From 39d1fa2825c6d7b1e759968babe7713b21045c07 Mon Sep 17 00:00:00 2001
From: Alexander Schwartz <aschwart@redhat.com>
Date: Thu, 27 Nov 2025 11:16:21 +0100
Subject: [PATCH] Escape passkeys descriptions and labels depending on the
 context

Closes #44387

Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
---
 .../registration/PolicyJsInjectionTest.java   |  2 +-
 ...ogin-passkeys-conditional-authenticate.ftl | 32 ++++++++++---------
 .../resources/theme/base/login/passkeys.ftl   | 14 ++++----
 .../base/login/webauthn-authenticate.ftl      | 24 +++++++-------
 .../theme/base/login/webauthn-register.ftl    | 30 +++++++++--------
 .../login/webauthn-authenticate.ftl           | 23 +++++++------
 .../keycloak.v2/login/webauthn-register.ftl   | 30 +++++++++--------
 7 files changed, 84 insertions(+), 71 deletions(-)

diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/registration/PolicyJsInjectionTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/registration/PolicyJsInjectionTest.java
index d4d78ee2bcd..fd0bf4c9f25 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/registration/PolicyJsInjectionTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/registration/PolicyJsInjectionTest.java
@@ -160,7 +160,7 @@ public class PolicyJsInjectionTest extends AbstractWebAuthnVirtualTest {
             assertThat(authenticators, notNullValue());
             assertThat(authenticators.getItems(), not(Matchers.empty()));
 
-            assertThat(authenticators.getLabels().get(0), is("label`;window.prompt(\"another\");"));
+            assertThat(authenticators.getLabels().get(0), is(originalLabel));
         }
     }
 
diff --git a/themes/src/main/resources/theme/base/login/login-passkeys-conditional-authenticate.ftl b/themes/src/main/resources/theme/base/login/login-passkeys-conditional-authenticate.ftl
index 05b9da7f9fa..f37a787dcc1 100644
--- a/themes/src/main/resources/theme/base/login/login-passkeys-conditional-authenticate.ftl
+++ b/themes/src/main/resources/theme/base/login/login-passkeys-conditional-authenticate.ftl
@@ -3,7 +3,7 @@
     <#if section = "title">
      title
     <#elseif section = "header">
-        ${kcSanitize(msg("passkey-login-title"))?no_esc}
+        ${msg("passkey-login-title")}
     <#elseif section = "form">
         <form id="webauth" action="${url.loginAction}" method="post">
             <input type="hidden" id="clientDataJSON" name="clientDataJSON"/>
@@ -24,7 +24,7 @@
 
                 <#if shouldDisplayAuthenticators?? && shouldDisplayAuthenticators>
                     <#if authenticators.authenticators?size gt 1>
-                        <p class="${properties.kcSelectAuthListItemTitle!}">${kcSanitize(msg("passkey-available-authenticators"))?no_esc}</p>
+                        <p class="${properties.kcSelectAuthListItemTitle!}">${msg("passkey-available-authenticators")}</p>
                     </#if>
 
                     <div class="${properties.kcFormClass!}">
@@ -36,14 +36,14 @@
                                 <div class="${properties.kcSelectAuthListItemBodyClass!}">
                                     <div id="kc-webauthn-authenticator-label-${authenticator?index}"
                                          class="${properties.kcSelectAuthListItemHeadingClass!}">
-                                        ${kcSanitize(msg('${authenticator.label}'))?no_esc}
+                                        ${authenticator.label}
                                     </div>
 
                                     <#if authenticator.transports?? && authenticator.transports.displayNameProperties?has_content>
                                         <div id="kc-webauthn-authenticator-transport-${authenticator?index}"
                                             class="${properties.kcSelectAuthListItemDescriptionClass!}">
                                             <#list authenticator.transports.displayNameProperties as nameProperty>
-                                                <span>${kcSanitize(msg('${nameProperty!}'))?no_esc}</span>
+                                                <span>${msg(nameProperty)}</span>
                                                 <#if nameProperty?has_next>
                                                     <span>, </span>
                                                 </#if>
@@ -53,10 +53,10 @@
 
