
Add HTML sanitizer for translated message resources#4

Open
ShashankFC wants to merge 1 commit into feature-html-sanitizer-baseline from feature-html-sanitizer-implementation

Conversation

@ShashankFC commented Feb 13, 2026

User description

Test 7

Summary by CodeRabbit

Release Notes

  • New Features

    • Added recovery codes display and management localization
    • Introduced attribute translation management interface
    • Added logout token configuration settings
  • Improvements

    • Updated TOTP setup guidance across multiple languages
    • Fixed HTML formatting issues in email notifications and authentication error messages
    • Enhanced validation messages with context-aware pluralization



Replicated from ai-code-review-evaluation/keycloak-coderabbit#7


CodeAnt-AI Description

Add HTML sanitizer to theme verifier and fix translation HTML issues

What Changed

  • The theme verifier now detects and reports illegal or altered HTML in translated message files, showing the exact differing fragment for each offending key.
  • Translations are only allowed to contain HTML when the corresponding English source contains HTML; only a small set of safe tags and exact anchor tags from the English string are permitted.
  • New unit tests cover duplicate keys and the new HTML checks to ensure translations with illegal tags or changed anchors are flagged.
  • Multiple message resource files were corrected (fixed malformed attributes, normalized usage, corrected plural/choice formatting and TOTP instructions) so email and login templates no longer contain malformed HTML.

Impact

✅ Clearer illegal-HTML errors for translation reviewers
✅ Fewer malformed links and broken HTML in email/login templates
✅ Shorter localization QA loop due to automated detection

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

Closes #37428

Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>
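
The rule set the CodeAnt description above attributes to the new theme verifier, written out as an added illustration (this is not the PR's verifier code): a translation may carry HTML only when its English source does, every anchor tag in the translation must match an anchor in the English string byte for byte, and any other tag must come from a short safe list, with the offending fragment reported. The allow-list contents, the report format and the class name are assumptions; the sample strings are constructed from the totpStep1 lines quoted in the inline review comments on this page. The tag pattern is deliberately case-insensitive, which is the point the nitpick about "<[a-z]+[^>]*>" raises.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not Keycloak's theme verifier: checks one translated message value
 * against its English source using the three rules the PR description lists.
 */
public final class TranslationHtmlCheck {

    // Any opening or closing tag; case-insensitive so <B> or <Br> in the English source
    // is still recognised as HTML (a lowercase-only pattern would miss it).
    private static final Pattern TAG = Pattern.compile("</?([A-Za-z][A-Za-z0-9]*)[^>]*>");
    private static final Pattern ANCHOR = Pattern.compile("<a\\b[^>]*>", Pattern.CASE_INSENSITIVE);

    // Assumed allow-list of harmless formatting tags; the real set is the project's choice.
    private static final Set<String> SAFE_TAGS = Set.of("b", "i", "strong", "em", "br");

    private TranslationHtmlCheck() {}

    static boolean containsHtml(String value) {
        return TAG.matcher(value).find();
    }

    /** Every opening anchor tag in the value, exactly as written (attributes, order, spacing). */
    static List<String> anchors(String value) {
        List<String> out = new ArrayList<>();
        Matcher m = ANCHOR.matcher(value);
        while (m.find()) {
            out.add(m.group());
        }
        return out;
    }

    /** Returns a description of the first violation, or empty when the translation passes. */
    static Optional<String> check(String key, String english, String translation) {
        if (!containsHtml(translation)) {
            return Optional.empty();
        }
        if (!containsHtml(english)) {
            Matcher m = TAG.matcher(translation);
            m.find();
            return Optional.of(key + ": HTML not present in English source: " + m.group());
        }
        // Each anchor in the translation must consume one identical anchor from the English
        // string; a changed href or target is reported as the differing fragment.
        List<String> allowedAnchors = new ArrayList<>(anchors(english));
        for (String anchor : anchors(translation)) {
            if (!allowedAnchors.remove(anchor)) {
                return Optional.of(key + ": anchor differs from English source: " + anchor);
            }
        }
        // Whatever is left (anchors aside) must be a tag from the safe set.
        Matcher m = TAG.matcher(translation);
        while (m.find()) {
            String name = m.group(1).toLowerCase(Locale.ROOT);
            if (name.equals("a")) {
                continue; // opening anchors validated above; </a> is their counterpart
            }
            if (!SAFE_TAGS.contains(name)) {
                return Optional.of(key + ": illegal tag: " + m.group());
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed English source that carries one anchor.
        String english = "Install <a href=\"https://freeotp.github.io/\" target=\"_blank\">FreeOTP</a> on your device.";
        // Constructed translations: same anchor, rewritten href, disallowed tag.
        String ok = "Įdiekite <a href=\"https://freeotp.github.io/\" target=\"_blank\">FreeOTP</a> savo įrenginyje.";
        String badHref = "Įdiekite <a href=\"https://evil.example/\" target=\"_blank\">FreeOTP</a> savo įrenginyje.";
        String badTag = "Įdiekite <script>alert(1)</script> FreeOTP savo įrenginyje.";
        // Constructed English source without HTML; the translation adds a link on its own.
        String plainEnglish = "Install one of the following applications on your mobile:";
        String linkAdded = "Įdiekite <a href=\"https://play.google.com\">Google Play</a> programėlę.";

        System.out.println(check("totpStep1", english, ok).orElse("ok"));
        System.out.println(check("totpStep1", english, badHref).orElse("ok"));
        System.out.println(check("totpStep1", english, badTag).orElse("ok"));
        System.out.println(check("totpStep1", plainEnglish, linkAdded).orElse("ok"));
    }
}
```

The exact-match rule for anchors is what catches a translator (or a compromised translation feed) pointing FreeOTP at a different host while keeping the visible link text; it is also why attribute reordering or extra whitespace in an otherwise faithful anchor is rejected, the strictness one of the nitpicks objects to. Loosening it means parsing attributes, not relaxing the string comparison.
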
@ShashankFC (Author) commented

@CodeAnt-AI: review

codeant-ai Bot commented Feb 13, 2026

CodeAnt AI is running the review.

codeant-ai Bot added the label size:L (This PR changes 100-499 lines, ignoring generated files) on Feb 13, 2026
codeant-ai Bot commented Feb 13, 2026

Nitpicks 🔍

🔒 No security issues identified
⚡ Recommended areas for review

  • HTML + placeholders in error messages
    WebAuthn error messages include
    and placeholders (e.g. {0}). Embedding unescaped parameters directly next to HTML markup increases risk: if {0} is not sanitized, an attacker could inject markup or scripts.

  • XSS risk in HTML-containing messages
    Several localized messages now include raw HTML tags (e.g. ,
    ) combined with placeholders. If placeholders (like {0}) can contain user-controlled data and rendering uses these keys without safe-sanitization or escaping, this can lead to reflected/stored XSS when messages are rendered as HTML.

  • Fragile English file resolution / error handling
    The English file path is derived with string replacements and a FileInputStream is opened directly; on failure the code throws a RuntimeException. That can cause the verifier to fail hard for unusual paths or locale suffixes; the path replacement regex may also match unintended parts. Consider more robust lookup and graceful error reporting.

  • Strict anchor comparison
    Anchor matching requires the entire anchor tag string to match exactly between source and translation. Differences in attribute order, spacing, or insignificant attribute changes will be treated as violations. Also, the code removes matching anchor tags from the translation before sanitization which can hide intent or produce odd diffs.

  • HTML detection (case-sensitivity)
    The HTML detection Pattern only matches lowercase tag names ("<[a-z]+[^>]*>"). This will miss tags with uppercase or mixed-case names in the English source and can therefore incorrectly decide that HTML is not present, producing false positives/negatives when validating translations.

  • HTML Injection
    Several message values now contain raw HTML (
    ) and also include format parameters (e.g. {0}). If the parameter values are not HTML-sanitized/escaped before insertion, this can enable XSS. Confirm the rendering pipeline sanitizes or safely marks these messages, and validate how parameters are encoded when messages are rendered.

  • HTML in translation strings
    Several new WebAuthn error messages include raw HTML ("
    ") and an unescaped placeholder {0}. If the placeholder is filled with user-controlled content and rendered without sanitization, this can lead to XSS or UI issues. Validate rendering path and ensure placeholders are escaped or sanitized.

  • HTML in translation strings
    Added WebAuthn error strings contain inline HTML ("
    ") with {0} placeholders. Confirm that output is rendered safely and consistently (escape/sanitize {0} or avoid HTML in translations).

  • HTML Injection
    Translations include raw '
    ' tags together with format placeholders. Verify that these translations are only rendered in safe contexts or that parameter substitution is sanitized to avoid cross-site scripting.

  • HTML Injection
    Same pattern as other locales: raw '
    ' in translated strings. Ensure consistent handling of HTML across locales and that the UI sanitizes parameter content prior to insertion.
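
The rendering-time hazard the nitpicks above keep returning to, an HTML-bearing message with a {0} placeholder that may receive user-controlled data, shown as an added illustration. This is not Keycloak's code and makes no claim about what Keycloak's template pipeline actually does with these keys: the message text is constructed, and escaping the argument before java.text.MessageFormat substitutes it is one way to keep the message's own markup while denying the parameter any.

```java
import java.text.MessageFormat;
import java.util.Locale;

/**
 * Added example, not Keycloak code: a message that legitimately contains <b> and <br>
 * and also a {0} parameter, rendered the risky way and the escaped way.
 */
public final class PlaceholderEscaping {

    // Constructed message in the shape the review flags: safe markup plus a format parameter.
    static final String MESSAGE = "Klaida registruojant raktą <b>{0}</b>.<br>Bandykite dar kartą.";

    private PlaceholderEscaping() {}

    /** Risky rendering: the argument lands inside the HTML verbatim. */
    static String renderUnsafe(String arg) {
        return new MessageFormat(MESSAGE, Locale.ROOT).format(new Object[] { arg });
    }

    /** Escapes the five characters that can open a tag, close one, or break out of an attribute. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Safe rendering: escape each argument first, then let MessageFormat substitute it.
     * The translator's <b> and <br> survive; the parameter cannot contribute markup.
     */
    static String renderSafe(String arg) {
        return new MessageFormat(MESSAGE, Locale.ROOT).format(new Object[] { escapeHtml(arg) });
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled value, e.g. an authenticator label echoed back in the error.
        String hostile = "<img src=x onerror=alert(document.cookie)>";
        System.out.println(renderUnsafe(hostile));
        System.out.println(renderSafe(hostile));
    }
}
```

Escaping the parameter rather than the finished string is what keeps the message's own tags intact; escaping the whole output afterwards would neutralise them too, which is why a sanitizer on the translation files and an escape on the parameters are complementary, not interchangeable. Whether {0} is actually user-controlled for a given key is the thing a reviewer has to confirm in the code that populates it.
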

configureAuthenticators=Sukonfigūruotas autentifikatorius
mobile=Mobilus
totpStep1=Įdiekite <a href="https://freeotp.github.io/" target="_blank">FreeOTP</a> arba Google Authenticator savo įrenginyje. Programėlės prieinamos <a href="https://play.google.com">Google Play</a> ir Apple App Store.
totpStep1=Installa una delle seguenti applicazioni sul tuo cellulare:
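Review bot: the replacement value for totpStep1 is Italian ("Installa una delle seguenti applicazioni sul tuo cellulare:") inside the Lithuanian account bundle, so removing the two <a> tags the verifier rejects has also swapped the language and dropped the app and store names the old line conveyed (FreeOTP, Google Authenticator, Google Play, Apple App Store). Keep the sentence Lithuanian and strip only the markup, e.g. `totpStep1=Įdiekite FreeOTP arba Google Authenticator savo įrenginyje. Programėlės prieinamos Google Play ir Apple App Store.`, and check how an Italian string ended up here, since the same sentence is the Italian bundle's own translation of this key.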


Suggestion: The value for the totpStep1 message is in Italian instead of Lithuanian, which will present users of the Lithuanian locale with a message in the wrong language; this should be corrected to a Lithuanian, HTML-free equivalent of the original text. [logic error]

Severity Level: Major ⚠️
- ⚠️ Lithuanian TOTP setup screen shows Italian instruction text.
- ⚠️ Confusing two-factor setup guidance for Lithuanian-speaking users.
Suggested change
totpStep1=Installa una delle seguenti applicazioni sul tuo cellulare:
totpStep1=Įdiekite vieną iš šių programėlių į savo mobilųjį telefoną:
Steps of Reproduction ✅
1. Deploy this PR build of Keycloak with the community base theme enabled so that it uses
`themes/src/main/resources-community/theme/base/account/messages/messages_lt.properties`
for Lithuanian locale messages (file verified via Grep at line 101).

2. In a browser, switch the account console UI to Lithuanian (lt) locale so that messages
are loaded from `messages_lt.properties`.

3. From the user account console, navigate to the authenticator setup flow and start
configuring a mobile TOTP authenticator; the server resolves and renders the `totpStep1`
message key from `messages_lt.properties:101`.

4. Observe that the first TOTP setup instruction displayed to the user is the Italian text
"Installa una delle seguenti applicazioni sul tuo cellulare:" instead of Lithuanian, while
neighbouring messages `totpStep2` and `totpStep3` in the same file are correctly localized
in Lithuanian.
Prompt for AI Agent 🤖
This is a comment left during a code review.

**Path:** themes/src/main/resources-community/theme/base/account/messages/messages_lt.properties
**Line:** 101:101
**Comment:**
	*Logic Error: The value for the `totpStep1` message is in Italian instead of Lithuanian, which will present users of the Lithuanian locale with a message in the wrong language; this should be corrected to a Lithuanian, HTML-free equivalent of the original text.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.

gssDelegationCredential=GSS prisijungimo duomenų delegavimas

loginTotpStep1=Įdiekite <a href="https://freeotp.github.io/" target="_blank">FreeOTP</a> arba Google Authenticator savo įrenginyje. Programėlės prieinamos <a href="https://play.google.com">Google Play</a> ir Apple App Store.
loginTotpStep1=Installa una delle seguenti applicazioni sul tuo cellulare:
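Review bot: same defect in the login bundle: loginTotpStep1 becomes the Italian sentence while its neighbour gssDelegationCredential and the rest of messages_lt.properties stay Lithuanian. The verifier only objects to the two anchors (presumably absent from the English source), so the minimal correct change is to delete the tags and keep the text: `loginTotpStep1=Įdiekite FreeOTP arba Google Authenticator savo įrenginyje. Programėlės prieinamos Google Play ir Apple App Store.`. That the account and login bundles both pick up the identical Italian string suggests a single search-and-replace across locales; worth re-checking the other lt keys touched by this commit for the same cross-locale paste.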


Suggestion: The Lithuanian TOTP setup instruction message is now in Italian, which is a localization bug that will confuse users of this locale; it should remain in Lithuanian while removing the HTML links, preserving the original meaning. [possible bug]

Severity Level: Major ⚠️
- ⚠️ Lithuanian TOTP setup shows Italian text, confusing users.
- ⚠️ Inconsistent localization on TOTP configuration page for lt locale.
Suggested change
loginTotpStep1=Installa una delle seguenti applicazioni sul tuo cellulare:
loginTotpStep1=Įdiekite FreeOTP arba Google Authenticator savo įrenginyje. Programėlės prieinamos Google Play ir Apple App Store.
Steps of Reproduction ✅
1. Run the Keycloak server built from this PR and enable the base login theme that uses
the localized message bundles under
`themes/src/main/resources-community/theme/base/login/messages/`.

2. Configure a realm or browser locale to Lithuanian (`lt`), which causes Keycloak to load
`messages_lt.properties` for login messages; this file contains `loginTotpStep1` at line
71 as shown in the PR final state.

3. Log in with a user who is required to configure TOTP; the TOTP configuration page
template `themes/src/main/resources/theme/base/login/login-config-totp.ftl:10` (and
`themes/src/main/resources/theme/keycloak.v2/login/login-config-totp.ftl:12`) renders
`<p>${msg("loginTotpStep1")}</p>`, pulling the value from `messages_lt.properties`.

4. Observe that the first TOTP setup instruction on the page is displayed in Italian
(`"Installa una delle seguenti applicazioni sul tuo cellulare:"`) instead of Lithuanian,
while other locales (e.g. Italian at `messages_it.properties:92`) show this sentence in
their correct language; this confirms a localization bug specific to the Lithuanian
bundle, not an intentional design.
Prompt for AI Agent 🤖
This is a comment left during a code review.

**Path:** themes/src/main/resources-community/theme/base/login/messages/messages_lt.properties
**Line:** 71:71
**Comment:**
	*Possible Bug: The Lithuanian TOTP setup instruction message is now in Italian, which is a localization bug that will confuse users of this locale; it should remain in Lithuanian while removing the HTML links, preserving the original meaning.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.

codeant-ai Bot commented Feb 13, 2026

CodeAnt AI finished running the review.
