Freemarker `msg` function does not escape correctly

Hi all,

In my keycloak freemarker template I want to use the msg functionality with two parameters - one should be escaped the other should not, the escaped property is required as it could contain malicious html. I have tested the following 3 things and get different formatting.

  1. ${kcSanitize(salutation)?esc}
  2. ${kcSanitize(msg("registrationBodyHtml", kcSanitize(salutation)?esc, link))?no_esc}
  3. ${kcSanitize(msg("registrationBodyHtml", salutation?esc, link))?no_esc}

Where malicious salutation = “Hello” and non-malicious salutation = “Hello”

The message in the messages file is:


{0}. Thank you for registering. Link

Output results for the malicious salutation property:

  1. Hello

    - correct as the html has been escaped.

2/3. markupOutput(format=HTML, plainText=Hello) - incorrect as I think the java object has just been converted toString by the msg function?

Output results for the non-malicious salutation property:

  1. Hello - correct as the plain text is shown and is readable to the user.
    2/3. markupOutput(format=HTML, plainText=Hello) - incorrect - it should say “Hello” and the same is happening as the malicous content.

Whilst 1 is correct the user’s requirement is to be able to update their messages in the appropriate messages file, therefore I need to use the msg() style shown in 2 and 3 and option 1 is not viable to me.

Any help appreciated,

Many Thanks.

The malicious salutation is actaully meant to be an anchor tag with a link to a malicious site - however the forum has formatted it so it looks identical to the non-malicious