                                     <div class="${properties.kcSelectAuthListItemDescriptionClass!}">
                                         <span id="kc-webauthn-authenticator-createdlabel-${authenticator?index}">
-                                            ${kcSanitize(msg('passkey-createdAt-label'))?no_esc}
+                                            ${msg('passkey-createdAt-label')}
                                         </span>
                                         <span id="kc-webauthn-authenticator-created-${authenticator?index}">
-                                            ${kcSanitize(authenticator.createdAt)?no_esc}
+                                            ${authenticator.createdAt}
                                         </span>
                                     </div>
                                 </div>
@@ -92,7 +92,7 @@
                     </#if>
                     <div id="kc-form-passkey-button" class="${properties.kcFormButtonsClass!}" style="display:none">
                         <input id="authenticateWebAuthnButton" type="button" autofocus="autofocus"
-                            value="${kcSanitize(msg("passkey-doAuthenticate"))}"
+                            value="${msg("passkey-doAuthenticate")}"
                             class="${properties.kcButtonClass!} ${properties.kcButtonPrimaryClass!} ${properties.kcButtonBlockClass!} ${properties.kcButtonLargeClass!}"/>
                     </div>
                 </div>
@@ -100,17 +100,18 @@
         </div>
 
         <script type="module">
+            <#outputformat "JavaScript">
             import { authenticateByWebAuthn } from "${url.resourcesPath}/js/webauthnAuthenticate.js";
             import { initAuthenticate } from "${url.resourcesPath}/js/passkeysConditionalAuth.js";
 
             const authButton = document.getElementById('authenticateWebAuthnButton');
             const input = {
                 isUserIdentified : ${isUserIdentified},
-                challenge : '${challenge}',
-                userVerification : '${userVerification}',
-                rpId : '${rpId}',
+                challenge : ${challenge?c},
+                userVerification : ${userVerification?c},
+                rpId : ${rpId?c},
                 createTimeout : ${createTimeout?c},
-                errmsg : "${msg("webauthn-unsupported-browser-text")?no_esc}"
+                errmsg : ${msg("webauthn-unsupported-browser-text")?c}
             };
             authButton.addEventListener("click", () => {
                 authenticateByWebAuthn(input);
@@ -118,11 +119,11 @@
 
             const args = {
                 isUserIdentified : ${isUserIdentified},
-                challenge : '${challenge}',
-                userVerification : '${userVerification}',
-                rpId : '${rpId}',
+                challenge : ${challenge?c},
+                userVerification : ${userVerification?c},
+                rpId : ${rpId?c},
                 createTimeout : ${createTimeout?c},
-                errmsg : "${msg("passkey-unsupported-browser-text")?no_esc}"
+                errmsg : ${msg("passkey-unsupported-browser-text")?c}
             };
 
             document.addEventListener("DOMContentLoaded", (event) => initAuthenticate(args, (available) => {
@@ -132,6 +133,7 @@
                     document.getElementById("kc-form-passkey-button").style.display = 'block';
                 }
             }));
+            </#outputformat>
         </script>
 
     <#elseif section = "info">
diff --git a/themes/src/main/resources/theme/base/login/passkeys.ftl b/themes/src/main/resources/theme/base/login/passkeys.ftl
index 6e3328fa37b..24db6a1cef1 100644
--- a/themes/src/main/resources/theme/base/login/passkeys.ftl
+++ b/themes/src/main/resources/theme/base/login/passkeys.ftl
@@ -16,28 +16,30 @@
             </form>
         </#if>
         <script type="module">
+           <#outputformat "JavaScript">
            import { authenticateByWebAuthn } from "${url.resourcesPath}/js/webauthnAuthenticate.js";
            import { initAuthenticate } from "${url.resourcesPath}/js/passkeysConditionalAuth.js";
 
            const args = {
                isUserIdentified : ${isUserIdentified},
-               challenge : '${challenge}',
-               userVerification : '${userVerification}',
-               rpId : '${rpId}',
+               challenge : ${challenge?c},
+               userVerification : ${userVerification?c},
+               rpId : ${rpId?c},
                createTimeout : ${createTimeout?c}
            };
 
