Closed bburky closed 1 week ago
@bburky did you have any ideas of what would solve this? I was looking around and I think (not 100% sure of this) that we could use the built-in `kcSanitize` to wrap the `client.name` and mitigate XSS: `${kcSanitize(client.name)?no_esc}`.
Yes, I think `kcSanitize()` probably works; would need to test. Try putting `<script>alert(1)</script>` into the client name and verify that it gets escaped.
`client.name` is rendered into the webpage without escaping: https://github.com/defenseunicorns/uds-identity-config/blob/v0.5.0/src/theme/login/template.ftl#L57

XSS is possible through the display name of a Keycloak client. Even with client self-registration via Package CR, I think we still consider creating clients to be an admin action, so this has limited security impact (an admin can XSS users, but non-admins shouldn't be able to exploit this).