referrerUrl in account-ui escapes query parameters incorrectly · Issue #40821 · keycloak/keycloak · GitHub
referrerUrl in account-ui escapes query parameters incorrectly #40821
Open
@MalteJoe

Description

Area

account/ui

Describe the bug

When navigating to the account console from our application, we use the referrer and referrer_uri query params so the user is given the option to navigate back to the page they originally came from. If the referrer_uri contains multiple query params itself (e.g. http://localhost/entity/1234?mode=edit&subentity=456), the "Back to Application" link is broken as the & ampersand is encoded as &amp;, which results in http://localhost/entity/1234?mode=edit&amp;subentity=456 and doesn't work correctly.

Version

26.2.5

Regression

  • The issue is a regression

Expected behavior

The "Back to Application" link preserves all given query parameters correctly and clicking it navigates me to the given referrer_uri.

Actual behavior

The "Back to Application" link is broken as the & ampersand is encoded as &amp;, which results in the link rendering as http://localhost/entity/1234?mode=edit&amp;subentity=456 and not working correctly.

How to Reproduce?

Add the referrer and referrer_uri query params when navigating to the account-ui where referrer_uri contains multiple query params itself.

Example with referrer_uri being http://localhost/entity/1234?mode=edit&subentity=456:

http://localhost:8084/auth/realms/myrealm/account?referrer=my-app&referrer_uri=http%3A%2F%2Flocalhost%2Fentity%2F1234%3Fmode%3Dedit%26subentity%3D456

Anything else?

First debugging observations and Workaround

The AccountConsole.java reads the referrer_uri correctly and puts it into the data map to be processed by FreeMarker. The rendered index.ftl then contains the incorrectly escaped value in the environment script block. As a temporary workaround we have put "referrerUrl": "${referrer_uri?no_esc!""}", here: https://github.com/jonkoops/keycloak/blob/3c2e53136b70b7c47c266297b9e627df5b5a3194/js/apps/account-ui/maven-resources/theme/keycloak.v3/account/index.ftl#L155

Theme

Based on keycloak.v3
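As an added illustration (not Keycloak's code, and not from the reporter), the following JavaScript reproduces the context mismatch behind the report: HTML-escaping a value that sits inside a JS string literal in the script block, beside an encoder appropriate for that context. The index.ftl environment block is mimicked by a constructed helper; `htmlEscape`, `htmlQuoted`, `jsStringLiteral`, `renderEnvBlock`, `readReferrerUrl` and `queryParams` are all assumed names.

```javascript
// Constructed input: the referrer_uri from the report, as it looks after the
// query parameter has been URL-decoded on the server side.
const referrerUri = "http://localhost/entity/1234?mode=edit&subentity=456";

// What an HTML output format does to an interpolated value: '&' -> '&amp;'.
// Right for HTML text nodes, wrong inside a JavaScript string literal.
function htmlEscape(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// The template writes the quotes itself: "referrerUrl": "${value}",
function htmlQuoted(s) {
  return `"${htmlEscape(s)}"`;
}

// Context-appropriate encoder for a value embedded in a <script> block:
// JSON string escaping keeps '&' intact, and '<' / '>' become \u escapes so
// the value can never close the surrounding script tag.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/</g, "\\u003c").replace(/>/g, "\\u003e");
}

// Mimics the environment block line in index.ftl (assumed shape).
function renderEnvBlock(value, encoder) {
  return `"referrerUrl": ${encoder(value)},`;
}

// What the browser ends up holding once the rendered block is evaluated.
function readReferrerUrl(envBlock) {
  return JSON.parse(`{${envBlock.replace(/,\s*$/, "")}}`).referrerUrl;
}

// How the "Back to Application" target would be interpreted by the browser.
function queryParams(url) {
  return Object.fromEntries(new URL(url).searchParams);
}

// Demo: the broken rendering from the report beside the context-correct one.
console.log(renderEnvBlock(referrerUri, htmlQuoted));     // contains "&amp;"
console.log(renderEnvBlock(referrerUri, jsStringLiteral)); // keeps "&"
console.log(queryParams(readReferrerUrl(renderEnvBlock(referrerUri, htmlQuoted))));
```

With the HTML-escaped rendering the browser sees a parameter named `amp;subentity` instead of `subentity`, which is exactly why the link stops working. Note that the `?no_esc` workaround removes escaping altogether, whereas a JS-string encoder like the one above preserves `&` while still neutralising a `</script>` sequence in the value.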
