Problem statement
A security report was received about a possible XSS injection in the log-out flow. A custom login domain with a custom new universal login page is used. The following sample URL triggers the alert:
https://[CUSTOM_LOGIN_DOMAIN]/v2/logout?returnTo=%22%3E%3Cscript%3Ealert(%22Hello%20Attacker%22)%3C/script%3E%3C%3Ehttps://APP_DOMAIN.com
Solution
The recommendation is to add | escape in the Liquid templates to avoid XSS attacks on the new universal login page. A sample is available in our documentation on how to escape the template variables.
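To check a page template for output tags that are missing the filter, the following added example (not taken from the documentation mentioned above) scans Liquid source for any {{ ... }} tag whose last filter is not escape or escape_once. The template text and every example.* variable name in it are constructed for illustration.

```python
import re

# Liquid output tags: {{ expr | filter: arg | ... }}, with optional "-" whitespace control.
OUTPUT_TAG = re.compile(r"\{\{-?\s*(.*?)\s*-?\}\}", re.DOTALL)
QUOTED = re.compile(r"'[^']*'|\"[^\"]*\"")
HTML_ESCAPING_FILTERS = {"escape", "escape_once"}

def filters_of(expr):
    """Return the filter names applied in one Liquid output expression, in order."""
    expr = QUOTED.sub('""', expr)  # a "|" inside a string literal is not a filter separator
    return [part.split(":", 1)[0].strip() for part in expr.split("|")[1:]]

def find_unescaped(template):
    """Return (line_number, tag) for every output tag whose last filter is not an escape.

    Requiring the escape to be last is deliberately strict: a filter that runs
    after it (append, for instance) can add unescaped text back in.
    """
    findings = []
    for m in OUTPUT_TAG.finditer(template):
        filters = filters_of(m.group(1))
        if not filters or filters[-1] not in HTML_ESCAPING_FILTERS:
            line = template.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(0)))
    return findings

# Constructed page template; every "example.*" variable name is hypothetical.
TEMPLATE = """<!DOCTYPE html>
<html>
  <head>{%- auth0:head -%}<title>{{ example.title }}</title></head>
  <body>
    <a href="{{ example.return_to }}">Back</a>
    <p>{{ example.app_name | escape }}</p>
    <p>{{ example.note | escape | append: example.suffix }}</p>
    {%- auth0:widget -%}
  </body>
</html>
"""

if __name__ == "__main__":
    for line, tag in find_unescaped(TEMPLATE):
        print(f"line {line}: {tag} is rendered without a trailing | escape")
```

The check only confirms the filter is present; a value placed inside a script block or an unquoted attribute needs review even when it is escaped.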