-           document.addEventListener("DOMContentLoaded", (event) => initAuthenticate({errmsg : "${msg("passkey-unsupported-browser-text")?no_esc}", ...args}));
+           document.addEventListener("DOMContentLoaded", (event) => initAuthenticate({errmsg : ${msg("passkey-unsupported-browser-text")?c}, ...args}));
            const authButton = document.getElementById('authenticateWebAuthnButton');
            if (authButton) {
                authButton.addEventListener("click", (event) => {
                    event.preventDefault();
-                   authenticateByWebAuthn({errmsg : "${msg("webauthn-unsupported-browser-text")?no_esc}", ...args});
+                   authenticateByWebAuthn({errmsg : ${msg("webauthn-unsupported-browser-text")?c}, ...args});
                }, { once: true });
            }
+           </#outputformat>
         </script>
         <a id="authenticateWebAuthnButton" href="#" class="${properties.kcButtonSecondaryClass!} ${properties.kcButtonBlockClass!} ${properties.kcMarginTopClass!}">
-            ${kcSanitize(msg("webauthn-doAuthenticate"))?no_esc}
+            ${msg("webauthn-doAuthenticate")}
         </a>
     </#if>
 </#macro>
diff --git a/themes/src/main/resources/theme/base/login/webauthn-authenticate.ftl b/themes/src/main/resources/theme/base/login/webauthn-authenticate.ftl
index ad767cfb300..748be5420b8 100644
--- a/themes/src/main/resources/theme/base/login/webauthn-authenticate.ftl
+++ b/themes/src/main/resources/theme/base/login/webauthn-authenticate.ftl
@@ -3,7 +3,7 @@
     <#if section = "title">
      title
     <#elseif section = "header">
-        ${kcSanitize(msg("webauthn-login-title"))?no_esc}
+        ${msg("webauthn-login-title")}
     <#elseif section = "form">
         <div id="kc-form-webauthn" class="${properties.kcFormClass!}">
             <form id="webauth" action="${url.loginAction}" method="post">
@@ -25,7 +25,7 @@
 
                     <#if shouldDisplayAuthenticators?? && shouldDisplayAuthenticators>
                         <#if authenticators.authenticators?size gt 1>
-                            <p class="${properties.kcSelectAuthListItemTitle!}">${kcSanitize(msg("webauthn-available-authenticators"))?no_esc}</p>
+                            <p class="${properties.kcSelectAuthListItemTitle!}">${msg("webauthn-available-authenticators")}</p>
                         </#if>
 
                         <div class="${properties.kcFormClass!}">
@@ -37,14 +37,14 @@
                                     <div class="${properties.kcSelectAuthListItemBodyClass!}">
                                         <div id="kc-webauthn-authenticator-label-${authenticator?index}"
                                              class="${properties.kcSelectAuthListItemHeadingClass!}">
-                                            ${kcSanitize(msg('${authenticator.label}'))?no_esc}
+                                            ${authenticator.label}
                                         </div>
 
                                         <#if authenticator.transports?? && authenticator.transports.displayNameProperties?has_content>
                                             <div id="kc-webauthn-authenticator-transport-${authenticator?index}"
                                                  class="${properties.kcSelectAuthListItemDescriptionClass!}">
                                                 <#list authenticator.transports.displayNameProperties as nameProperty>
-                                                    <span>${kcSanitize(msg('${nameProperty!}'))?no_esc}</span>
+                                                    <span>${msg(nameProperty)}</span>
                                                     <#if nameProperty?has_next>
                                                         <span>, </span>
                                                     </#if>
@@ -54,10 +54,10 @@
 
