
Escape client_id in OAuth consent advanced details#3418

Merged
jlowin merged 1 commit into main from codex/fix-consent-screen-xss-vulnerability
Mar 6, 2026

Conversation

@jlowin
Member

@jlowin jlowin commented Mar 6, 2026

Motivation

  • The consent page was rendering the client_id raw in the advanced details section, reintroducing an XSS regression when attacker-controlled client IDs are present; this change restores consistent escaping for user-controlled fields.

Description

  • Escape client_id before rendering the "Application ID" detail in create_consent_html so all advanced detail values are HTML-escaped (file: src/fastmcp/server/auth/oauth_proxy/ui.py).
  • Add a focused unit test TestConsentPageRendering::test_create_consent_html_escapes_client_id_in_details that verifies a malicious client_id is not rendered as raw HTML (file: tests/server/auth/oauth_proxy/test_ui.py).

Testing

  • Ran uv sync which completed successfully.
  • Ran the full test suite with uv run pytest -n auto, which exposed unrelated flaky/timeouts in this environment but was used to validate the PR initially; the failures were not related to the UI change.
  • Ran targeted tests with uv run pytest tests/server/auth/oauth_proxy/test_ui.py tests/server/auth/test_oauth_consent_page.py and they passed (18 passed in ~3.3s).
  • Ran uv run prek run --all-files which failed due to an external pre-commit hook fetch failing in the environment (CONNECT tunnel failed, response 403).

🤖 Generated with GPT-5.2-Codex
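Added example, not code from this PR or from FastMCP's src/fastmcp/server/auth/oauth_proxy/ui.py: a minimal model of the consent page's advanced-details rendering, showing the unescaped "before" that the description calls a regression beside the escaped "after", plus a check of the kind the new unit test performs. The function names, the redirect_uri field, and the sample client_id payload are assumptions made for the illustration.

```python
"""Model of the consent page's "advanced details" rendering (hypothetical).

This is an illustrative stand-in for create_consent_html, not the project's
code. It shows why every user-controlled value must go through html.escape
before being interpolated into the page.
"""
from html import escape

# Constructed sample: an attacker-registered client_id carrying an HTML payload.
MALICIOUS_CLIENT_ID = '<img src=x onerror="alert(document.domain)">'
SAMPLE_REDIRECT_URI = "https://app.example/callback"  # constructed


def render_details_unescaped(client_id: str, redirect_uri: str) -> str:
    """The regression: redirect_uri is escaped but client_id is interpolated raw.

    Anyone who can choose a client_id (e.g. via dynamic client registration)
    gets their markup executed in the resource owner's browser.
    """
    return (
        "<dl>"
        f"<dt>Application ID</dt><dd>{client_id}</dd>"
        f"<dt>Redirect URI</dt><dd>{escape(redirect_uri)}</dd>"
        "</dl>"
    )


def render_details(client_id: str, redirect_uri: str) -> str:
    """The fix: every detail value passes through html.escape.

    html.escape(quote=True) is the default, so '"' and "'" are escaped too and
    the same helper stays safe when a value lands inside a quoted attribute.
    """
    rows = [("Application ID", client_id), ("Redirect URI", redirect_uri)]
    body = "".join(f"<dt>{escape(k)}</dt><dd>{escape(v)}</dd>" for k, v in rows)
    return f"<dl>{body}</dl>"


def payload_survives(rendered: str, payload: str) -> bool:
    """True when the raw payload is present in the output, i.e. it was not escaped.

    This is the property a regression test should assert on: the literal
    attacker string must never appear unmodified in the rendered HTML.
    """
    return payload in rendered


if __name__ == "__main__":
    before = render_details_unescaped(MALICIOUS_CLIENT_ID, SAMPLE_REDIRECT_URI)
    after = render_details(MALICIOUS_CLIENT_ID, SAMPLE_REDIRECT_URI)
    print("vulnerable:", payload_survives(before, MALICIOUS_CLIENT_ID))
    print("fixed:     ", payload_survives(after, MALICIOUS_CLIENT_ID))
    print(after)
```

One caveat worth keeping in mind when reviewing fixes like this: html.escape is the right encoder for HTML text nodes and quoted attribute values, which is where the consent page's detail values land. It is not sufficient for values placed inside inline JavaScript, CSS, or a URL, each of which needs its own context-specific encoding, so the review question is not only "is it escaped" but "is it escaped for the context it is rendered into".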


@marvin-context-protocol marvin-context-protocol Bot added bug Something isn't working. Reports of errors, unexpected behavior, or broken functionality. auth Related to authentication (Bearer, JWT, OAuth, WorkOS) for client or server. high-priority labels Mar 6, 2026
@jlowin jlowin merged commit 799c4f1 into main Mar 6, 2026
8 checks passed
@jlowin jlowin deleted the codex/fix-consent-screen-xss-vulnerability branch March 6, 2026 22:33

Labels: aardvark, auth (Related to authentication (Bearer, JWT, OAuth, WorkOS) for client or server), bug (Something isn't working. Reports of errors, unexpected behavior, or broken functionality), codex, high-priority
