Open mancusi opened 2 months ago
Thanks for the report @mancusi.
We'll verify this report, and let you know what we find. We do open up some features in the FreeMarker render configuration to allow for some flexibility knowing that you must be an admin or have an API key to modify them. But we'll review and confirm if this behavior is intended, or if it has any legitimate use case.
XSS Vuln: HTML Email Templates Don't Auto-escape
Description
Custom HTML email templates don't have a Freemarker output format set by default which results in the templates not auto-escaping templates by default
Observed versions
1.49.2
Affects versions
1.49.2
Steps to reproduce
Steps to reproduce the behavior:
<h1>John</h1>
Expected behavior
<h1>John</h1>
should be html escaped. However, no output format is set so an output format must be set manually. See Freemarker docs for details here.Screenshots
Example email:
Platform
(Please complete the following information)
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
Additional context
The output format and auto-escaping values in the example are provided to demonstrate that no output format is being set.