[keycloak-dev] If you ever touch Freemarker....
Stan Silvert
ssilvert at redhat.com
Mon Oct 23 12:16:32 EDT 2017
If you ever touch our Freemarker code, you need to be aware that we have
changed the way that HTML is escaped. Don't use ?html any more.

Freemarker is now upgraded to the latest version which provides
automatic escaping of all variables by default. The ?html suffix is no
longer allowed. This is far more secure as we err on the side of caution.

If you intend to include HTML in a Freemarker variable value you need to
tell Freemarker that it shouldn't escape it. Use the ?no_esc suffix.

For example, let's say you have a message bundle entry that looks like this:

    totpStep1=Install <a href="https://myurl/">FreeOTP</a> or Google
    Authenticator on your device.

In Freemarker, you need to say:

    <p>${msg("totpStep1")?no_esc}</p>

Also, be aware that you are responsible for the safety of anything
marked with ?no_esc. Make sure there is no way it can be modified from
outside Keycloak or you will be opening Keycloak to an XSS attack.
Stan
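The behaviour described in the post, as an added stand-alone example (not Keycloak's own code): a FreeMarker 2.3.24+ Configuration with the HTML output format, so every ${...} is escaped by default, a trusted message-bundle value emitted verbatim with ?no_esc, and the old ?html built-in rejected. The model values and the AutoEscapeDemo class are constructed for illustration; Keycloak's real msg() call is replaced by a plain variable.

```java
import freemarker.core.HTMLOutputFormat;
import freemarker.core.ParseException;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class AutoEscapeDemo {

    // Render a template string with HTML auto-escaping on. Setting the HTML output
    // format is what makes FreeMarker escape every interpolation by default.
    static String render(String templateSource, Map<String, Object> model)
            throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_24);
        cfg.setOutputFormat(HTMLOutputFormat.INSTANCE);
        Template template = new Template("demo", templateSource, cfg);
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws IOException, TemplateException {
        Map<String, Object> model = new HashMap<>();
        // Constructed sample values: a trusted bundle entry (stands in for msg("totpStep1"))
        // and an attacker-controlled string such as a user-supplied name.
        model.put("totpStep1",
                "Install <a href=\"https://myurl/\">FreeOTP</a> or Google Authenticator on your device.");
        model.put("username", "<script>alert(1)</script>");

        // Default: the markup in the untrusted value is escaped, so it renders as text, not a tag.
        System.out.println(render("<p>${username}</p>", model));

        // Trusted markup that only Keycloak's own bundle can change: ?no_esc emits it verbatim.
        System.out.println(render("<p>${totpStep1?no_esc}</p>", model));

        // The legacy ?html built-in is not allowed once auto-escaping is on;
        // FreeMarker rejects the template when it is parsed.
        try {
            render("<p>${username?html}</p>", model);
        } catch (ParseException e) {
            System.out.println("?html rejected: " + e.getMessage());
        }
    }
}
```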