XSS Vuln: HTML Email Templates Don't Auto-escape

[mancusi]

XSS Vuln: HTML Email Templates Don't Auto-escape

Description

Custom HTML email templates don't have a Freemarker output format set by default which results in the templates not auto-escaping templates by default

Observed versions

1.49.2

Affects versions

1.49.2

Steps to reproduce

Steps to reproduce the behavior:

1. Create an email template with the following HTML

<html>
  <body>
    <p>Output format: ${.output_format}</p>
    <p>Auto-escaping: ${.auto_esc?c}</p>
    <p>Hi ${user.firstName}!</p>
  </body>
</html>

2. Create a user with a first name of <h1>John</h1>
3. Send a test email to them.

Expected behavior

<h1>John</h1> should be html escaped. However, no output format is set so an output format must be set manually. See Freemarker docs for details here.

Screenshots

Example email:

Platform

(Please complete the following information)

• Device: any
• OS: any
• Browser + version: any
• Database: any

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

Additional context

The output format and auto-escaping values in the example are provided to demonstrate that no output format is being set.