
No escape approach for JS code inside the front channel logout FTL #48313

@mabartos

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

login/ui

Describe the bug

Sometimes, in the FreeMarker template files (.ftl), we don't use escaping for the JS code, which might lead to JS injection in some places. In frontchannel-logout.ftl, we should handle the critical logout redirect URI.

We should use FreeMarker's outputformat functionality.

Version

main

Regression

  • The issue is a regression

Expected behavior

The JS code escaping should be used in the templates

Actual behavior

The JS code escaping is NOT used in the templates

How to Reproduce?

Put some JS script into your .ftl file:

<script>
    function readystatechange(event) {
        if (document.readyState=='complete') {
            window.location.replace('${myVar}');
        }
    }
    document.addEventListener('readystatechange', readystatechange);
</script>
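The snippet above interpolates `${myVar}` straight into a single-quoted JavaScript string literal, so any quote, backslash or line break in the value changes the meaning of the script. The following Java program is an added example, not code from the issue or from Keycloak: it renders the same snippet twice with the FreeMarker engine, once unescaped as reported and once with the value passed through FreeMarker's `?js_string` built-in, which escapes it for a JavaScript string context. It assumes a model variable named `logoutRedirectUri`, a demo `Configuration` with no auto-escaping output format set (so plain `${...}` emits the value verbatim), and a constructed sample URI that happens to contain an apostrophe.

```java
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Map;

/**
 * Added demo (not Keycloak code): shows why a ${...} placed inside a JavaScript
 * string literal needs JavaScript escaping, and what ?js_string changes.
 * "logoutRedirectUri" is an assumed model variable name for this demo.
 */
public class FrontChannelLogoutEscapingDemo {

    // Snippet as reported: the value is inserted verbatim into a JS string literal.
    static final String UNESCAPED_TEMPLATE =
            "<script>\n"
          + "    window.location.replace('${logoutRedirectUri}');\n"
          + "</script>\n";

    // Same snippet with the ?js_string built-in: quotes, backslashes, line breaks
    // and "</" in the value are escaped so they stay inside the string literal.
    static final String ESCAPED_TEMPLATE =
            "<script>\n"
          + "    window.location.replace('${logoutRedirectUri?js_string}');\n"
          + "</script>\n";

    /** Renders a template source with the given redirect URI in the data model. */
    static String render(String templateSource, String redirectUri)
            throws IOException, TemplateException {
        // Assumption for the demo: no output format configured, i.e. FreeMarker's
        // "undefined" output format, where ${...} performs no escaping at all.
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        Template template = new Template("frontchannel-logout-demo",
                new StringReader(templateSource), cfg);
        StringWriter out = new StringWriter();
        template.process(Map.of("logoutRedirectUri", redirectUri), out);
        return out.toString();
    }

    public static void main(String[] args) throws IOException, TemplateException {
        // Constructed sample value: a legitimate-looking URI with an apostrophe,
        // which is already enough to terminate the single-quoted literal early.
        String uri = "https://app.example.com/logged-out?user=O'Brien";

        System.out.println("--- unescaped (as reported) ---");
        System.out.print(render(UNESCAPED_TEMPLATE, uri));
        // The apostrophe now appears as \' and the literal stays intact.
        System.out.println("--- with ?js_string ---");
        System.out.print(render(ESCAPED_TEMPLATE, uri));
    }
}
```

Compile and run with the FreeMarker jar on the classpath (for example `javac -cp freemarker-2.3.31.jar FrontChannelLogoutEscapingDemo.java` followed by `java -cp freemarker-2.3.31.jar:. FrontChannelLogoutEscapingDemo`). In the unescaped rendering the apostrophe in the URI closes the string literal early and leaves `Brien');` outside it; in the escaped rendering it is emitted as `\'`, so the browser still sees one string literal. If the real template runs under an HTML auto-escaping output format, the choice of escaping for a `<script>` context has to be checked against that configuration rather than assumed from this demo.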

Anything else?

No response
