Overview
When customizing error templates in Universal Login, developers often use the error_description variable to display error messages. However, this variable can contain unsafe content, potentially leading to cross-site scripting (XSS) vulnerabilities. This article provides a safe way to render error_description in the template.
Applies To
- Auth0 Universal Login
- Custom error pages in Auth0
Cause
The error_description variable is populated dynamically and may contain user-controlled input. If it is rendered without escaping, an attacker can inject HTML or script into the error page, which leads to security risks such as phishing or data exposure.
Solution
To mitigate this risk, apply Liquid filters to the error_description variable before rendering it in the template. Use the escape and strip_html filters:
<span>{{ error_description | escape | strip_html }}</span>
- escape HTML-encodes the characters that can change markup context (<, >, &, " and '), so the browser renders the value as text instead of parsing it as tags or attributes. This filter is what prevents script execution and must always be present.
- strip_html removes HTML tags from the message. Liquid applies filters left to right, so in the order above escape has already encoded every < before strip_html runs; strip_html then finds no tags, and an injected tag appears in the message as visible encoded text rather than being removed. If you would rather have tags dropped from the displayed text, use strip_html | escape instead. Either order is safe against XSS as long as escape is applied.
This approach reduces the risk of XSS while preserving the usability of the error message. Apply the same filters at every place the template renders error_description, and keep the value in ordinary HTML text content: HTML escaping alone is not sufficient inside a <script> block or an unquoted attribute value.
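To see what each filter actually does to a hostile value, and why filter order changes the displayed text, here is an added JavaScript model of Liquid's escape and strip_html filters. It is not Auth0 or Liquid code: the two filter functions, the renderErrorSpan and containsRawTag helpers and the sample error_description value are constructed for this example, and the filter semantics are assumed to match Shopify Liquid's reference implementation.

```javascript
// Added example (not Auth0 or Liquid code): a JavaScript model of the two
// Liquid filters from the article, so the effect of `escape` and
// `strip_html` on a hostile error_description can be inspected offline.
// Assumption: these approximate Shopify Liquid's filter semantics; Auth0's
// engine may differ in edge cases, so treat this as illustrative.

// Liquid `escape`: HTML-encode the characters that can change markup context.
function liquidEscape(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Liquid `strip_html`: remove script/style blocks, HTML comments, then any
// remaining tag. Nothing is encoded; text outside tags passes through as-is.
function liquidStripHtml(value) {
  return String(value)
    .replace(/<script[\s\S]*?<\/script>/gi, "")
    .replace(/<style[\s\S]*?<\/style>/gi, "")
    .replace(/<!--[\s\S]*?-->/g, "")
    .replace(/<[^>]*>/g, "");
}

// Render the <span> from the article. Liquid applies filters left to right,
// so filters[0] runs first, exactly as in `{{ x | a | b }}`.
function renderErrorSpan(errorDescription, filters) {
  const rendered = filters.reduce((acc, f) => f(acc), errorDescription);
  return "<span>" + rendered + "</span>";
}

// Does the span body still contain raw markup a browser would parse as a tag?
function containsRawTag(html) {
  const body = html.slice("<span>".length, -"</span>".length);
  return /<[a-z!\/]/i.test(body);
}

// Constructed hostile value standing in for attacker-influenced
// error_description content (sample input, not a real Auth0 message).
const HOSTILE = 'Login failed <img src=x onerror="alert(1)"> <b>retry</b>';

const UNFILTERED = renderErrorSpan(HOSTILE, []);
const ESCAPE_ONLY = renderErrorSpan(HOSTILE, [liquidEscape]);
const ARTICLE_ORDER = renderErrorSpan(HOSTILE, [liquidEscape, liquidStripHtml]);
const STRIP_THEN_ESCAPE = renderErrorSpan(HOSTILE, [liquidStripHtml, liquidEscape]);

// Collect the four renderings plus the key observation: once escape has run,
// strip_html has no raw tags left to remove.
function summary() {
  return {
    unfiltered: UNFILTERED,
    escapeOnly: ESCAPE_ONLY,
    articleOrder: ARTICLE_ORDER,
    stripThenEscape: STRIP_THEN_ESCAPE,
    stripAfterEscapeIsNoOp: ARTICLE_ORDER === ESCAPE_ONLY,
  };
}

console.log(summary());
```

Running the block shows the unfiltered rendering carrying a live `<img onerror>` handler, the article's `escape | strip_html` order producing the same output as escape alone (the encoded tag is shown to the user as text), and `strip_html | escape` yielding plain "Login failed  retry". Both filtered forms contain no raw tag, which is the property that matters for XSS.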
Additionally, to suggest that Auth0 implement built-in sanitization for this variable on the backend, please submit a feature request through Auth0's feedback page.