Before reporting an issue
Area
authentication
Describe the bug
The file frontchannel-logout.ftl uses a property directly in JavaScript. Messages are controlled by realm administrators, so low risk, but better if we improve this.
We can use a JavaScript output <#outputformat "JavaScript"> and use "${msg("frontchannel-logout.title")?c} to properly escape the message, or add a title parameter to the templates and add it normally in the HTML part.
Version
26.6.1
Regression
Expected behavior
The message should be escaped or added not in JS.
Actual behavior
The msg is added using JS and not properly escaped in the ftl file.
How to Reproduce?
N/A
Anything else?
No response
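The gap between HTML escaping and JavaScript string-literal escaping that this report describes, as an added example (not Keycloak code and not part of the original report). The message values are constructed, the statement shape is assumed, and `jsStringLiteral` is a hypothetical stand-in for a JavaScript-context encoder, not FreeMarker's implementation.

```javascript
// Added example with constructed inputs; not taken from frontchannel-logout.ftl.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML escaping: correct for element content, wrong inside a <script> block,
// where entities are not decoded and backslashes/newlines keep their JS meaning.
function htmlEscape(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// JavaScript-context encoding: emit a complete string literal, quotes included.
// Every UTF-16 code unit outside a small safe set becomes \uXXXX, so quotes,
// backslashes, line terminators and '<' never appear raw in the script.
function jsStringLiteral(s) {
  let out = '"';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    out += /[A-Za-z0-9 .,_!?:-]/.test(ch)
      ? ch
      : '\\u' + s.charCodeAt(i).toString(16).padStart(4, '0');
  }
  return out + '"';
}

// Evaluate the literal the way an inline script would parse it
// (assumed shape: <some assignment> = LITERAL;).
function evaluate(literal) {
  try {
    return { ok: true, value: new Function('return ' + literal + ';')() };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

function compare(message) {
  return {
    htmlInQuotes: evaluate('"' + htmlEscape(message) + '"'),
    jsLiteral: evaluate(jsStringLiteral(message)),
    emitted: jsStringLiteral(message),
  };
}

// Constructed message texts, as a realm administrator might enter them.
const WITH_NEWLINE = 'Signing out of "ACME" <b>SSO</b>\nDone';
const WITH_BACKSLASH = 'Bye "you" \\now';

console.log(compare(WITH_NEWLINE));
console.log(compare(WITH_BACKSLASH));
```

The first message breaks the script outright under HTML escaping, the second is silently altered; only the string-literal form returns both unchanged.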