XSS Injection on Custom New Universal Login Page

Problem statement

A security report was received describing a possible XSS injection in the log-out flow. The affected tenant uses a custom login domain with a customized New Universal Login page template. With the following sample, the alert can be seen triggering.



The recommendation is to append the Liquid escape filter (| escape) to the variables rendered in the page template, so that user-controlled or tenant-controlled values are output as text rather than interpreted as markup. A sample of how to escape template variables is available in our documentation.
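As an added illustration, not code from the original post or from the product's own documentation, the fragment below shows the unescaped and the escaped form of the same template variable side by side. The application.name variable and the auth0:head / auth0:widget tags are used here as assumed template constructs; the payload shown in the comment is constructed for the example.

```liquid
<!DOCTYPE html>
<html lang="{{ locale | escape }}">
  <head>
    {%- auth0:head -%}
    {% comment %}
      Vulnerable: the value is rendered verbatim. If the application name
      (an assumed variable) contains a constructed payload such as
      <img src=x onerror=alert(1)>, the browser executes it as markup.
    {% endcomment %}
    <title>{{ application.name }}</title>
  </head>
  <body>
    {% comment %}
      Hardened: the same value passed through Liquid's escape filter, which
      converts <, >, &, " and ' into HTML entities so the browser shows the
      payload as literal text instead of executing it.
    {% endcomment %}
    <h1>Welcome to {{ application.name | escape }}</h1>
    <p>You are signing out of {{ application.name | escape }}.</p>

    {%- auth0:widget -%}
  </body>
</html>
```

Two caveats when applying this: the escape filter neutralizes values placed in HTML element content and in quoted attribute values only, so template variables should not be interpolated into a script block, an event-handler attribute, or a URL attribute such as href or src, where entity encoding does not change how the browser interprets the value; and if a value may already be entity-encoded, escape_once avoids double encoding it.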
