There is a content spoofing flaw in OpenShift's OAuth endpoint (https://oauth.openshift.apps.HOSTNAME.com): spoofing the error_description query parameter causes the supplied error message to come back in the OpenShift response JSON. For example, a user who opens this URL: https://oauth-openshift.apps.jmazziteos4.lab.upshift.rdu2.redhat.com/error_description=An%20error%20occurred,%20to%20correct%20please%20visit%20http://dr.evil.com%20or%20call%20the%20number%20081337 is shown an error message that includes text injected by the attacker: "An error occurred, to correct please visit http://dr.evil.com or call the number 081337".
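One way to close this class of flaw is to never copy request text into the error body and to return server-owned descriptions instead. The sketch below is an added example, not OpenShift's code or its fix; `BuildErrorBody`, `ErrorBody`, the description wording, and the use of an `error` parameter carrying an RFC 6749 error code are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Fixed, server-owned descriptions keyed by the RFC 6749 section 4.1.2.1
// error codes. The wording is this example's own (assumption).
var fixedDescriptions = map[string]string{
	"invalid_request":           "The request is missing a parameter or is malformed.",
	"unauthorized_client":       "The client is not authorized to make this request.",
	"access_denied":             "The request was denied.",
	"unsupported_response_type": "The response type is not supported.",
	"invalid_scope":             "The requested scope is invalid.",
	"server_error":              "The server encountered an unexpected error.",
	"temporarily_unavailable":   "The server is temporarily unavailable.",
}

// ErrorBody is the JSON shape returned to the client (hypothetical).
type ErrorBody struct {
	Error       string `json:"error"`
	Description string `json:"error_description"`
}

// BuildErrorBody returns the response body for a raw query string and reports
// whether a caller-supplied error_description was discarded, so the event can
// be logged. Nothing from the request is copied into the description.
func BuildErrorBody(rawQuery string) (ErrorBody, bool) {
	q, err := url.ParseQuery(rawQuery)
	_, supplied := q["error_description"]
	code := q.Get("error")
	desc, known := fixedDescriptions[code]
	if err != nil || !known {
		// Unknown or caller-chosen codes are not reflected either.
		code, desc = "invalid_request", fixedDescriptions["invalid_request"]
	}
	return ErrorBody{Error: code, Description: desc}, supplied
}

func main() {
	// Constructed sample input modelled on the query string in the report.
	raw := "error=access_denied&error_description=An%20error%20occurred,%20to%20correct%20please%20visit%20http://dr.evil.com"
	body, discarded := BuildErrorBody(raw)
	out, _ := json.Marshal(body)
	fmt.Println(string(out), "discarded caller text:", discarded)
}
```

The boolean return gives operators a signal to log or alert on requests that arrive with a pre-filled `error_description`, which a legitimate client has no reason to send to the server's own error page.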