XSS Vuln: HTML Email Templates Don't Auto-escape

[mancusi]

XSS Vuln: HTML Email Templates Don't Auto-escape

Description

Custom HTML email templates don't have a Freemarker output format set by default which results in the templates not auto-escaping templates by default

Observed versions

1.49.2

Affects versions

1.49.2

Steps to reproduce

Steps to reproduce the behavior:

1. Create an email template with the following HTML

<html>
  <body>
    <p>Output format: ${.output_format}</p>
    <p>Auto-escaping: ${.auto_esc?c}</p>
    <p>Hi ${user.firstName}!</p>
  </body>
</html>

2. Create a user with a first name of <h1>John</h1>
3. Send a test email to them.

Expected behavior

<h1>John</h1> should be html escaped. However, no output format is set so an output format must be set manually. See Freemarker docs for details here.

Screenshots

Example email:

Platform

(Please complete the following information)

• Device: any
• OS: any
• Browser + version: any
• Database: any

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

Additional context

The output format and auto-escaping values in the example are provided to demonstrate that no output format is being set.

[robotdan]

Thanks for the report @mancusi.

We'll verify this report, and let you know what we find. We do open up some features in the FreeMarker render configuration to allow for some flexibility knowing that you must be an admin or have an API key to modify them. But we'll review and confirm if this behavior is intended, or if it has any legitimate use case.