From dad95a3ca050910d44ff346edead722e341417ef Mon Sep 17 00:00:00 2001
From: Hans Zandbelt
Date: Fri, 25 Jun 2021 11:42:57 +0200
Subject: [PATCH 2/3] avoid XSS vulnerability when using OIDCPreservePost On and supplying URLs that contain single quotes; thanks @oss-aimoto
Signed-off-by: Hans Zandbelt
---
 ChangeLog              | 4 ++++
 src/mod_auth_openidc.c | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index b4ab0a1..7054f0b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+06/25/2021
+- avoid XSS vulnerability when using OIDCPreservePost On and supplying URLs that contain single quotes
+  thanks @oss-aimoto
+
 06/10/2021
 - use encrypted JWTs for storing encrypted cache contents and avoid using static AAD/IV; thanks @niebardzo
 - bump to 2.4.9-dev
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index 4cc7976..ea84e5e 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -519,7 +519,7 @@ static int oidc_request_post_preserved_restore(request_rec *r,
     " input.type = \"hidden\";\n"
     " document.forms[0].appendChild(input);\n"
     " }\n"
-    " document.forms[0].action = '%s';\n"
+    " document.forms[0].action = \"%s\";\n"
     " document.forms[0].submit();\n"
     " }\n"
     " \n", method, original_url);
-- 
2.27.0
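Review bot: Swapping the JavaScript string delimiter from `'` to `"` on the new `" document.forms[0].action = \"%s\";\n"` line only moves the break-out character; `original_url` is still formatted into an inline script without any escaping, so a value containing `"`, `\`, a line terminator or `</script>` still terminates the string or the script element and injects code. Before the format call, `original_url` should be escaped for a JavaScript string context (backslash-escape `\` and `"`, and encode `<`, `>`, `\r` and `\n`) or, more robustly, rejected unless it has the expected shape of a URL for this server, e.g. a guard such as `if (strpbrk(original_url, "\"\\<>\r\n") != NULL) return HTTP_INTERNAL_SERVER_ERROR;` ahead of the `apr_psprintf`-style call, with the return code matched to how the rest of the function reports errors. Where `original_url` and `method` originate is not visible in this hunk; if either is taken from the request they are attacker-controlled and `method`, which is interpolated into the same script, needs the same treatment. A comment on the line, `/* original_url is embedded in a JS string: must be escaped/validated, not just quoted */`, would keep the next maintainer from repeating the delimiter-only fix. `oidc_request_post_preserved_restore` begins before this hunk.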