  • Usernames containing an email in failed login form are being escaped

    Upon switching to emails as usernames in login forms, in case of login failure I get the ${SPRING_SECURITY_LAST_USERNAME} email-username displayed with escape characters instead of the original @ . - etc. This is of course very user-unfriendly.

    I am aware of the character escaping done on SPRING_SECURITY_LAST_USERNAME attribute value due to possible XSS attacks:
    https://jira.springsource.org/browse/SEC-1377
    https://jira.springsource.org/browse/SEC-812

    However this leaves me in kind of an odd position, where I have to choose between basic user friendliness and application security, while implementing a rather common feature which is email addresses as usernames.

    It's somewhat peculiar - XSS attacks are common to all web apps, not just Spring Security. Is it actually possible that any web app that displays the attempted username-email is vulnerable to that attack?

    I'll be happy to know if there is a way to resolve this without compromising security.

    Yuval

  • #2
    How are you rendering the username so that it displays the escaped values? If you are doing this in a web page you could render without re-escaping the value by doing something like this.

    Code:
    <%-- SPRING_SECURITY_LAST_USERNAME is already HTML-escaped by Spring Security (see SEC-1377), so output it without escaping it a second time --%>
    <c:out value="${SPRING_SECURITY_LAST_USERNAME}" escapeXml="false"/>

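    Added example (not rwinch's code and not Spring Security's own): it models the session attribute holding an already entity-escaped username, shows why the default <c:out> escapes it a second time so the browser displays literal &#64; text, and checks that the escapeXml="false" path still emits no raw markup. The escapeEntities stand-in, the session map and the render helpers are assumptions for illustration, not Spring's utilities.

```java
import java.util.HashMap;
import java.util.Map;

public class LastUsernameRendering {

    static final String KEY = "SPRING_SECURITY_LAST_USERNAME";

    // Stand-in for the entity escaping the authentication filter applies (assumption:
    // not Spring's own utility). Every char that is not a letter, digit or space becomes
    // a numeric entity, which reproduces the "@ . - shown escaped" symptom from the thread.
    static String escapeEntities(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (Character.isLetterOrDigit(c) || c == ' ') sb.append(c);
            else sb.append("&#").append((int) c).append(';');
        }
        return sb.toString();
    }

    // What the filter leaves in the session after a failed login (hypothetical session map).
    static Map<String, String> sessionAfterFailedLogin(String attemptedUsername) {
        Map<String, String> session = new HashMap<>();
        session.put(KEY, escapeEntities(attemptedUsername));
        return session;
    }

    // <c:out value="${SPRING_SECURITY_LAST_USERNAME}"/> with the default escapeXml="true":
    // the stored value holds only letters, digits and entities, so '&' is the one character
    // JSTL escapes again, and the browser then shows "&#64;" literally instead of "@".
    static String renderCOutDefault(String storedValue) {
        return storedValue.replace("&", "&amp;");
    }

    // <c:out value="${SPRING_SECURITY_LAST_USERNAME}" escapeXml="false"/>:
    // the already-escaped value reaches the browser unchanged and decodes back to "@".
    static String renderCOutNoEscape(String storedValue) {
        return storedValue;
    }

    // The rendered fragment is neutralized if no raw markup characters survive into the page.
    static boolean containsRawMarkup(String html) {
        return html.indexOf('<') >= 0 || html.indexOf('>') >= 0 || html.indexOf('"') >= 0;
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal email username and a markup-bearing one.
        for (String attempt : new String[] {"yuval@example.com", "<b onclick=x>name</b>"}) {
            String stored = sessionAfterFailedLogin(attempt).get(KEY);
            String unescaped = renderCOutNoEscape(stored);
            System.out.println("attempt          : " + attempt);
            System.out.println("stored in session: " + stored);
            System.out.println("c:out default    : " + renderCOutDefault(stored));
            System.out.println("escapeXml=false  : " + unescaped
                    + (containsRawMarkup(unescaped) ? "  (raw markup!)" : "  (neutralized)"));
        }
    }
}
```

    escapeXml="false" is only safe here because the attribute value is escaped before it is stored; applying it to any attribute that is not already escaped reintroduces the XSS the linked issues fixed.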


    • #3
      Thanks rwinch, it solved the problem perfectly!
      Yuval
