bad-username.message in messages.properties
cantor.2 at osu.edu
Tue Nov 13 08:53:49 EST 2018
> I think it's getting encoded as a string by the
> $encoder.encodeForHTML($message) in login-error.vm. Try changing it to just
> $message. I'm not sure what the collateral damage of that is, if any, so you
> might want to wrap that in an if clause to trap just this one message type.
Look at whatever is setting $message, and if it's possible for that to be unsanitized (i.e. not controlled directly from a message property) then that's basically suicide. You can change the template to deal with these conditions, but not blindly, that's a deployer responsibility.
More information about the users