From 5ca14b540b1163e1880ade0e5160b54dc36ba8d5 Mon Sep 17 00:00:00 2001
From: Hugh Nimmo-Smith <hughns@matrix.org>
Date: Mon, 11 Sep 2023 16:47:02 +0100
Subject: [PATCH 1/2] Don't show redirect_uri on consent screen if not HTTP

Because we don't know if it is validated by the OS at all and so could be misleading to the user
---
 templates/pages/consent.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/pages/consent.html b/templates/pages/consent.html
index 461722f29..9f9dc579d 100644
--- a/templates/pages/consent.html
+++ b/templates/pages/consent.html
@@ -32,7 +32,7 @@
         {% endif %}
 
         <h1 class="cpd-text-primary cpd-text-heading-xl-semibold"><a target="_blank" href="{{ client.client_uri }}">{{ client_name }}</a></h1>
-        <p class="cpd-text-secondary cpd-text-body-lg-regular"><span class="whitespace-nowrap">at {{ grant.redirect_uri | simplify_url }}</span> wants to access your account. This will allow <span class="whitespace-nowrap">{{ client_name }}</span> to:</p>
+        <p class="cpd-text-secondary cpd-text-body-lg-regular">{% if client.redirect_uri is starting_with("http") %}<span class="whitespace-nowrap">at {{ grant.redirect_uri | simplify_url }}</span> {% endif %}wants to access your account. This will allow <span class="whitespace-nowrap">{{ client_name }}</span> to:</p>
       </div>
 
       <div class="consent-scope-list">

From 40107329810bb2d63bc75441d3dba9fbf3f92b1e Mon Sep 17 00:00:00 2001
From: Hugh Nimmo-Smith <hughns@matrix.org>
Date: Mon, 11 Sep 2023 16:48:07 +0100
Subject: [PATCH 2/2] Use correct uri

---
 templates/pages/consent.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/pages/consent.html b/templates/pages/consent.html
index 9f9dc579d..d71c65500 100644
--- a/templates/pages/consent.html
+++ b/templates/pages/consent.html
@@ -32,7 +32,7 @@
         {% endif %}
 
         <h1 class="cpd-text-primary cpd-text-heading-xl-semibold"><a target="_blank" href="{{ client.client_uri }}">{{ client_name }}</a></h1>
-        <p class="cpd-text-secondary cpd-text-body-lg-regular">{% if client.redirect_uri is starting_with("http") %}<span class="whitespace-nowrap">at {{ grant.redirect_uri | simplify_url }}</span> {% endif %}wants to access your account. This will allow <span class="whitespace-nowrap">{{ client_name }}</span> to:</p>
+        <p class="cpd-text-secondary cpd-text-body-lg-regular">{% if grant.redirect_uri is starting_with("http") %}<span class="whitespace-nowrap">at {{ grant.redirect_uri | simplify_url }}</span> {% endif %}wants to access your account. This will allow <span class="whitespace-nowrap">{{ client_name }}</span> to:</p>
       </div>
 
       <div class="consent-scope-list">