From a4a6c1e3d99342f018288e7fe8935bfb03f631d1 Mon Sep 17 00:00:00 2001
From: Andreas Wrede <andreas@wrede.ca>
Date: Sat, 9 May 2026 08:57:25 -0400
Subject: [PATCH] fix: extend fetch_user error guard; escape HTML in login page

Move field-extraction inside the try/except in fetch_user so non-dict
responses from providers with empty profile_data_path (Gitea, GitHub)
raise OAuthError instead of an uncaught AttributeError. Apply
html.escape() to provider name, label, and logo URL in the login page.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 hbd/server/http.py  |  7 ++++---
 hbd/server/oauth.py | 13 ++++++-------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/hbd/server/http.py b/hbd/server/http.py
index 2a469bd..ef28d84 100644
--- a/hbd/server/http.py
+++ b/hbd/server/http.py
@@ -2,6 +2,7 @@
 
 import asyncio
 import datetime
+import html as _html
 import json
 import platform
 import socket
@@ -630,10 +631,10 @@ async def start(
         if _providers:
             buttons_html = ""
             for _p in _providers:
-                _logo = f'<img src="{_p.logo}" alt="" class="oauth-logo">' if _p.logo else ""
+                _logo = f'<img src="{_html.escape(_p.logo)}" alt="" class="oauth-logo">' if _p.logo else ""
                 buttons_html += f"""
-    <a href="/login/oauth/{_p.name}" class="oauth-btn">
-      {_logo}{_p.label}
+    <a href="/login/oauth/{_html.escape(_p.name)}" class="oauth-btn">
+      {_logo}{_html.escape(_p.label)}
     </a>"""
             oauth_buttons = f"""
     <div class="divider">or</div>{buttons_html}"""
diff --git a/hbd/server/oauth.py b/hbd/server/oauth.py
index 5097bf9..ad9ec1d 100644
--- a/hbd/server/oauth.py
+++ b/hbd/server/oauth.py
@@ -244,12 +244,11 @@ async def fetch_user(provider: ResolvedProvider, token: str) -> dict:
     try:
         for key in provider.profile_data_path:
             data = data.get(key, {})
+        avatar_field = provider.field_map.get("avatar")
+        return {
+            "login":      data.get(provider.field_map["username"], ""),
+            "full_name":  data.get(provider.field_map["full_name"], ""),
+            "avatar_url": data.get(avatar_field, "") if avatar_field else "",
+        }
     except AttributeError:
         raise OAuthError(f"Unexpected profile response structure from {provider.type}")
-
-    avatar_field = provider.field_map.get("avatar")
-    return {
-        "login":      data.get(provider.field_map["username"], ""),
-        "full_name":  data.get(provider.field_map["full_name"], ""),
-        "avatar_url": data.get(avatar_field, "") if avatar_field else "",
-    }