defenseunicorns / uds-identity-config

https://uds.defenseunicorns.com/core/identity/
Apache License 2.0

XSS via client name in login page #128

Status: Closed (bburky closed this 1 week ago)

bburky commented 3 weeks ago

client.name is rendered into the webpage without escaping: https://github.com/defenseunicorns/uds-identity-config/blob/v0.5.0/src/theme/login/template.ftl#L57. XSS is possible through the display name of a Keycloak client.

Even with client self-registration via Package CR, I think we still consider creating clients to be an admin action, so this has limited security impact (an admin can XSS users, but non-admins shouldn't be able to exploit this).

UnicornChance commented 2 weeks ago

@bburky did you have any ideas of what would solve this? I was looking around and I think (not 100% sure of this) that we could use the built-in kcSanitize to wrap the client.name and mitigate XSS: ${kcSanitize(client.name)?no_esc}.

bburky commented 2 weeks ago

Yes, I think kcSanitize() probably works; would need to test. Try putting <script>alert(1)</script> into the client name and verify that it gets escaped.
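An added regression check for the verification step proposed above; it is written for this issue and is not code from uds-identity-config or Keycloak. It assumes you have already fetched the login page body for a client whose display name was set to the probe string, and the page bodies used here are constructed samples, not captured output.

```python
import html
import re

# The probe string suggested in the issue.
PROBE = "<script>alert(1)</script>"

# Constructed sample bodies standing in for a fetched login page; the
# heading markup is hypothetical, not the UDS theme's actual template.
VULNERABLE_PAGE = f"<h1>Sign in to {PROBE}</h1>"          # template.ftl before the fix
ESCAPED_PAGE = f"<h1>Sign in to {html.escape(PROBE)}</h1>"  # HTML-escaped output


def classify_rendering(body: str, probe: str) -> str:
    """Classify how the client display name landed in the rendered page.

    Returns one of:
      "unescaped"    - probe appears verbatim: the XSS is still present
      "escaped"      - angle brackets became entities (&lt;script&gt;)
      "sanitized"    - tags were dropped but the inner text survived,
                       which is what an allowlist sanitizer may leave behind
      "not-rendered" - nothing from the probe is visible; the test proved
                       nothing and the client name should be checked
    """
    if probe in body:
        return "unescaped"
    if html.escape(probe) in body or html.escape(probe, quote=False) in body:
        return "escaped"
    # Heuristic: strip the tags from the probe and look for the leftover text.
    inner = re.sub(r"<[^>]+>", "", probe).strip()
    if inner and inner in body:
        return "sanitized"
    return "not-rendered"


def client_name_is_safe(body: str, probe: str = PROBE) -> bool:
    """True only when the probe was neutralised AND actually rendered."""
    return classify_rendering(body, probe) in ("escaped", "sanitized")


if __name__ == "__main__":
    for label, page in (("before fix", VULNERABLE_PAGE), ("after fix", ESCAPED_PAGE)):
        print(f"{label}: {classify_rendering(page, PROBE)}")
```

Run it against the real page by replacing the constructed bodies with the HTML returned for the login URL of the client you renamed; a "not-rendered" verdict means the name never reached the page and the check must be repeated.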