From 6ca18deed7152c3cc2ad94bb1d9758039bbafe07 Mon Sep 17 00:00:00 2001
From: Ayke Halder
Date: Wed, 17 Sep 2025 15:35:11 +0200
Subject: [PATCH 1/2] Allow target attribute for anchor tags in html-sanitizer
Signed-off-by: Ayke Halder
---
 .../theme/KeycloakSanitizerPolicy.java | 3 +++
 .../keycloak/theme/KeycloakSanitizerTest.java | 21 +++++++++++++++++++
 2 files changed, 24 insertions(+)
diff --git a/services/src/main/java/org/keycloak/theme/KeycloakSanitizerPolicy.java b/services/src/main/java/org/keycloak/theme/KeycloakSanitizerPolicy.java
index deaf8ea667ef..414092b9e2ed 100644
--- a/services/src/main/java/org/keycloak/theme/KeycloakSanitizerPolicy.java
+++ b/services/src/main/java/org/keycloak/theme/KeycloakSanitizerPolicy.java
@@ -62,6 +62,8 @@ public class KeycloakSanitizerPolicy {
 private static final Pattern NAME = Pattern.compile("[a-zA-Z0-9\\-_\\$]+");
+ private static final Pattern TARGET = Pattern.compile("_blank");
+
 private static final Pattern ALIGN = Pattern.compile(
 "(?i)center|left|right|justify|char");
@@ -102,6 +104,7 @@ public class KeycloakSanitizerPolicy {
 .allowStandardUrlProtocols()
 .allowAttributes("nohref").onElements("a")
 .allowAttributes("name").matching(NAME).onElements("a")
+ .allowAttributes("target").matching(TARGET).onElements("a")
 .allowAttributes(
 "onfocus", "onblur", "onclick", "onmousedown", "onmouseup")
 .matching(HISTORY_BACK).onElements("a")
diff --git a/services/src/test/java/org/keycloak/theme/KeycloakSanitizerTest.java b/services/src/test/java/org/keycloak/theme/KeycloakSanitizerTest.java
index d3e9df2338fa..cf8a049a540c 100644
--- a/services/src/test/java/org/keycloak/theme/KeycloakSanitizerTest.java
+++ b/services/src/test/java/org/keycloak/theme/KeycloakSanitizerTest.java
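Review bot: The new `TARGET` constant carries no comment explaining why `_blank` is the only accepted value. The pattern is a single case-sensitive literal, so values such as `_top`, `_parent` or `_BLANK` are presumably dropped by the `.matching(TARGET)` call added in the second hunk; that is the safe direction, but the intent should be written down so the pattern is not later widened to something free-form like `NAME`. I would add `// Only target="_blank" is accepted; other browsing-context names stay stripped so a sanitized link cannot navigate a parent or named frame.` above the field. The class body starts and ends outside the hunk.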
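Review bot: Allowing `target` on `a` elements in this builder chain should come with a guaranteed `rel="noopener noreferrer"` on the emitted link, otherwise a page opened from a sanitized link may reach the originating tab through `window.opener` in browsers that do not imply noopener for `_blank`. Nothing in the visible lines sets rel; some versions of the sanitizer library add these rel values to targeted links on their own, so either confirm that for the pinned version or make it explicit with `.requireRelsOnLinks("noopener", "noreferrer")` on the builder. The `testLinks` cases should assert the emitted rel value so a library upgrade cannot silently drop it. The builder chain starts and ends outside the hunk.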
@@ -60,6 +60,27 @@ public void testEscapes() throws Exception {
 assertResult(expectedResult, html);
 }
+ @Test
+ public void testLinks() throws Exception {
+ List html = new ArrayList<>();
+
+ html.set(0, "Link text");
+ expectedResult = "Link text";
+ assertResult(expectedResult, html);
+
+ html.set(0, "Link text");
+ expectedResult = "Link text";
+ assertResult(expectedResult, html);
+
+ html.set(0, "Link text");
+ expectedResult = "Link text";
+ assertResult(expectedResult, html);
+
+ html.set(0, "Link text");
+ expectedResult = "Link text";
+ assertResult(expectedResult, html);
+ }
+
 @Test
 public void testUrls() throws Exception {
 List html = new ArrayList<>();
From 59df3d2bfc7b64f5fed46540db5229aa1238e910 Mon Sep 17 00:00:00 2001
From: Alexander Schwartz
Date: Fri, 19 Sep 2025 08:58:10 +0200
Subject: [PATCH 2/2] Review
Signed-off-by: Alexander Schwartz
---
 .../java/org/keycloak/theme/KeycloakSanitizerTest.java | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/services/src/test/java/org/keycloak/theme/KeycloakSanitizerTest.java b/services/src/test/java/org/keycloak/theme/KeycloakSanitizerTest.java
index cf8a049a540c..db9a9f843440 100644
--- a/services/src/test/java/org/keycloak/theme/KeycloakSanitizerTest.java
+++ b/services/src/test/java/org/keycloak/theme/KeycloakSanitizerTest.java
@@ -64,8 +64,8 @@ public void testEscapes() throws Exception {
 public void testLinks() throws Exception {
 List html = new ArrayList<>();
- html.set(0, "Link text");
- expectedResult = "Link text";
+ html.add("Link text");
+ String expectedResult = "Link text";
 assertResult(expectedResult, html);
 html.set(0, "Link text");
@@ -73,11 +73,11 @@ public void testLinks() throws Exception {
 assertResult(expectedResult, html);
 html.set(0, "Link text");
- expectedResult = "Link text";
+ expectedResult = "Link text";
 assertResult(expectedResult, html);
 html.set(0, "Link text");
- expectedResult = "Link text";
+ expectedResult = "Link text";
 assertResult(expectedResult, html);
 }