[keycloak-user] HTML injection on registration page
Adrian Matei
adrianmatei at gmail.com
Thu Aug 11 10:55:36 EDT 2016
Hi everyone,
After a security audit we've found out that during user registration one can do
HTML injection by inserting, for example, the following code in the Name
field: Victim<p><a href=www.google.ch>Konto aktivieren</a>
The victim receives the validation email with the malicious link right
after their name. Therefore the injected HTML is rendered instead of
escaped by the email service. Is there any way we can avoid this
declaratively, or what would be an alternative solution?
Best regards,
Adrian
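The rendering problem described in the post, as an added illustration that is not part of the original message and not Keycloak's own code: Keycloak's mail templates are FreeMarker (.ftl) files, and the generic fix is to HTML-escape every interpolated value at the point of output (in FreeMarker, the ?html built-in or an auto-escaping output format). The Python below stands in for that template with a hypothetical minimal verification mail, shows the unescaped rendering next to the escaped one using the exact Name payload from the post, and adds a small check that flags tags the template itself did not contribute. The template text, the link value and all function names are assumptions made for this example.

```python
import html
import re
from collections import Counter
from string import Template

# The payload reported in the post above, used as constructed test input.
INJECTED_NAME = 'Victim<p><a href=www.google.ch>Konto aktivieren</a>'

# Hypothetical verification-mail template; a stand-in for a Keycloak .ftl file,
# not the real one. $name and $link are the interpolated user/application values.
TEMPLATE = Template(
    "<p>Hello $name,</p>\n"
    '<p>Please verify your address: <a href="$link">Verify</a></p>'
)

# Assumed application-generated verification link (constructed for the example).
LINK = "https://sso.example.test/verify?key=abc123"


def render_unescaped(name: str, link: str) -> str:
    """Vulnerable rendering: user-controlled fields are pasted into the HTML verbatim."""
    return TEMPLATE.substitute(name=name, link=link)


def render_escaped(name: str, link: str) -> str:
    """Hardened rendering: every interpolated value is HTML-escaped at output time,
    so '<' in a display name arrives at the mail client as '&lt;' and is shown as text."""
    return TEMPLATE.substitute(
        name=html.escape(name, quote=True),
        link=html.escape(link, quote=True),
    )


_TAG_NAME_RE = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)")


def tag_counts(markup: str) -> Counter:
    """Count HTML tag names (open and close) appearing in a piece of markup."""
    return Counter(t.lower() for t in _TAG_NAME_RE.findall(markup))


def injected_tags(rendered: str) -> Counter:
    """Tags present in the rendered mail beyond those the template itself contains.
    An empty result means nothing interpolated introduced new markup."""
    return tag_counts(rendered) - tag_counts(TEMPLATE.template)


def valid_display_name(name: str) -> bool:
    """Defence in depth at the registration form: refuse names that carry markup.
    Output escaping is still the primary fix; this only narrows what gets stored."""
    return "<" not in name and ">" not in name and 0 < len(name.strip()) <= 255


if __name__ == "__main__":
    print("--- unescaped (vulnerable) ---")
    print(render_unescaped(INJECTED_NAME, LINK))
    print("extra tags:", dict(injected_tags(render_unescaped(INJECTED_NAME, LINK))))
    print("--- escaped (hardened) ---")
    print(render_escaped(INJECTED_NAME, LINK))
    print("extra tags:", dict(injected_tags(render_escaped(INJECTED_NAME, LINK))))
    print("name accepted at registration:", valid_display_name(INJECTED_NAME))
```

In the unescaped output the injected anchor appears as a live link immediately after "Hello Victim", exactly as the post describes; in the escaped output the same bytes are shown literally. Escaping at the template layer is the declarative option, because it covers every field a template ever prints rather than the one field the audit happened to hit.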