                                         <div class="${properties.kcSelectAuthListItemDescriptionClass!}">
                                             <span id="kc-webauthn-authenticator-createdlabel-${authenticator?index}">
-                                                ${kcSanitize(msg('webauthn-createdAt-label'))?no_esc}
+                                                ${msg('webauthn-createdAt-label')}
                                             </span>
                                             <span id="kc-webauthn-authenticator-created-${authenticator?index}">
-                                                ${kcSanitize(authenticator.createdAt)?no_esc}
+                                                ${authenticator.createdAt}
                                             </span>
                                         </div>
                                     </div>
@@ -70,26 +70,28 @@
 
                 <div id="kc-form-buttons" class="${properties.kcFormButtonsClass!}">
                     <input id="authenticateWebAuthnButton" type="button" autofocus="autofocus"
-                           value="${kcSanitize(msg("webauthn-doAuthenticate"))}"
+                           value="${msg("webauthn-doAuthenticate")}"
                            class="${properties.kcButtonClass!} ${properties.kcButtonPrimaryClass!} ${properties.kcButtonBlockClass!} ${properties.kcButtonLargeClass!}"/>
                 </div>
             </div>
         </div>
 
     <script type="module">
+        <#outputformat "JavaScript">
         import { authenticateByWebAuthn } from "${url.resourcesPath}/js/webauthnAuthenticate.js";
         const authButton = document.getElementById('authenticateWebAuthnButton');
         authButton.addEventListener("click", function() {
             const input = {
                 isUserIdentified : ${isUserIdentified},
-                challenge : '${challenge}',
-                userVerification : '${userVerification}',
-                rpId : '${rpId}',
+                challenge : ${challenge?c},
+                userVerification : ${userVerification?c},
+                rpId : ${rpId?c},
                 createTimeout : ${createTimeout?c},
-                errmsg : "${msg("webauthn-unsupported-browser-text")?no_esc}"
+                errmsg : ${msg("webauthn-unsupported-browser-text")?c}
             };
             authenticateByWebAuthn(input);
         }, { once: true });
+        </#outputformat>
     </script>
 
     <#elseif section = "info">
diff --git a/themes/src/main/resources/theme/base/login/webauthn-register.ftl b/themes/src/main/resources/theme/base/login/webauthn-register.ftl
index 7fa4a91316a..f9a61477d31 100644
--- a/themes/src/main/resources/theme/base/login/webauthn-register.ftl
+++ b/themes/src/main/resources/theme/base/login/webauthn-register.ftl
@@ -6,7 +6,7 @@
         title
     <#elseif section = "header">
         <span class="${properties.kcWebAuthnKeyIcon!}"></span>
-        ${kcSanitize(msg("webauthn-registration-title"))?no_esc}
+        ${msg("webauthn-registration-title")}
     <#elseif section = "form">
 
         <form id="register" class="${properties.kcFormClass!}" action="${url.loginAction}" method="post">
@@ -22,28 +22,30 @@
         </form>
 
         <script type="module">
+            <#outputformat "JavaScript">
             import { registerByWebAuthn } from "${url.resourcesPath}/js/webauthnRegister.js";
             const registerButton = document.getElementById('registerWebAuthn');
             registerButton.addEventListener("click", function() {
                 const input = {
-                    challenge : '${challenge}',
-                    userid : '${userid}',
-                    username : '${username}',
+                    challenge : ${challenge?c},
+                    userid : ${userid?c},
+                    username : ${username?c},
                     signatureAlgorithms : [<#list signatureAlgorithms as sigAlg>${sigAlg?c},</#list>],
-                    rpEntityName : '${rpEntityName}',
-                    rpId : '${rpId}',
-                    attestationConveyancePreference : '${attestationConveyancePreference}',
-                    authenticatorAttachment : '${authenticatorAttachment}',
-                    requireResidentKey : '${requireResidentKey}',
-                    userVerificationRequirement : '${userVerificationRequirement}',
+                    rpEntityName : ${rpEntityName?c},
+                    rpId : ${rpId?c},
+                    attestationConveyancePreference : ${attestationConveyancePreference?c},
+                    authenticatorAttachment : ${authenticatorAttachment?c},
+                    requireResidentKey : ${requireResidentKey?c},
+                    userVerificationRequirement : ${userVerificationRequirement?c},
                     createTimeout : ${createTimeout?c},
-                    excludeCredentialIds : '${excludeCredentialIds}',
-                    initLabel : "${msg("webauthn-registration-init-label")?no_esc}",
-                    initLabelPrompt : "${msg("webauthn-registration-init-label-prompt")?no_esc}",
-                    errmsg : "${msg("webauthn-unsupported-browser-text")?no_esc}"
+                    excludeCredentialIds : ${excludeCredentialIds?c},
+                    initLabel : ${msg("webauthn-registration-init-label")?c},
+                    initLabelPrompt : ${msg("webauthn-registration-init-label-prompt")?c},
+                    errmsg : ${msg("webauthn-unsupported-browser-text")?c}
                 };
                 registerByWebAuthn(input);
             }, { once: true });
+            </#outputformat>
         </script>
 
