Don't parse html with xml parser, and instead get the data we need di…

…rectly from pysaml2.
IdentityPython · knaperek · Apr 13, 2017 · Apr 11, 2017 · Apr 11, 2017 · Apr 11, 2017
commit b60149cb08e0f2513b95c941cc96837dfbcda9e9
diff --git a/djangosaml2/utils.py b/djangosaml2/utils.py
@@ -46,21 +46,3 @@ def get_location(http_info):
     header_name, header_value = headers[0]
     assert header_name == 'Location'
     return header_value
-
-
-def get_hidden_form_inputs(html):
-    """ Extracts name/value pairs from hidden input tags in an html form."""
-    pairs = dict()
-    tree = ElementTree.fromstring(html.replace('&', '&amp;'), forbid_dtd=True)
-    # python 2.6 doesn't have iter
-    if hasattr(tree, 'iter'):
-        node_iter = tree.iter()
-    else:
-        node_iter = tree.getiterator()
-    for node in node_iter:
-        if node.tag == 'input':
-            element = dict(node.items())
-            if element['type'] == 'hidden':
-                pairs[element['name']] = element['value']
-    return pairs
-
diff --git a/djangosaml2/views.py b/djangosaml2/views.py
@@ -13,14 +13,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+import base64
 import logging
 
 try:
     from xml.etree import ElementTree
 except ImportError:
     from elementtree import ElementTree
-from defusedxml.common import (DTDForbidden, EntitiesForbidden,
-                               ExternalReferenceForbidden)
 
 from django.conf import settings
 from django.contrib import auth
@@ -54,8 +53,7 @@ def csrf_exempt(view_func):
 from djangosaml2.cache import StateCache
 from djangosaml2.conf import get_config
 from djangosaml2.signals import post_authenticated
-from djangosaml2.utils import get_custom_setting, available_idps, get_location, \
-    get_hidden_form_inputs
+from djangosaml2.utils import get_custom_setting, available_idps, get_location
 
 
 logger = logging.getLogger('djangosaml2')
@@ -177,17 +175,20 @@ def login(request,
         return HttpResponseRedirect(get_location(result))
     elif binding == BINDING_HTTP_POST:
         if not post_binding_form_template:
+            # use the html provided by pysaml2
             return HttpResponse(result['data'])
-        try:
-            params = get_hidden_form_inputs(result['data'][3])
+        else:
+            # manually get request XML to build our own template
+            request_id, request_xml = client.create_authn_request(
+                client._sso_location(selected_idp, binding),
+                binding=binding)
             return render(request, post_binding_form_template, {
-                    'target_url': result['url'],
-                    'params': params,
-                    })
-        except (DTDForbidden, EntitiesForbidden, ExternalReferenceForbidden):
-            raise PermissionDenied
-        except TemplateDoesNotExist:
-            return HttpResponse(result['data'])
+                'target_url': result['url'],
+                'params': {
+                    'SAMLRequest': base64.b64encode(request_xml),
+                    'RelayState': came_from,
+                    },
+                })
     else:
         raise NotImplementedError('Unsupported binding: %s', binding)