack.png 1x, https://platform.slack-edge.com/img/add_to_slack@2x.png 2x" /></a>'
     )
 
@@ -57,11 +58,11 @@ def oauth_callback():
             oauth_response = client.oauth_v2_access(client_id=client_id, client_secret=client_secret, code=code)
             logger.info(f"oauth.v2.access response: {oauth_response}")
 
-            installed_enterprise = oauth_response.get("enterprise", {})
+            installed_enterprise = oauth_response.get("enterprise") or {}
             is_enterprise_install = oauth_response.get("is_enterprise_install")
-            installed_team = oauth_response.get("team", {})
-            installer = oauth_response.get("authed_user", {})
-            incoming_webhook = oauth_response.get("incoming_webhook", {})
+            installed_team = oauth_response.get("team") or {}
+            installer = oauth_response.get("authed_user") or {}
+            incoming_webhook = oauth_response.get("incoming_webhook") or {}
 
             bot_token = oauth_response.get("access_token")
             # NOTE: oauth.v2.access doesn't include bot_id in response
@@ -105,7 +106,7 @@ def oauth_callback():
             return redirect_page_renderer.render_failure_page("the state value is already expired")
 
     error = request.args["error"] if "error" in request.args else ""
-    return make_response(f"Something is wrong with the installation (error: {error})", 400)
+    return redirect_page_renderer.render_failure_page(error)
 
 
 # ---------------------

integration_tests/samples/oauth/oauth_v2_async.py

@@ -1,7 +1,7 @@
 # ---------------------
 # Sanic App for Slack OAuth flow
 # ---------------------
-
+import html
 import logging
 import os
 from slack_sdk.web.async_client import AsyncWebClient
@@ -44,7 +44,7 @@ async def oauth_start(req: Request):
     url = authorization_url_generator.generate(state)
     return HTTPResponse(
         status=200,
-        body=f'<a href="{url}">'
+        body=f'<a href="{html.escape(url)}">'
         f'<img alt=""Add to Slack"" height="40" width="139" src="https://platform.slack-edge.com/img/add_to_slack.png" srcset="https://platform.slack-edge.com/img/add_to_slack.png 1x, https://platform.slack-edge.com/img/add_to_slack@2x.png 2x" /></a>',
     )
 
@@ -61,6 +61,7 @@ async def oauth_callback(req: Request):
             logger.info(f"oauth.v2.access response: {oauth_response}")
 
             installed_enterprise = oauth_response.get("enterprise") or {}
+            is_enterprise_install = oauth_response.get("is_enterprise_install")
             installed_team = oauth_response.get("team") or {}
             installer = oauth_response.get("authed_user") or {}
             incoming_webhook = oauth_response.get("incoming_webhook") or {}
@@ -85,6 +86,8 @@ async def oauth_callback(req: Request):
                 incoming_webhook_url=incoming_webhook.get("url"),
                 incoming_webhook_channel_id=incoming_webhook.get("channel_id"),
                 incoming_webhook_configuration_url=incoming_webhook.get("configuration_url"),
+                is_enterprise_install=is_enterprise_install,
+                token_type=oauth_response.get("token_type"),
             )
             installation_store.save(installation)
             html = redirect_page_renderer.render_success_page(
@@ -111,7 +114,11 @@ async def oauth_callback(req: Request):
             )
 
     error = req.args.get("error") if "error" in req.args else ""
-    return HTTPResponse(status=400, body=f"Something is wrong with the installation (error: {error})")
+    return HTTPResponse(
+        status=400,
+        headers={"Content-Type": "text/html; charset=utf-8"},
+        body=redirect_page_renderer.render_failure_page(error),
+    )
 
 
 # ---------------------

integration_tests/samples/openid_connect/flask_example.py

@@ -91,7 +91,7 @@ def oauth_callback():
             return redirect_page_renderer.render_failure_page("The state value is already expired")
 
     error = request.args["error"] if "error" in request.args else ""
-    return make_response(f"Something is wrong with the installation (error: {error})", 400)
+    return redirect_page_renderer.render_failure_page(error)
 
 
 if __name__ == "__main__":