-
Notifications
You must be signed in to change notification settings - Fork 90
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add option to set success and error pages for when calling AcquireInt… #490
base: main
Are you sure you want to change the base?
Add option to set success and error pages for when calling AcquireInt… #490
Conversation
@microsoft-github-policy-service agree
… On 12 Jun 2024, at 10:19 PM, microsoft-github-policy-service[bot] ***@***.***> wrote:
@microsoft-github-policy-service agree
|
13b8895
to
20f93ec
Compare
@bgavrilMS @chlowell @rayluo overall, the PR looks good to me, but to confirm, we're OK with arbitrary |
Are there any more changes that you would like me to add to this PR? cc @chlowell you still have a change request on this PR. Has this been resolved for you? |
There are still a few things to address here:
A few options for addressing item 3:
Option 2 looks good to me; @bgavrilMS @localden @rayluo do you have a preference? |
Option 2 sounds reasonable to me - formatting to be documented and interpolation simplified. Thanks for reviewing @chlowell! |
What are those 3 options trying to address? I believe, regardless of whether a default |
I'm not worrying about escaping--maybe I should--but developer confusion and unexpected results. If we (try to) augment an application-provided error page with an error message, we should document that behavior or present the message via some API so developers expect the additional content. |
Great. Now we agree to escape the values that will be rendered on the error page. :-) "Developer confusion and unexpected results" can be avoided by API documentation such as "the error page is treated as a template and its variable $Foo will be interpolated by blah blah". That is an intuitive concept and easily understandable. |
Option 1 already solves my "personal" needs, for displaying end user friendly pages, where technical error codes / descriptions are not understood (unless you are a developer, useful for debugging). Also are the messages multi lingual ? If not then Option 2 might not be an ideal solution for all? Option 3 would allow for error code interpretation; allowing one to suggest a course of action to end users rather than error messages whose audience is more developer orientated. I am not sure how to control the "escaping" as the control falls away (user application space). Perhaps on the return path to the SDK before the server renders the page, the page can be sanitised using something like bluemonday : https://pkg.go.dev/github.com/microcosm-cc/bluemonday ? |
Hi @chlowell thanks for reviewing. Regarding the outstanding list of work: 1: I have added some tests, can you please review. (it's a bit hard to visualise the changes in GitHub) |
I'm not sure what the benefit is to make "a copy of success/error pages that is immutable". Is that an attack vector unique to Go? But to be clear, my "escape/sanitize" suggestion is NOT for the app-provided success/error page. I was referring to the interpolation of error code and error description that already exist and is not fixed by this PR. Technically, you could bypass the "not sure how to escape" issue, by removing that interpolation (even though it is NOT for app-provided error page). But that would risk a regression in the future. I would suggest we escape the error content properly this time. |
I am not sure what the reasoning behind this is, it was suggested by @chlowell to make the |
What you reverted was correct--we should copy all slices provided by an application because slices are reference types. A slice value is a pointer to memory, not the content of that memory. We don't want to share a pointer with the application because the application can modify the data pointed to at any time (for example). |
Thanks @chlowell ... And for the example! I can also confirm (dang GPT), I checked my Go PL Book page 51, and this commit on the Go Spec. (a slice has a pointer to a backing array) |
6169f27
to
213b935
Compare
I have made some more changes, which might not be what's wanted yet? 1: I have used html templates, which is injection safe, and removed the Escape from earlier. https://pkg.go.dev/html/template |
remove the option error page string interpolation.
This reverts commit 6a36074.
Co-authored-by: Charles Lowell <10964656+chlowell@users.noreply.github.com>
using bytes.Equal, eliminating the cast Co-authored-by: Charles Lowell <10964656+chlowell@users.noreply.github.com>
…f the html template variables
….Err template fields
…plication size, instead revert to using html.EscapeString
…test definitions itself
7bc0694
to
5c38a70
Compare
27c44ef
to
f419d6a
Compare
Quality Gate passedIssues Measures |
Add option to set success and error web pages for when using
AcquireTokenInteractive
For example :