KEYCLOAK-16890: Stored XSS attack on new acct console (#7867)

keycloak · Mar 22, 2021 · 717d951 · 717d951
1 parent 3b80eee
commit 717d951
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 1 deletion.
diff --git a/...ests/other/base-ui/src/test/java/org/keycloak/testsuite/ui/account2/PersonalInfoTest.java b/...ests/other/base-ui/src/test/java/org/keycloak/testsuite/ui/account2/PersonalInfoTest.java
@@ -250,4 +250,22 @@ public void updateProfileWithAttributePresent() {
 
         ApiUtil.removeUserByUsername(testRealm, "keycloak-15634");
     }
+
+    @Test
+    // https://issues.redhat.com/browse/KEYCLOAK-16890
+    // Stored personal info triggers attack via the display of user name in header.
+    // If user name is left unsanitized, this test will fail with
+    // org.openqa.selenium.UnhandledAlertException: unexpected alert open: {Alert text : XSS}
+    public void storedXSSAttack() {
+        personalInfoPage.navigateTo();
+        testUser.setFirstName("<img src=x onerror=\"alert('XSS');\">");
+        personalInfoPage.setValues(testUser, false);
+        personalInfoPage.clickSave();
+
+        personalInfoPage.header().clickLogoutBtn();
+        accountWelcomeScreen.header().clickLoginBtn();
+        loginPage.form().login(testUser);
+        personalInfoPage.navigateTo();
+    }
+
 }
diff --git a/themes/src/main/resources/theme/keycloak.v2/account/resources/welcome-page-scripts.js b/themes/src/main/resources/theme/keycloak.v2/account/resources/welcome-page-scripts.js
@@ -55,7 +55,13 @@ function loggedInUserName() {
             userName = (givenName || familyName) || preferredUsername || userName;
         }
     }
-    return userName;
+    return sanitize(userName);
+}
+
+function sanitize(dirtyString) {
+    let element = document.createElement("span");
+    element.textContent = dirtyString;
+    return element.innerHTML;
 }
 
 var toggleMobileDropdown = function () {