         <input type="submit"
diff --git a/themes/src/main/resources/theme/keycloak.v2/login/webauthn-authenticate.ftl b/themes/src/main/resources/theme/keycloak.v2/login/webauthn-authenticate.ftl
index a74b739d69c..6d5f7f30a5c 100644
--- a/themes/src/main/resources/theme/keycloak.v2/login/webauthn-authenticate.ftl
+++ b/themes/src/main/resources/theme/keycloak.v2/login/webauthn-authenticate.ftl
@@ -6,7 +6,7 @@
     <#if section = "title">
      title
     <#elseif section = "header">
-        ${kcSanitize(msg("webauthn-login-title"))?no_esc}
+        ${msg("webauthn-login-title")}
     <#elseif section = "form">
         <div id="kc-form-webauthn" class="${properties.kcFormClass!}" >
             <form id="webauth" action="${url.loginAction}" method="post" hidden="hidden">
@@ -27,7 +27,7 @@
 
                     <#if shouldDisplayAuthenticators?? && shouldDisplayAuthenticators>
                         <#if authenticators.authenticators?size gt 1>
-                            <p class="${properties.kcSelectAuthListItemTitle!}">${kcSanitize(msg("webauthn-available-authenticators"))?no_esc}</p>
+                            <p class="${properties.kcSelectAuthListItemTitle!}">${msg("webauthn-available-authenticators")}</p>
                         </#if>
 
                         <ul class="${properties.kcSelectAuthListClass!}" role="list">
@@ -70,13 +70,13 @@
                                         <div class="${properties.kcSelectAuthListItemBodyClass!}">
                                             <div id="kc-webauthn-authenticator-label-${authenticator?index}"
                                                 class="${properties.kcSelectAuthListItemHeadingClass!}">
-                                                ${kcSanitize(msg('${authenticator.label}'))?no_esc}
+                                                ${authenticator.label}
                                             </div>
 
                                             <#if authenticator.transports?? && authenticator.transports.displayNameProperties?has_content>
                                                 <div id="kc-webauthn-authenticator-transport-${authenticator?index}">
                                                     <#list authenticator.transports.displayNameProperties as nameProperty>
-                                                        <span>${kcSanitize(msg('${nameProperty!}'))?no_esc}</span>
+                                                        <span>${msg(nameProperty)}</span>
                                                         <#if nameProperty?has_next>
                                                             <span>, </span>
                                                         </#if>
@@ -85,12 +85,13 @@
                                             </#if>
 
