# OAuth2 consent page XSS via client application name containing malicious script

- **ID:** `security/oauth2-consent-page-xss-via-client-name`
- **Domain:** security
- **Category:** auth_error
- **Verification:** ai_generated
- **Fix Rate:** 88%

## Root Cause

The OAuth2 authorization server renders the client application name on the consent page without HTML-escaping it, so an attacker who can register a client can choose a name containing script that then executes in the browser of every user shown the consent page for that client.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| OAuth2 2.0 | active | — | — |
| Spring Security 5.7.10 | active | — | — |
| Keycloak 21.0.0 | active | — | — |
| Auth0 Node.js SDK 2.42.0 | active | — | — |

## Workarounds

1. **Apply HTML entity encoding to the client application name before rendering on the consent page. In Java with Spring Security, use `HtmlUtils.htmlEscape(clientName)` in the template. For Keycloak, override the consent form template (consent.ftl) and escape `${client.clientName}` using `<#escape x as x?html>${client.clientName}</#escape>`.** (90% success)
2. **Validate client name during registration to reject any names containing HTML tags or script characters. Use a whitelist approach: allow only alphanumeric characters, spaces, and basic punctuation. Example regex: `^[a-zA-Z0-9\s\-_\.]+$`.** (85% success)
3. **Implement output encoding specifically for JavaScript contexts if the client name is used in dynamic attributes or inline script. Use a library like OWASP Java Encoder: `Encode.forJavaScript(clientName)`.** (80% success)
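The following Node.js snippet is an added example, not code from the original entry or from any of the listed products; it shows workarounds 1 and 2 together: an HTML-escaping function applied at the point of output, the entry's allow-list regex applied at registration, and the vulnerable render beside the hardened one. All function names, the 100-character cap and the sample client are this example's own assumptions.

```javascript
// Added example, not from the original entry or any listed product.
// Demonstrates workaround 1 (escape at output) and workaround 2
// (allow-list validation at registration). All names are hypothetical.

// Characters that change meaning in HTML text and quoted attribute contexts.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Workaround 2: the regex from the entry, applied when a client registers.
// The 100-character cap is an added assumption, not from the entry.
const CLIENT_NAME_PATTERN = /^[a-zA-Z0-9\s\-_\.]+$/;

function isValidClientName(name) {
  return typeof name === "string" && name.length > 0 &&
    name.length <= 100 && CLIENT_NAME_PATTERN.test(name);
}

// Vulnerable rendering: the stored client name goes into the page verbatim,
// so a registered name such as "<script>...</script>" becomes live markup.
function renderConsentPageUnsafe(client, scopes) {
  return `<h1>${client.name} wants access</h1>` +
    `<ul>${scopes.map((s) => `<li>${s}</li>`).join("")}</ul>`;
}

// Hardened rendering: every attacker-controllable value is escaped at the
// point of output, including the hidden client_id attribute value.
function renderConsentPage(client, scopes) {
  const items = scopes.map((s) => `<li>${escapeHtml(s)}</li>`).join("");
  return `<h1>${escapeHtml(client.name)} wants access</h1>` +
    `<ul>${items}</ul>` +
    `<form method="post">` +
    `<input type="hidden" name="client_id" value="${escapeHtml(client.id)}">` +
    `<button name="consent" value="yes">Allow</button></form>`;
}

// Constructed sample registration carrying a script payload in the name.
const SAMPLE_CLIENT = { id: "client-123", name: "<script>alert(1)</script>" };
const SAMPLE_SCOPES = ["openid", "email"];

// Defence in depth: reject at registration, and escape anyway at render time.
function registerAndRender(client, scopes) {
  if (!isValidClientName(client.name)) return { accepted: false, html: null };
  return { accepted: true, html: renderConsentPage(client, scopes) };
}
```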

## Dead Ends

- **Add Content-Security-Policy header to block inline scripts** — CSP does not prevent the injection itself; if the client name is rendered in a href attribute or event handler, CSP may not block it, and the script still executes in some contexts. (40% fail)
- **Sanitize client name by removing all HTML tags with a simple regex** — Attackers can bypass regex-based sanitization with obfuscated payloads (e.g., using Unicode characters or event handlers like onerror). (35% fail)
- **Use a WAF to filter malicious client names during registration** — WAF rules are often bypassed by encoding the payload (e.g., base64 or URL encoding), and the consent page still renders the name unsafely. (50% fail)
