From 717d9515fa131e3d8c8936e41b2e52270fdec976 Mon Sep 17 00:00:00 2001
From: Stan Silvert
Date: Mon, 22 Mar 2021 06:24:12 -0400
Subject: [PATCH] KEYCLOAK-16890: Stored XSS attack on new acct console (#7867)
---
 .../ui/account2/PersonalInfoTest.java | 18 ++++++++++++++++++
 .../account/resources/welcome-page-scripts.js | 8 +++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/testsuite/integration-arquillian/tests/other/base-ui/src/test/java/org/keycloak/testsuite/ui/account2/PersonalInfoTest.java b/testsuite/integration-arquillian/tests/other/base-ui/src/test/java/org/keycloak/testsuite/ui/account2/PersonalInfoTest.java
index ee51b20759..eb8ab35c2a 100644
--- a/testsuite/integration-arquillian/tests/other/base-ui/src/test/java/org/keycloak/testsuite/ui/account2/PersonalInfoTest.java
+++ b/testsuite/integration-arquillian/tests/other/base-ui/src/test/java/org/keycloak/testsuite/ui/account2/PersonalInfoTest.java
@@ -250,4 +250,22 @@ public class PersonalInfoTest extends BaseAccountPageTest {
 ApiUtil.removeUserByUsername(testRealm, "keycloak-15634");
 }
 
+
+ @Test
+ // https://issues.redhat.com/browse/KEYCLOAK-16890
+ // Stored personal info triggers attack via the display of user name in header.
+ // If user name is left unsanitized, this test will fail with
+ // org.openqa.selenium.UnhandledAlertException: unexpected alert open: {Alert text : XSS}
+ public void storedXSSAttack() {
+ personalInfoPage.navigateTo();
+ testUser.setFirstName("");
+ personalInfoPage.setValues(testUser, false);
+ personalInfoPage.clickSave();
+
+ personalInfoPage.header().clickLogoutBtn();
+ accountWelcomeScreen.header().clickLoginBtn();
+ loginPage.form().login(testUser);
+ personalInfoPage.navigateTo();
+ }
+
 }
diff --git a/themes/src/main/resources/theme/keycloak.v2/account/resources/welcome-page-scripts.js b/themes/src/main/resources/theme/keycloak.v2/account/resources/welcome-page-scripts.js
index 3559d65ab6..1ad130e66e 100644
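Review bot: As rendered here, `testUser.setFirstName("");` stores an empty first name, so the test as shown never exercises the sanitizer; presumably the markup payload was stripped when the patch was rendered, but that line should be checked against the original commit. The test also carries no assertion of its own: it passes only because no alert interrupts the final `personalInfoPage.navigateTo();`, so a regression that mangles the name without executing script would go unnoticed — asserting that the header's user-name text equals the stored first name verbatim (via whatever accessor the header page object offers) would pin the intended escaping behaviour. Unlike the preceding test, which removes its user, this one leaves the modified first name on the shared `testUser`, which may bleed into later tests; restoring the original first name at the end would be safer. As a style point, the explanatory comment sits between `@Test` and the method signature; placing it above the annotation matches the usual Java layout.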
--- a/themes/src/main/resources/theme/keycloak.v2/account/resources/welcome-page-scripts.js
+++ b/themes/src/main/resources/theme/keycloak.v2/account/resources/welcome-page-scripts.js
@@ -55,7 +55,13 @@ function loggedInUserName() {
 userName = (givenName || familyName) || preferredUsername || userName;
 }
 }
- return userName;
+ return sanitize(userName);
+}
+
+function sanitize(dirtyString) {
+ let element = document.createElement("span");
+ element.textContent = dirtyString;
+ return element.innerHTML;
 }
 
 var toggleMobileDropdown = function () {
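Review bot: `sanitize` escapes at the source rather than at the sink: serializing a text node through `innerHTML` encodes `&`, `<` and `>` but not quote characters, so the value returned from `loggedInUserName()` is only safe if its caller injects it into an HTML text context, and it would be double-encoded if that caller ever switched to `textContent`; the caller is outside this hunk, so this is inferred. The more robust shape is to return the raw name and have the header code assign it with `element.textContent = loggedInUserName();`, which needs no escaping step at all. If the helper stays, `let element` is never reassigned and should be `const element`, and it deserves a short JSDoc stating its limits, e.g. `/** HTML-escape a string for insertion as HTML text; not safe for attribute values. */`. Note too that the surrounding file uses `var` (see `var toggleMobileDropdown`), so introducing `let` here mixes declaration styles. The body of `loggedInUserName` starts outside the hunk.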