                                             <span id="kc-webauthn-authenticator-createdlabel-${authenticator?index}">
-                                                <i>${kcSanitize(msg('webauthn-createdAt-label'))?no_esc}</i>
+                                                <i>${msg('webauthn-createdAt-label')}</i>
                                             </span>
                                             <span id="kc-webauthn-authenticator-created-${authenticator?index}">
-                                                <i>${kcSanitize(authenticator.createdAt)?no_esc}</i>
+                                                <i>${authenticator.createdAt}</i>
                                             </span>
                                         </div>
+                                        </div>
                                         <div class="${properties.kcSelectAuthListItemFillClass!}"></div>
                                     </div>
                                 </li>
@@ -104,19 +105,21 @@
             </@buttons.actionGroup>
         </div>
     <script type="module">
+        <#outputformat "JavaScript">
         import { authenticateByWebAuthn } from "${url.resourcesPath}/js/webauthnAuthenticate.js";
         const authButton = document.getElementById('authenticateWebAuthnButton');
         authButton.addEventListener("click", function() {
             const input = {
                 isUserIdentified : ${isUserIdentified},
-                challenge : '${challenge}',
-                userVerification : '${userVerification}',
-                rpId : '${rpId}',
+                challenge : ${challenge?c},
+                userVerification : ${userVerification?c},
+                rpId : ${rpId?c},
                 createTimeout : ${createTimeout?c},
-                errmsg : "${msg("webauthn-unsupported-browser-text")?no_esc}"
+                errmsg : ${msg("webauthn-unsupported-browser-text")?c}
             };
             authenticateByWebAuthn(input);
         }, { once: true });
+        </#outputformat>
     </script>
 
     <#elseif section = "info">
diff --git a/themes/src/main/resources/theme/keycloak.v2/login/webauthn-register.ftl b/themes/src/main/resources/theme/keycloak.v2/login/webauthn-register.ftl
index 2f5c8061d19..105b6240b5a 100644
--- a/themes/src/main/resources/theme/keycloak.v2/login/webauthn-register.ftl
+++ b/themes/src/main/resources/theme/keycloak.v2/login/webauthn-register.ftl
@@ -7,7 +7,7 @@
         title
     <#elseif section = "header">
         <span class="${properties.kcWebAuthnKeyIcon!}"></span>
-        ${kcSanitize(msg("webauthn-registration-title"))?no_esc}
+        ${msg("webauthn-registration-title")}
     <#elseif section = "form">
     <div class="${properties.kcFormClass!}">
         <form id="register" action="${url.loginAction}" method="post" >
@@ -23,28 +23,30 @@
         </form>
 
         <script type="module">
+            <#outputformat "JavaScript">
             import { registerByWebAuthn } from "${url.resourcesPath}/js/webauthnRegister.js";
             const registerButton = document.getElementById('registerWebAuthn');
             registerButton.addEventListener("click", function() {
                 const input = {
-                    challenge : '${challenge}',
-                    userid : '${userid}',
-                    username : '${username}',
+                    challenge : ${challenge?c},
+                    userid : ${userid?c},
+                    username : ${username?c},
                     signatureAlgorithms : [<#list signatureAlgorithms as sigAlg>${sigAlg?c},</#list>],
-                    rpEntityName : '${rpEntityName}',
-                    rpId : '${rpId}',
-                    attestationConveyancePreference : '${attestationConveyancePreference}',
-                    authenticatorAttachment : '${authenticatorAttachment}',
-                    requireResidentKey : '${requireResidentKey}',
-                    userVerificationRequirement : '${userVerificationRequirement}',
+                    rpEntityName : ${rpEntityName?c},
+                    rpId : ${rpId?c},
+                    attestationConveyancePreference : ${attestationConveyancePreference?c},
+                    authenticatorAttachment : ${authenticatorAttachment?c},
+                    requireResidentKey : ${requireResidentKey?c},
+                    userVerificationRequirement : ${userVerificationRequirement?c},
                     createTimeout : ${createTimeout?c},
-                    excludeCredentialIds : '${excludeCredentialIds}',
-                    initLabel : "${msg("webauthn-registration-init-label")?no_esc}",
-                    initLabelPrompt : "${msg("webauthn-registration-init-label-prompt")?no_esc}",
-                    errmsg : "${msg("webauthn-unsupported-browser-text")?no_esc}"
+                    excludeCredentialIds : ${excludeCredentialIds?c},
+                    initLabel : ${msg("webauthn-registration-init-label")?c},
+                    initLabelPrompt : ${msg("webauthn-registration-init-label-prompt")?c},
+                    errmsg : ${msg("webauthn-unsupported-browser-text")?c}
                 };
                 registerByWebAuthn(input);
             },  { once: true });
+            </#outputformat>
         </script>
 
             <@buttons.actionGroup horizontal=true>