From 7b1d17a006378d8f3c2e60eb201e2add4d4b13ba Mon Sep 17 00:00:00 2001
From: Alex Collins
Date: Thu, 10 Sep 2020 12:25:01 -0700
Subject: [PATCH] fix(server): Remove XSS vulnerability. Fixes #3942 (#3975)
---
 server/auth/sso/sso.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/auth/sso/sso.go b/server/auth/sso/sso.go
index 86f90c33fa8d..2b0eecbfb47c 100644
--- a/server/auth/sso/sso.go
+++ b/server/auth/sso/sso.go
@@ -147,7 +147,7 @@ func (s *sso) HandleCallback(w http.ResponseWriter, r *http.Request) {
 }
 if state != cookie.Value {
 w.WriteHeader(401)
- _, _ = w.Write([]byte(fmt.Sprintf("invalid state: %s", state)))
+ _, _ = w.Write([]byte("invalid state: does not match cookie value"))
 return
 }
 oauth2Token, err := s.config.Exchange(ctx, r.URL.Query().Get("code"))
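Review bot: The 401 body on the `+` line is still emitted with a bare `w.WriteHeader(401)` / `w.Write(...)` pair, so no `Content-Type` is set and the response depends on Go's content sniffing; the fixed string is safe today, but the same pattern turned the reflected `state` into HTML in the first place, and any future edit that adds request data back into the message would reopen the issue. Replacing the two lines with `http.Error(w, "invalid state: does not match cookie value", http.StatusUnauthorized)` gives the same status and body while setting `Content-Type: text/plain; charset=utf-8` and `X-Content-Type-Options: nosniff`, so a browser will never interpret the body as markup. If the mismatched value is useful for troubleshooting, log it server-side rather than echoing it to the client. HandleCallback begins before this hunk and continues past it, so how `state` and `cookie` are obtained is not visible here.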