Hi all,
In my Keycloak FreeMarker template I want to use the msg functionality with two parameters - one should be escaped, the other should not; the escaped property is required as it could contain malicious HTML. I have tested the following 3 things and get different formatting.
1. ${kcSanitize(salutation)?esc}
2. ${kcSanitize(msg("registrationBodyHtml", kcSanitize(salutation)?esc, link))?no_esc}
3. ${kcSanitize(msg("registrationBodyHtml", salutation?esc, link))?no_esc}
Where malicious salutation = “Hello” and non-malicious salutation = “Hello”
The message in the messages file is:
registrationBodyHtml={0}. Thank you for registering. Link
Output results for the malicious salutation property:
1. Hello - correct, as the HTML has been escaped.
2/3. markupOutput(format=HTML, plainText=Hello) - incorrect, as I think the Java object has just been converted via toString by the msg function?
Output results for the non-malicious salutation property:
1. Hello - correct, as the plain text is shown and is readable to the user.
2/3. markupOutput(format=HTML, plainText=Hello) - incorrect - it should say “Hello”; the same thing is happening as with the malicious content.
Whilst 1 is correct, the user’s requirement is to be able to update their messages in the appropriate messages file, therefore I need to use the msg() style shown in 2 and 3, and option 1 is not viable for me.
Any help appreciated,
Many Thanks.
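As an added example (not part of the original post and not Keycloak's own template code), here is a variant of option 3 that passes msg() an already-escaped String instead of the markup output object that ?esc produces. It assumes the same salutation, link and registrationBodyHtml message as in the question, that Keycloak's msg() stringifies its arguments with java.text.MessageFormat (which is consistent with the markupOutput(...) text observed), and FreeMarker 2.3.24 or later for the ?markup_string built-in.

```ftl
<#-- Added example, not from the original post. Assumes the same
     salutation, link and registrationBodyHtml message as the question. -->

<#-- salutation?esc returns a markup output value, not a String. Keycloak's
     msg() (assumed to format its arguments with java.text.MessageFormat)
     calls toString() on each argument, which is why the rendered text reads
     "markupOutput(format=HTML, plainText=...)" instead of the salutation. -->

<#-- ?markup_string converts the markup output back into a plain String that
     already holds the escaped HTML, e.g. "&lt;b&gt;Hello&lt;/b&gt;", so the
     untrusted salutation can never be interpreted as markup. -->
<#assign safeSalutation = salutation?esc?markup_string>

<#-- The message is built from the escaped salutation plus the trusted link;
     kcSanitize still runs over the complete result and ?no_esc emits the
     resulting HTML (the message file keeps its own tags). -->
${kcSanitize(msg("registrationBodyHtml", safeSalutation, link))?no_esc}

<#-- Equivalent older-style form: the ?html built-in also yields an escaped
     String rather than a markup output value. -->
<#-- ${kcSanitize(msg("registrationBodyHtml", salutation?html, link))?no_esc} -->
```

A salutation containing MessageFormat special characters (single quotes or braces) can still be altered by the formatter, so it is worth checking such inputs in addition to the HTML cases.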