[keycloak-dev] Avoiding XSS in Keycloak/Freemarker
Stan Silvert
ssilvert at redhat.com
Mon Sep 10 19:05:26 EDT 2018
*Executive summary:* Any time you use ?no_esc, make sure you also use
kcSanitize().
Most of you on the team are already aware of this, but for completeness
I'll post to the community dev list.
Some time ago, we switched our default Freemarker settings so that
everything is escaped by default. However, this means that some things
need to be explicitly "un-escaped". This includes any time we allow
HTML in an admin console field or in a resource bundle (*.properties file).
The way this is done in Freemarker is to use the ?no_esc directive. For
example, login.ftl has
<span class="kc-feedback-text">${message.summary?no_esc}</span>
This is fine, but what if, somehow, an attacker was able to insert some
HTML into message.summary? It's unlikely because it requires a high
level of access. But it's possible.
We now protect against this using a sanitizer for unescaped content.
From now on, you should call the Keycloak sanitizer any time you are
using ?no_esc. The sanitizer removes unsafe HTML using an algorithm
similar to the one used on eBay. So this example becomes:
<span class="kc-feedback-text">${kcSanitize(message.summary)?no_esc}</span>
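As an added illustration (this is not Keycloak's own sanitizer, whose implementation the post does not describe), the Python sketch below renders the same feedback span three ways: escaped by default, ?no_esc on raw content, and ?no_esc on sanitized content. The allowlist, the function names and the sample message are assumptions made for this example.

```python
import html
from html.parser import HTMLParser

# Constructed allowlist (assumption): harmless inline formatting only.
ALLOWED_TAGS = {"b", "i", "strong", "em", "br", "p", "span"}
ALLOWED_ATTRS = {"class"}
DROP_WITH_CONTENT = {"script", "style"}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds markup keeping only allowlisted tags/attributes; text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped <script>/<style> element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1  # drop the element together with its contents
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its (escaped) text
        kept = "".join(f' {k}="{html.escape(v or "", quote=True)}"'
                       for k, v in attrs if k in ALLOWED_ATTRS)
        self.out.append(f"<{tag}{kept}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> emits a single <br>

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(html.escape(data, quote=False))


def kc_sanitize(markup):
    """Hypothetical stand-in for kcSanitize(): allowlist-filters untrusted HTML."""
    p = AllowlistSanitizer()
    p.feed(markup)
    p.close()
    return "".join(p.out)


def render_escaped(summary):          # Freemarker default: ${message.summary}
    return f'<span class="kc-feedback-text">{html.escape(summary)}</span>'


def render_no_esc(summary):           # ${message.summary?no_esc}: raw HTML passes through
    return f'<span class="kc-feedback-text">{summary}</span>'


def render_sanitized_no_esc(summary): # ${kcSanitize(message.summary)?no_esc}
    return f'<span class="kc-feedback-text">{kc_sanitize(summary)}</span>'
```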