KEYCLOAK-16890: Stored XSS attack on new acct console (#7867)

2021-03-22 06:24:12 -04:00 · 2021-03-22 06:24:12 -04:00 · 717d9515fa
commit 717d9515fa
parent 3b80eee5bf
2 changed files with 25 additions and 1 deletions
--- a/testsuite/integration-arquillian/tests/other/base-ui/src/test/java/org/keycloak/testsuite/ui/account2/PersonalInfoTest.java
+++ b/testsuite/integration-arquillian/tests/other/base-ui/src/test/java/org/keycloak/testsuite/ui/account2/PersonalInfoTest.java
@ -250,4 +250,22 @@ public class PersonalInfoTest extends BaseAccountPageTest {

        ApiUtil.removeUserByUsername(testRealm, "keycloak-15634");
    }
+
+    @Test
+    // https://issues.redhat.com/browse/KEYCLOAK-16890
+    // Stored personal info triggers attack via the display of user name in header.
+    // If user name is left unsanitized, this test will fail with
+    // org.openqa.selenium.UnhandledAlertException: unexpected alert open: {Alert text : XSS}
+    public void storedXSSAttack() {
+        personalInfoPage.navigateTo();
+        testUser.setFirstName("<img src=x onerror=\"alert('XSS');\">");
+        personalInfoPage.setValues(testUser, false);
+        personalInfoPage.clickSave();
+
+        personalInfoPage.header().clickLogoutBtn();
+        accountWelcomeScreen.header().clickLoginBtn();
+        loginPage.form().login(testUser);
+        personalInfoPage.navigateTo();
+    }
+
 }
--- a/themes/src/main/resources/theme/keycloak.v2/account/resources/welcome-page-scripts.js
+++ b/themes/src/main/resources/theme/keycloak.v2/account/resources/welcome-page-scripts.js
@ -55,7 +55,13 @@ function loggedInUserName() {
            userName = (givenName || familyName) || preferredUsername || userName;
        }
    }
-    return userName;
+    return sanitize(userName);
+}
+
+function sanitize(dirtyString) {
+    let element = document.createElement("span");
+    element.textContent = dirtyString;
+    return element.innerHTML;
 }

 var toggleMobileDropdown = function () {