HtmlEncode iframe URLs in EndSessionCallbackResult #5184 (#5188)

src/IdentityServer4/src/Endpoints/Results/EndSessionCallbackResult.cs

@@ -12,6 +12,7 @@
 using System;
 using IdentityServer4.Extensions;
 using IdentityServer4.Configuration;
+using System.Text.Encodings.Web;
 
 namespace IdentityServer4.Endpoints.Results
 {
@@ -79,7 +80,7 @@ private string GetHtml()
 
             if (_result.FrontChannelLogoutUrls != null && _result.FrontChannelLogoutUrls.Any())
             {
-                var frameUrls = _result.FrontChannelLogoutUrls.Select(url => $"<iframe src='{url}'></iframe>");
+                var frameUrls = _result.FrontChannelLogoutUrls.Select(url => $"<iframe src='{HtmlEncoder.Default.Encode(url)}'></iframe>");
                 framesHtml = frameUrls.Aggregate((x, y) => x + y);
             }
 

src/IdentityServer4/test/IdentityServer.IntegrationTests/Endpoints/EndSession/EndSessionTests.cs

@@ -379,8 +379,8 @@ public async Task valid_signout_callback_should_render_iframes_for_all_clients()
 
             response = await _mockPipeline.BrowserClient.GetAsync(signoutFrameUrl);
             var html = await response.Content.ReadAsStringAsync();
-            html.Should().Contain("https://client1/signout?sid=" + sid + "&iss=" + UrlEncoder.Default.Encode("https://server"));
-            html.Should().Contain("https://client2/signout?sid=" + sid + "&iss=" + UrlEncoder.Default.Encode("https://server"));
+            html.Should().Contain(HtmlEncoder.Default.Encode("https://client1/signout?sid=" + sid + "&iss=" + UrlEncoder.Default.Encode("https://server")));
+            html.Should().Contain(HtmlEncoder.Default.Encode("https://client2/signout?sid=" + sid + "&iss=" + UrlEncoder.Default.Encode("https://server")));
         }
 
         [Fact]