admin-coderabbit
Owner

@admin-coderabbit admin-coderabbit commented Feb 4, 2026

This pull request was automatically created by @coderabbitai/e2e-reviewer.

Batch created pull request.

Summary by CodeRabbit

  • New Features

    • Added support for Verifiable Credentials (OID4VCI) and Issuer management.
    • Added recovery codes management with usage tracking.
    • Added Organizations feature allowing users to view and manage organizations.
    • Enhanced TOTP setup flow with step-by-step instructions.
    • Added scope consent text customization for user profile, email, address, phone, and roles.
  • Bug Fixes

    • Fixed HTML formatting in error and email messages across multiple languages.
    • Corrected placeholder formatting in multi-valued attribute error messages.
    • Improved message pluralization support for better internationalization.
    • Fixed anchor tag handling and HTML entity escaping in localized messages.
  • Chores

    • Updated localization strings across 20+ languages.
    • Added HTML sanitization and validation dependencies.
    • Enhanced message verification tools for HTML safety validation.

Closes #37428

Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>

coderabbit-eval bot commented Feb 4, 2026

📝 Walkthrough


This pull request introduces HTML safety validation for theme message properties, refactors TOTP setup flows into discrete steps across multiple locales, standardizes HTML email template formatting, normalizes WebAuthn error message formatting, adds new localization keys for recovery codes and verifiable credentials, and updates ICU-style pluralization patterns for message formatting.

Changes

| Cohort / File(s) | Summary |
|---|---|
| HTML Safety Verification Tool: `misc/theme-verifier/pom.xml`, `misc/theme-verifier/src/main/java/org/keycloak/themeverifier/VerifyMessageProperties.java`, `misc/theme-verifier/src/test/java/org/keycloak/themeverifier/VerifyMessagePropertiesTest.java` | Adds dependencies (owasp-java-html-sanitizer, commons-text) and implements HTML safety checks for translation properties, including normalized value comparison, HTML detection, sanitization, and anchor tag validation. Adds three new test methods with fixture files. |
| Test Resource Fixtures for HTML Validation: `misc/theme-verifier/src/test/resources/changedAnchor_*.properties`, `misc/theme-verifier/src/test/resources/illegalHtmlTag_*.properties`, `misc/theme-verifier/src/test/resources/noHtml_*.properties` | Adds test resource files for validating HTML safety rules: anchor tag modifications, illegal HTML tags, and no-HTML-allowed scenarios. |
| Account UI Message Enhancements: `js/apps/account-ui/maven-resources/theme/keycloak.v3/account/messages/messages_en.properties` | Adds new message keys for recovery codes (recovery-codes-number-used, recovery-codes-number-remaining, recovery-codes-generate-new-codes), verifiable credentials (oid4vci, verifiableCredentialsTitle, verifiableCredentialsDescription, and related alerts), scope consent texts, and organizations management. Updates error-invalid-multivalued-size to ICU MessageFormat with pluralization. |
| Admin UI Message Updates: `js/apps/admin-ui/maven-resources*/theme/keycloak.v2/admin/messages/messages_*.properties` | Updates error-invalid-multivalued-size message format to ICU pluralization style. Fixes Chinese (zh_CN) template placeholder formatting (templateHelp). |
| TOTP Setup Flow Refactoring: `themes/src/main/resources-community/theme/base/account/messages/messages_fi.properties`, `themes/src/main/resources-community/theme/base/account/messages/messages_sv.properties`, `themes/src/main/resources-community/theme/base/account/messages/messages_zh_CN.properties`, `themes/src/main/resources-community/theme/base/login/messages/messages_*.properties` (no, lt, sk, sv) | Replaces single detailed totpStep1 message with simplified instruction and adds discrete totpStep2/Step3 messages across multiple locale files, decomposing TOTP setup into step-by-step guidance. |
| HTML Email Template Corrections: `themes/src/main/resources-community/theme/base/email/messages/messages_*.properties` (da, fa, hu, lt, nl, tr, uk) | Fixes malformed HTML in email templates: corrects unclosed/mismatched paragraph tags, removes erroneous spaces in tag attributes, applies bold formatting to placeholders, and standardizes anchor href formatting. |
| WebAuthn Error Message Formatting: `themes/src/main/resources-community/theme/base/login/messages/messages_*.properties` (ar, ca, cs, de, el, es, fa, fi, fr, hr, ka, ko, lt, sk, th, tr, uk, zh_CN, zh_TW), `themes/src/main/resources/theme/base/login/messages/messages_en.properties` | Normalizes HTML line break tags from `<br/>` to `<br />` across four WebAuthn error messages (registration, api-get, auth-verification, register-verification) in 20+ language files. |
| Base Theme Admin/Login Messages: `themes/src/main/resources/theme/base/admin/messages/messages_en.properties`, `themes/src/main/resources/theme/base/login/messages/messages_en.properties` | Updates error-invalid-multivalued-size to use ICU pluralization format. Normalizes WebAuthn error message HTML break tags to `<br />` format. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Hoppity hop through translations so fine,
HTML safety checks keep messages in line,
TOTP steps now dance in graceful array,
While WebAuthn breaks take proper display,
Locales enhanced, recovery codes shine bright!

🚥 Pre-merge checks | ❌ 2
❌ Failed checks (2 warnings)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ⚠️ Warning | The title describes the PR as an automated test for HTML sanitizer implementation, but the actual changes include substantial updates to localization files, dependency additions, and verification logic—making the title misleading about the primary scope. | Revise the title to accurately reflect the main changes, such as 'Add HTML sanitizer verification and update localization messages' or 'Implement HTML safety checks for message properties'. |
| Description check | ⚠️ Warning | The PR description only mentions it was automatically created but provides no details about the actual changes, objectives, or context for the code modifications. | Add a substantive description explaining the purpose of HTML sanitization, which files are affected, and why these localization and dependency changes are necessary. |


@coderabbit-eval coderabbit-eval bot closed this Feb 4, 2026

@coderabbit-eval coderabbit-eval bot left a comment


Actionable comments posted: 11

🤖 Fix all issues with AI agents
In
`@js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties`:
- Line 3136: The property for key error-invalid-multivalued-size uses ICU choice
syntax which i18next in admin-ui doesn't support; either enable and configure
i18next-icu in the app or change the value for error-invalid-multivalued-size to
use i18next plural syntax by replacing the ICU choice segment with an i18next
plural expression for the third placeholder (use forms for =0, one, other) so
the correct singular/plural form is rendered at runtime.

In `@misc/theme-verifier/pom.xml`:
- Around line 75-85: Update the OWASP HTML Sanitizer dependency to a patched
release: change the owasp-java-html-sanitizer dependency (artifactId
owasp-java-html-sanitizer, groupId com.googlecode.owasp-java-html-sanitizer)
version from 20240325.1 to 20260101.1 (or later) in the pom.xml; after updating,
rebuild/resolve dependencies to ensure the new version is used and run tests
that exercise HtmlPolicyBuilder usages to confirm no regressions.

In
`@misc/theme-verifier/src/main/java/org/keycloak/themeverifier/VerifyMessageProperties.java`:
- Around line 99-111: The substring calls in VerifyMessageProperties (inside the
block checking Objects.equals(sanitized, value)) can throw
IllegalArgumentException when start + end >= value.length(); adjust the indices
before calling substring on value and sanitized: compute endIndexValue =
Math.max(start, value.length() - end) and endIndexSanitized = Math.max(start,
sanitized.length() - end) (or detect start >= value.length() - end and use an
empty string for that side), then use those safe indices in the messages.add
call so substring(start, endIndexValue) and substring(start, endIndexSanitized)
never receive start > endIndex; keep the existing start/end computation and only
guard the final substring boundaries to avoid exceptions.

In
`@themes/src/main/resources-community/theme/base/account/messages/messages_fi.properties`:
- Line 143: The property totpStep3 contains a Finnish typo: change the value
text by replacing "allaolevaan" with the correct two-word form "alla olevaan" so
the string for totpStep3 reads with "alla olevaan" instead of "allaolevaan".

In
`@themes/src/main/resources-community/theme/base/account/messages/messages_lt.properties`:
- Line 101: Replace the Italian string for totpStep1 and loginTotpStep1 with a
proper Lithuanian translation so both keys show Lithuanian during TOTP setup;
locate the entries named totpStep1 and loginTotpStep1 and change "Installa una
delle seguenti applicazioni sul tuo cellulare:" to the Lithuanian equivalent
(e.g., "Įdiekite vieną iš šių programėlių savo telefone:") in both
messages_lt.properties files.

In
`@themes/src/main/resources-community/theme/base/account/messages/messages_sv.properties`:
- Around line 96-98: The Swedish phrase for entering a key is awkward; update
the value for the properties key totpStep2 to use the correct verb form (e.g.,
replace "skriv i nyckeln" with "skriv in nyckeln" or "ange nyckeln") so the line
reads naturally when displayed to users.

In
`@themes/src/main/resources-community/theme/base/account/messages/messages_zh_CN.properties`:
- Line 112: The string for key totpStep1 uses Traditional Chinese characters
("手機", "應用程式") but this file is zh_CN; replace those words with Simplified
Chinese equivalents ("手机", "应用程序") so the totpStep1 value matches the locale and
surrounding entries.

In
`@themes/src/main/resources-community/theme/base/email/messages/messages_da.properties`:
- Line 9: Fix the typo in the message value for the key
identityProviderLinkBodyHtml: remove the stray leading "n" before "Hvis" in the
last paragraph so it reads "Hvis du ikke vil forbinde disse konti..." preserving
the rest of the HTML and placeholders unchanged.

In
`@themes/src/main/resources-community/theme/base/email/messages/messages_lt.properties`:
- Line 3: The emailVerificationBodyHtml property contains two Lithuanian typos
to fix while keeping the existing href="{0}" change: replace "Jei tao buvote"
with "Jei tai buvote" and remove the stray leading "n" so "nJei paskyros"
becomes "Jei paskyros"; ensure placeholders {0}, {1}, {2} remain unchanged in
the emailVerificationBodyHtml value.
- Line 6: The HTML message string identityProviderLinkBodyHtml is missing the
leading characters in the first word ("žas pageidauja"); update the value so the
sentence begins with "Kažkas pageidauja" to match the plain-text version (ensure
you edit the identityProviderLinkBodyHtml entry to restore the full word and
keep the existing href="{3}" and other placeholders intact).

In
`@themes/src/main/resources-community/theme/base/login/messages/messages_lt.properties`:
- Line 71: The Lithuanian localization key loginTotpStep1 currently contains
Italian text; replace the Italian string with a correct Lithuanian translation
so TOTP setup shows Lithuanian to users — update the value for loginTotpStep1 to
a Lithuanian sentence such as "Įdiekite vieną iš šių programėlių savo telefone:"
ensuring the properties file encoding is preserved.
🧹 Nitpick comments (3)
misc/theme-verifier/src/main/java/org/keycloak/themeverifier/VerifyMessageProperties.java (3)

58-63: Consider making policy factories static final constants.

These PolicyFactory instances are immutable and shared across all invocations. Using instance fields with UPPER_CASE naming is misleading since the convention implies constants.

♻️ Suggested refactor
-    PolicyFactory POLICY_SOME_HTML = new org.owasp.html.HtmlPolicyBuilder()
+    private static final PolicyFactory POLICY_SOME_HTML = new org.owasp.html.HtmlPolicyBuilder()
             .allowElements(
                     "br", "p", "strong", "b"
             ).toFactory();

-    PolicyFactory POLICY_NO_HTML = new org.owasp.html.HtmlPolicyBuilder().toFactory();
+    private static final PolicyFactory POLICY_NO_HTML = new org.owasp.html.HtmlPolicyBuilder().toFactory();

150-162: Typo in method name: santizeAnchors should be sanitizeAnchors.

✏️ Fix typo
-    private String santizeAnchors(String key, String value, String englishValue) {
+    private String sanitizeAnchors(String key, String value, String englishValue) {

Also update the call site at line 88:

-            value = santizeAnchors(key, value, englishValue);
+            value = sanitizeAnchors(key, value, englishValue);

139-143: Make HTML_TAGS pattern a static final constant.

Similar to the policy factories, this compiled Pattern is immutable and should be a static constant.

♻️ Suggested refactor
-    Pattern HTML_TAGS = Pattern.compile("<[a-z]+[^>]*>");
+    private static final Pattern HTML_TAGS = Pattern.compile("<[a-z]+[^>]*>");

@@ -3133,7 +3133,7 @@ bruteForceMode.PermanentLockout=Lockout permanently
bruteForceMode.TemporaryLockout=Lockout temporarily
bruteForceMode.PermanentAfterTemporaryLockout=Lockout permanently after temporary lockout
bruteForceMode=Brute Force Mode
error-invalid-multivalued-size=Attribute {{0}} must have at least {{1}} and at most {{2}} value(s).
error-invalid-multivalued-size=Attribute {0} must have at least {1} and at most {2} {2,choice,0#values|1#value|1<values}.
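Review bot: on the replacement error-invalid-multivalued-size line the placeholders change from {{0}}, {{1}}, {{2}} to {0}, {1}, {2} at the same time as the {2,choice,0#values|1#value|1<values} segment is added. Nothing in this hunk shows that the code reading this file accepts single-brace placeholders or the choice format, so either keep the double-brace form used by the removed line or include the formatter change in the same pull request, with a test that renders the message for 0, 1 and 2 values.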


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# First, let's check the file structure and understand where and how messages are used
find js/apps/admin-ui -type f -name "*.properties" | head -20

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 1542


🏁 Script executed:

#!/bin/bash
# Search for message formatting usage in the admin-ui
rg -n --type=ts --type=tsx --type=js --type=jsx 'formatMessage|MessageFormat|messages_en|IntlMessageFormat' js/apps/admin-ui --max-count=50

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 114


🏁 Script executed:

#!/bin/bash
# Look for build configuration files that might process .properties
find js/apps/admin-ui -name "pom.xml" -o -name "package.json" -o -name "webpack.config.*" -o -name "tsconfig.json" | head -20

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 211


🏁 Script executed:

#!/bin/bash
# Search for message formatting in admin-ui with correct file types
rg -n --type=ts --type=js 'formatMessage|MessageFormat|messages_en|IntlMessageFormat' js/apps/admin-ui --max-count=100

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 69


🏁 Script executed:

#!/bin/bash
# Check the package.json for formatting libraries
cat js/apps/admin-ui/package.json | grep -A 10 -B 10 '"dependencies"' | head -50

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 1464


🏁 Script executed:

#!/bin/bash
# Check the pom.xml to see how properties are processed
cat js/apps/admin-ui/pom.xml | head -100

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 3071


🏁 Script executed:

#!/bin/bash
# Look for where messages_en.properties is actually loaded/used
rg -n 'messages_en|messages\.properties|messages_' js/apps/admin-ui/src --type=ts --type=js

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 69


🏁 Script executed:

#!/bin/bash
# Check full package.json dependencies and devDependencies
cat js/apps/admin-ui/package.json

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 3970


🏁 Script executed:

#!/bin/bash
# Search for intl, i18n, or messageformat related packages more broadly
rg -n 'intl|i18n|messageformat|formatjs' js/apps/admin-ui/package.json js/apps/admin-ui/pnpm-lock.yaml 2>/dev/null | head -50

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 284


🏁 Script executed:

#!/bin/bash
# Check the vite config to understand how resources are handled
cat js/apps/admin-ui/vite.config.ts 2>/dev/null || cat js/apps/admin-ui/vite.config.js 2>/dev/null

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 1538


🏁 Script executed:

#!/bin/bash
# Search for i18next initialization and configuration
rg -n 'i18n\s*=' js/apps/admin-ui/src --type=ts --type=js -A 10 | head -100

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 770


🏁 Script executed:

#!/bin/bash
# Look for i18next configuration files
find js/apps/admin-ui -name "*i18n*" -o -name "*translation*" -o -name "*locale*" | head -20

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 278


🏁 Script executed:

#!/bin/bash
# Search for any reference to intl-messageformat in the entire repo
rg -r 'intl-messageformat|ICUFormat|Parser.*ICU' . 2>/dev/null | head -20

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 25013


🏁 Script executed:

#!/bin/bash
# Check main.tsx or index files to see i18next setup
cat js/apps/admin-ui/src/main.tsx

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 743


🏁 Script executed:

#!/bin/bash
# Read the complete i18n initialization file
cat js/apps/admin-ui/src/i18n/i18n.ts

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 1043


🏁 Script executed:

#!/bin/bash
# Read the translation formatter to see if custom ICU handling exists
cat js/apps/admin-ui/src/utils/translationFormatter.ts

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 419


🏁 Script executed:

#!/bin/bash
# Check what the label function from keycloak-ui-shared does
find . -path ./node_modules -prune -o -name "*.ts" -type f -exec grep -l "export.*label" {} \; | head -20

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 132


🏁 Script executed:

#!/bin/bash
# Look for keycloak-ui-shared source to understand the label function
find . -path "*keycloak-ui-shared*" -name "*.ts" -o -name "*.tsx" | head -30

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 1575


🏁 Script executed:

#!/bin/bash
# Check if there's any ICU or intl-messageformat usage in the shared library
rg -n 'ICU|intl-messageformat|choice' libs/keycloak-ui-shared 2>/dev/null | head -50

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 69


🏁 Script executed:

#!/bin/bash
# Find the label function in keycloak-ui-shared
rg -n "export.*label" js/libs/ui-shared/src --type=ts -A 5 | head -100

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 985


🏁 Script executed:

#!/bin/bash
# Look at the main index file of keycloak-ui-shared
cat js/libs/ui-shared/src/index.ts

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 149


🏁 Script executed:

#!/bin/bash
# Read the label function implementation completely
cat js/libs/ui-shared/src/user-profile/utils.ts

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 4134


🏁 Script executed:

#!/bin/bash
# Check if there's a main index or export file in ui-shared
ls -la js/libs/ui-shared/src/ | head -20

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 972


🌐 Web query:

i18next ICU MessageFormat choice syntax support

💡 Result:

i18next can use ICU MessageFormat only via a plugin such as i18next-icu, which swaps i18next’s default interpolation/plural system for FormatJS intl-messageformat parsing/formatting. [1]

What ICU “choice” syntax support means in this setup

  • i18next-icu supports the ICU MessageFormat arguments that intl-messageformat supports: plural, select, and selectordinal (plus number/date/time formatting). [2]
  • It does not provide Java/ICU4J-style choice formatting. In ICU/MessageFormat history, “choice” exists as a format type alongside plural/select in ICU implementations, but FormatJS’s intl-messageformat feature set is centered on plural/select/selectordinal rather than “choice”. [2][3]

What to use instead of choice

  • For numeric branching, use plural (with exact matches like =0, =1, etc.). [2]
  • For non-numeric branching (e.g., gender/status), use select (must include other). [2][3]

Example

"{count, plural, =0 {No items} one {One item} other {# items}}"
"{gender, select, male {He} female {She} other {They}}"

Sources
[1] i18next-icu README (uses FormatJS intl-messageformat)
[2] FormatJS intl-messageformat docs (supported: plural/select/selectordinal)
[3] ICU docs noting “choice” as a distinct format type in ICU MessageFormat implementations


Replace ICU choice syntax with i18next-compatible plural syntax or add i18next-icu support.

The admin-ui formatter uses i18next without the i18next-icu plugin, so the ICU choice pattern {2,choice,0#values|1#value|1<values} will render literally in the UI instead of being formatted. Either install and configure i18next-icu to enable ICU MessageFormat support, or rewrite the message using i18next's native plural syntax: {2, plural, =0 {values} one {value} other {values}}.

🤖 Prompt for AI Agents
In
`@js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties`
at line 3136, The property for key error-invalid-multivalued-size uses ICU
choice syntax which i18next in admin-ui doesn't support; either enable and
configure i18next-icu in the app or change the value for
error-invalid-multivalued-size to use i18next plural syntax by replacing the ICU
choice segment with an i18next plural expression for the third placeholder (use
forms for =0, one, other) so the correct singular/plural form is rendered at
runtime.

Comment on lines +75 to +85
<dependency>
<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
<artifactId>owasp-java-html-sanitizer</artifactId>
<version>20240325.1</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-text</artifactId>
<version>1.13.0</version>
<scope>compile</scope>
</dependency>
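Review bot: both new dependencies pin their versions inline (20240325.1 and 1.13.0), and only the commons-text entry spells out <scope>compile</scope>. Move the versions into properties or dependencyManagement so a security upgrade is made in one place, and either drop the explicit compile scope (it is Maven's default) or state it on both entries for consistency.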


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

CVE owasp-java-html-sanitizer 20240325.1 security vulnerability

💡 Result:

Vulnerability: CVE-2025-66021 (GitHub advisory GHSA-g9gq-3pfx-2gw2) affects OWASP Java HTML Sanitizer (Maven com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer) version 20240325.1. [1][2]

What it is: A cross-site scripting (XSS) issue that can occur only in a specific configuration: when HtmlPolicyBuilder allows both <noscript> and <style> and uses .allowTextIn("style"). In that edge case, a crafted payload can cause script to survive sanitization and execute in the browser. [1][2]

Severity: CVSS v4 base score 8.6 (High) as reported by the CNA (GitHub). [2]

Fix / patched version: Upgrade to 20260101.1, which GitHub lists as the patched release for this advisory. [1]

Mitigation (if you can’t upgrade immediately):

  • Avoid the vulnerable policy combination: don’t allow noscript, and/or don’t use allowTextIn("style") (or don’t allow style). [1][2]

Sources: GitHub Advisory Database [1], NVD [2].


🌐 Web query:

CVE commons-text 1.13.0 security vulnerability

💡 Result:

For Apache Commons Text 1.13.0, the well-known Commons Text RCE issue (“Text4Shell”, CVE-2022-42889) does not apply, because the affected range is Commons Text 1.5–1.9 (i.e., versions prior to 1.10.0) and the mitigation was released in 1.10.0 (safer defaults for interpolation lookups) [1][2][3].

What to do

  • If you are on 1.13.0, you are already past the affected versions for CVE-2022-42889 [1][2].
  • Still, follow Apache’s guidance: do not pass untrusted input into StringSubstitutor without validation/sanitization, because exploitation depends on how the API is used [1][3].

Sources
[1] Apache Commons Text Security Reports (CVE-2022-42889 applies to versions prior to 1.10.0)
[2] NVD: CVE-2022-42889 (affected versions 1.5 through 1.9; upgrade to 1.10.0+)
[3] Apache Security blog: CVE-2022-42889 details and mitigation in Commons Text 1.10.0


🏁 Script executed:

#!/bin/bash
# Check Maven Central for these dependencies and their latest versions

echo "=== Checking owasp-java-html-sanitizer versions ==="
curl -s "https://repo1.maven.org/maven2/com/googlecode/owasp-java-html-sanitizer/owasp-java-html-sanitizer/" | grep -oP '(20[0-9]{6}\.[0-9]+|jar|pom)' | sort -u | head -20

echo ""
echo "=== Checking commons-text versions ==="
curl -s "https://repo1.maven.org/maven2/org/apache/commons/commons-text/" | grep -oP '[0-9]+\.[0-9]+\.[0-9]+' | sort -V | tail -10

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 468


Upgrade OWASP HTML Sanitizer to patch critical XSS vulnerability.

The dependency owasp-java-html-sanitizer:20240325.1 contains CVE-2025-66021 (GHSA-g9gq-3pfx-2gw2), a high-severity XSS vulnerability (CVSS 8.6). The vulnerability occurs in a specific policy configuration when HtmlPolicyBuilder allows both <noscript> and <style> with .allowTextIn("style"), allowing crafted payloads to bypass sanitization. Upgrade to version 20260101.1 or later.

The commons-text:1.13.0 dependency is secure and appropriate for the feature.

🤖 Prompt for AI Agents
In `@misc/theme-verifier/pom.xml` around lines 75 - 85, Update the OWASP HTML
Sanitizer dependency to a patched release: change the owasp-java-html-sanitizer
dependency (artifactId owasp-java-html-sanitizer, groupId
com.googlecode.owasp-java-html-sanitizer) version from 20240325.1 to 20260101.1
(or later) in the pom.xml; after updating, rebuild/resolve dependencies to
ensure the new version is used and run tests that exercise HtmlPolicyBuilder
usages to confirm no regressions.

Comment on lines +99 to +111
if (!Objects.equals(sanitized, value)) {

// Strip identical characters from the beginning and the end to show where the difference is
int start = 0;
while (start < sanitized.length() && start < value.length() && value.charAt(start) == sanitized.charAt(start)) {
start++;
}
int end = 0;
while (end < sanitized.length() && end < value.length() && value.charAt(value.length() - end - 1) == sanitized.charAt(sanitized.length() - end - 1)) {
end++;
}

messages.add("Illegal HTML in key " + key + " for file " + file + ": '" + value.substring(start, value.length() - end) + "' vs. '" + sanitized.substring(start, sanitized.length() - end) + "'");
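Review bot: the second while loop bounds end only by the two string lengths, not by start, so the prefix and suffix scans can claim the same characters and sanitized.length() - end can fall below start. When that happens substring(start, sanitized.length() - end) throws StringIndexOutOfBoundsException instead of reporting the illegal HTML; bound the loop with end < sanitized.length() - start && end < value.length() - start.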


⚠️ Potential issue | 🟡 Minor

Potential IllegalArgumentException in substring when strings overlap.

If start + end >= value.length() (which can happen when the strings are very similar with only a small difference), the substring call value.substring(start, value.length() - end) will have start > endIndex, causing an exception.

🐛 Proposed fix to handle overlap
             if (!Objects.equals(sanitized, value)) {

                 // Strip identical characters from the beginning and the end to show where the difference is
                 int start = 0;
                 while (start < sanitized.length() && start < value.length() && value.charAt(start) == sanitized.charAt(start)) {
                     start++;
                 }
                 int end = 0;
-                while (end < sanitized.length() && end < value.length() && value.charAt(value.length() - end - 1) == sanitized.charAt(sanitized.length() - end - 1)) {
+                while (end < sanitized.length() - start && end < value.length() - start && value.charAt(value.length() - end - 1) == sanitized.charAt(sanitized.length() - end - 1)) {
                     end++;
                 }

                 messages.add("Illegal HTML in key " + key + " for file " + file + ": '" + value.substring(start, value.length() - end) + "' vs. '" + sanitized.substring(start, sanitized.length() - end) + "'");
             }
🤖 Prompt for AI Agents
In
`@misc/theme-verifier/src/main/java/org/keycloak/themeverifier/VerifyMessageProperties.java`
around lines 99 - 111, The substring calls in VerifyMessageProperties (inside
the block checking Objects.equals(sanitized, value)) can throw
IllegalArgumentException when start + end >= value.length(); adjust the indices
before calling substring on value and sanitized: compute endIndexValue =
Math.max(start, value.length() - end) and endIndexSanitized = Math.max(start,
sanitized.length() - end) (or detect start >= value.length() - end and use an
empty string for that side), then use those safe indices in the messages.add
call so substring(start, endIndexValue) and substring(start, endIndexSanitized)
never receive start > endIndex; keep the existing start/end computation and only
guard the final substring boundaries to avoid exceptions.
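
The overlap case discussed in the comment above, as an added example that is not part of the pull request or of Keycloak's code: it runs the suffix scan as written in the reviewed lines beside a variant bounded by `start`. The class name, method names and both sample pairs are constructed for illustration, and the "sanitized" strings are hand-written stand-ins rather than real sanitizer output.

```java
import java.util.Objects;

// Added illustration; DiffWindowDemo and its methods are hypothetical names.
public class DiffWindowDemo {

    /** Number of leading characters that value and sanitized share. */
    static int commonPrefix(String value, String sanitized) {
        int start = 0;
        while (start < sanitized.length() && start < value.length()
                && value.charAt(start) == sanitized.charAt(start)) {
            start++;
        }
        return start;
    }

    /** Suffix scan as in the reviewed lines: limited only by the string lengths. */
    static int commonSuffixUnbounded(String value, String sanitized) {
        int end = 0;
        while (end < sanitized.length() && end < value.length()
                && value.charAt(value.length() - end - 1) == sanitized.charAt(sanitized.length() - end - 1)) {
            end++;
        }
        return end;
    }

    /** Suffix scan that never reaches back into the first `start` characters. */
    static int commonSuffixBounded(String value, String sanitized, int start) {
        int end = 0;
        while (end < sanitized.length() - start && end < value.length() - start
                && value.charAt(value.length() - end - 1) == sanitized.charAt(sanitized.length() - end - 1)) {
            end++;
        }
        return end;
    }

    /** Builds the "'x' vs. 'y'" fragment of the verifier message for one pair. */
    static String describe(String value, String sanitized, boolean bounded) {
        if (Objects.equals(sanitized, value)) {
            return "identical";
        }
        int start = commonPrefix(value, sanitized);
        int end = bounded
                ? commonSuffixBounded(value, sanitized, start)
                : commonSuffixUnbounded(value, sanitized);
        // String.substring throws StringIndexOutOfBoundsException when begin > end.
        return "'" + value.substring(start, value.length() - end)
                + "' vs. '" + sanitized.substring(start, sanitized.length() - end) + "'";
    }

    public static void main(String[] args) {
        // Constructed pairs: {original value, stand-in for the sanitized value}.
        String[][] samples = {
            // Difference sits between distinct text: prefix and suffix do not overlap.
            {"Click <i>here</i> now", "Click here now"},
            // Element removed between two identical paragraphs: the shared prefix
            // and shared suffix together are longer than the sanitized string.
            {"<p>a</p><script></script><p>a</p>", "<p>a</p><p>a</p>"},
        };

        for (String[] pair : samples) {
            String value = pair[0];
            String sanitized = pair[1];
            System.out.println("value:     " + value);
            System.out.println("sanitized: " + sanitized);
            try {
                System.out.println("  unbounded: " + describe(value, sanitized, false));
            } catch (StringIndexOutOfBoundsException e) {
                System.out.println("  unbounded: threw " + e.getClass().getSimpleName());
            }
            System.out.println("  bounded:   " + describe(value, sanitized, true));
        }
    }
}
```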

@@ -138,7 +138,7 @@ revoke=Kumoa oikeudet

configureAuthenticators=Konfiguroitu kaksivaiheinen kirjautuminen
mobile=Mobiili
totpStep1=Asenna <a href="https://freeotp.github.io/" target="_blank">FreeOTP</a> tai Google Authenticator ohjelma laiteellesi. Kummatkin sovellukset ovat saatavilla <a href="https://play.google.com">Google Play</a> ja Apple App Store kaupoissa.
totpStep1=Asenna jokin seuraavista sovelluksista matkapuhelimeesi:
totpStep2=Avaa sovellus ja skannaa QR-koodi tai kirjoita avain.
totpStep3=Täytä saamasi kertaluontoinen koodisi allaolevaan kenttään ja paina Tallenna.
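Review bot: the new totpStep1 ends in a colon and no longer names any application, whereas the removed value named FreeOTP and Google Authenticator inline. Confirm that the template showing this key renders the application list after it, and correct "allaolevaan" in totpStep3 to "alla olevaan".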


⚠️ Potential issue | 🟡 Minor

Fix Finnish typo in instruction text.

“allaolevaan” should be “alla olevaan”.

🔧 Proposed fix
-totpStep3=Täytä saamasi kertaluontoinen koodisi allaolevaan kenttään ja paina Tallenna.
+totpStep3=Täytä saamasi kertaluontoinen koodisi alla olevaan kenttään ja paina Tallenna.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
totpStep3=Täytä saamasi kertaluontoinen koodisi allaolevaan kenttään ja paina Tallenna.
totpStep3=Täytä saamasi kertaluontoinen koodisi alla olevaan kenttään ja paina Tallenna.
🤖 Prompt for AI Agents
In
`@themes/src/main/resources-community/theme/base/account/messages/messages_fi.properties`
at line 143, The property totpStep3 contains a Finnish typo: change the value
text by replacing "allaolevaan" with the correct two-word form "alla olevaan" so
the string for totpStep3 reads with "alla olevaan" instead of "allaolevaan".

@@ -98,7 +98,7 @@ revoke=Atšaukti įgaliojimą

configureAuthenticators=Sukonfigūruotas autentifikatorius
mobile=Mobilus
totpStep1=Įdiekite <a href="https://freeotp.github.io/" target="_blank">FreeOTP</a> arba Google Authenticator savo įrenginyje. Programėlės prieinamos <a href="https://play.google.com">Google Play</a> ir Apple App Store.
totpStep1=Installa una delle seguenti applicazioni sul tuo cellulare:
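Review bot: the replacement totpStep1 value is Italian ("Installa una delle seguenti applicazioni sul tuo cellulare:") although the removed line and the surrounding keys in this hunk are Lithuanian. Replace it with a Lithuanian string before merging.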


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, verify the file exists and check its structure
find . -name "messages_lt.properties" -type f

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 642


🏁 Script executed:

# Check the content around line 101
if [ -f "themes/src/main/resources-community/theme/base/account/messages/messages_lt.properties" ]; then
  echo "=== Lines 99-105 of messages_lt.properties ==="
  sed -n '99,105p' "themes/src/main/resources-community/theme/base/account/messages/messages_lt.properties"
  echo ""
  echo "=== File statistics ==="
  wc -l "themes/src/main/resources-community/theme/base/account/messages/messages_lt.properties"
fi

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 642


🏁 Script executed:

# Search for the Italian text pattern mentioned in the review across all locale files
echo "=== Searching for Italian text in non-Italian locale files ==="
rg -n "Installa una delle|sul tuo cellulare|seguenti applicazioni" \
  --glob '**/messages_*.properties' \
  --glob '!**/messages_it.properties' \
  -A 0 -B 0

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 473


🏁 Script executed:

# Also check if there's an Italian locale file to compare
echo "=== Checking for Italian locale file ==="
find . -name "messages_it.properties" -type f

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 582


🏁 Script executed:

# If Italian locale file exists, check line 101 there for comparison
if [ -f "themes/src/main/resources-community/theme/base/account/messages/messages_it.properties" ]; then
  echo "=== Lines 99-105 of messages_it.properties (for comparison) ==="
  sed -n '99,105p' "themes/src/main/resources-community/theme/base/account/messages/messages_it.properties"
fi

Repository: admin-coderabbit/coderabbit-keycloak-mirror

Length of output: 297


Critical localization error: Italian text in Lithuanian locale files.

The value for totpStep1 contains Italian text ("Installa una delle seguenti applicazioni sul tuo cellulare:") instead of Lithuanian. This breaks the user experience for Lithuanian users, who will see mixed languages during TOTP setup (Italian for step 1, Lithuanian for steps 2-3).

The same Italian text also appears in themes/src/main/resources-community/theme/base/login/messages/messages_lt.properties at line 71 under loginTotpStep1.

🌍 Proposed fix with Lithuanian translation
-totpStep1=Installa una delle seguenti applicazioni sul tuo cellulare:
+totpStep1=Įdiekite vieną iš šių programėlių į savo mobilųjį telefoną:

Apply the same fix to login/messages/messages_lt.properties line 71 for loginTotpStep1.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
totpStep1=Installa una delle seguenti applicazioni sul tuo cellulare:
totpStep1=Įdiekite vieną iš šių programėlių į savo mobilųjį telefoną:
🤖 Prompt for AI Agents
In
`@themes/src/main/resources-community/theme/base/account/messages/messages_lt.properties`
at line 101, Replace the Italian string for totpStep1 and loginTotpStep1 with a
proper Lithuanian translation so both keys show Lithuanian during TOTP setup;
locate the entries named totpStep1 and loginTotpStep1 and change "Installa una
delle seguenti applicazioni sul tuo cellulare:" to the Lithuanian equivalent
(e.g., "Įdiekite vieną iš šių programėlių savo telefone:") in both
messages_lt.properties files.

@@ -109,7 +109,7 @@ revoke=收回授权

configureAuthenticators=配置的认证者
mobile=手机
totpStep1=在你的设备上安装 <a href="https://fedorahosted.org/freeotp/" target="_blank">FreeOTP</a> 或者 Google Authenticator.两个应用可以从 <a href="https://play.google.com">Google Play</a> 和 Apple App Store下载。
totpStep1=在您的手機上安裝以下應用程式之一:

⚠️ Potential issue | 🟡 Minor

Use Simplified Chinese wording for zh_CN.

The updated text uses Traditional characters (“手機”, “應用程式”) while this file is zh_CN and surrounding strings are Simplified. Consider using “手机 / 应用程序” to keep locale consistency.

✏️ Suggested fix
-totpStep1=在您的手機上安裝以下應用程式之一:
+totpStep1=在您的手机上安装以下应用程序之一:
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
totpStep1=在您的手機上安裝以下應用程式之一
totpStep1=在您的手机上安装以下应用程序之一
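Review bot: both lines of this committable suggestion end in "之一" without the trailing colon that the hunk line and the proposed fix carry, so applying it as shown would also drop the colon. Keep the colon in the replacement line.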
🤖 Prompt for AI Agents
In
`@themes/src/main/resources-community/theme/base/account/messages/messages_zh_CN.properties`
at line 112, The string for key totpStep1 uses Traditional Chinese characters
("手機", "應用程式") but this file is zh_CN; replace those words with Simplified
Chinese equivalents ("手机", "应用程序") so the totpStep1 value matches the locale and
surrounding entries.

@@ -6,7 +6,7 @@ emailTestBody=Dette er en test besked
emailTestBodyHtml=<p>Dette er en test besked</p>
identityProviderLinkSubject=Link {0}
identityProviderLinkBody=Nogen vil forbinde din "{1}" konto med "{0}" kontoen som er tilknyttet brugeren {2}. Hvis dette var dig, bedes du klikke på forbindet herunder for at forbinde de to konti\n\n{3}\n\nDette link vil udløbe efter {5}.\n\nHvis du ikke vil forbinde disse konti, kan du bare ignore denne besked. Hvis du vælger at forbinde de to konti, kan du logge ind som {1} via {0}.
identityProviderLinkBodyHtml=<p>Nogen vil forbinde din <b>{1}</b> konto med <b>{0}</b> kontoen som er tilknyttet brugeren {2}. Hvis dette var dig, bedes du klikke på forbindet herunder for at forbinde de to konti</p><p><a href="{3}">Bekræft</a></p><p>Dette link vil udløbe efter {5}.</p><p>nHvis du ikke vil forbinde disse konti, kan du bare ignore denne besked. Hvis du vælger at forbinde de to konti, kan du logge ind som {1} via {0}.
identityProviderLinkBodyHtml=<p>Nogen vil forbinde din <b>{1}</b> konto med <b>{0}</b> kontoen som er tilknyttet brugeren {2}. Hvis dette var dig, bedes du klikke på forbindet herunder for at forbinde de to konti</p><p><a href="{3}">Bekræft</a></p><p>Dette link vil udløbe efter {5}.</p><p>nHvis du ikke vil forbinde disse konti, kan du bare ignore denne besked. Hvis du vælger at forbinde de to konti, kan du logge ind som {1} via {0}.</p>

⚠️ Potential issue | 🟡 Minor

Minor typo: "nHvis" should be "Hvis"

The HTML structure improvements look good with proper closing tags and punctuation. However, there's a typo in the last paragraph where "nHvis" should be "Hvis" (without the leading "n").

📝 Proposed fix for the typo
-identityProviderLinkBodyHtml=<p>Nogen vil forbinde din <b>{1}</b> konto med <b>{0}</b> kontoen som er tilknyttet brugeren {2}. Hvis dette var dig, bedes du klikke på forbindet herunder for at forbinde de to konti</p><p><a href="{3}">Bekræft</a></p><p>Dette link vil udløbe efter {5}.</p><p>nHvis du ikke vil forbinde disse konti, kan du bare ignore denne besked. Hvis du vælger at forbinde de to konti, kan du logge ind som {1} via {0}.</p>
+identityProviderLinkBodyHtml=<p>Nogen vil forbinde din <b>{1}</b> konto med <b>{0}</b> kontoen som er tilknyttet brugeren {2}. Hvis dette var dig, bedes du klikke på forbindet herunder for at forbinde de to konti</p><p><a href="{3}">Bekræft</a></p><p>Dette link vil udløbe efter {5}.</p><p>Hvis du ikke vil forbinde disse konti, kan du bare ignore denne besked. Hvis du vælger at forbinde de to konti, kan du logge ind som {1} via {0}.</p>
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
identityProviderLinkBodyHtml=<p>Nogen vil forbinde din <b>{1}</b> konto med <b>{0}</b> kontoen som er tilknyttet brugeren {2}. Hvis dette var dig, bedes du klikke på forbindet herunder for at forbinde de to konti</p><p><a href="{3}">Bekræft</a></p><p>Dette link vil udløbe efter {5}.</p><p>nHvis du ikke vil forbinde disse konti, kan du bare ignore denne besked. Hvis du vælger at forbinde de to konti, kan du logge ind som {1} via {0}.</p>
identityProviderLinkBodyHtml=<p>Nogen vil forbinde din <b>{1}</b> konto med <b>{0}</b> kontoen som er tilknyttet brugeren {2}. Hvis dette var dig, bedes du klikke på forbindet herunder for at forbinde de to konti</p><p><a href="{3}">Bekræft</a></p><p>Dette link vil udløbe efter {5}.</p><p>Hvis du ikke vil forbinde disse konti, kan du bare ignore denne besked. Hvis du vælger at forbinde de to konti, kan du logge ind som {1} via {0}.</p>
🤖 Prompt for AI Agents
In
`@themes/src/main/resources-community/theme/base/email/messages/messages_da.properties`
at line 9, Fix the typo in the message value for the key
identityProviderLinkBodyHtml: remove the stray leading "n" before "Hvis" in the
last paragraph so it reads "Hvis du ikke vil forbinde disse konti..." preserving
the rest of the HTML and placeholders unchanged.

@@ -1,15 +1,15 @@
emailVerificationSubject=El. pašto patvirtinimas
emailVerificationBody=Paskyra {2} sukurta naudojant šį el. pašto adresą. Jei tai buvote Jūs, tuomet paspauskite žemiau esančią nuorodą\n\n{0}\n\nŠi nuoroda galioja {1} min.\n\nJei paskyros nekūrėte, tuomet ignuoruokite šį laišką.
emailVerificationBodyHtml=<p>Paskyra {2} sukurta naudojant šį el. pašto adresą. Jei tao buvote Jūs, tuomet paspauskite žemiau esančią nuorodą</p><p><a href=LT"{0}">{0}</a></p><p>Ši nuoroda galioja {1} min.</p><p>nJei paskyros nekūrėte, tuomet ignuoruokite šį laišką.</p>
emailVerificationBodyHtml=<p>Paskyra {2} sukurta naudojant šį el. pašto adresą. Jei tao buvote Jūs, tuomet paspauskite žemiau esančią nuorodą</p><p><a href="{0}">{0}</a></p><p>Ši nuoroda galioja {1} min.</p><p>nJei paskyros nekūrėte, tuomet ignuoruokite šį laišką.</p>

⚠️ Potential issue | 🟡 Minor

HTML href fix looks correct, but typos detected in content.

The href="{0}" fix is correct. However, there appear to be typos in the Lithuanian text:

  • "Jei tao buvote" should likely be "Jei tai buvote" (typo: "tao" → "tai")
  • "nJei paskyros" has a stray "n" character - should be "Jei paskyros"

These may be pre-existing issues, but consider fixing them while updating this file.

Suggested fix
-emailVerificationBodyHtml=<p>Paskyra {2} sukurta naudojant šį el. pašto adresą. Jei tao buvote Jūs, tuomet paspauskite žemiau esančią nuorodą</p><p><a href="{0}">{0}</a></p><p>Ši nuoroda galioja {1} min.</p><p>nJei paskyros nekūrėte, tuomet ignuoruokite šį laišką.</p>
+emailVerificationBodyHtml=<p>Paskyra {2} sukurta naudojant šį el. pašto adresą. Jei tai buvote Jūs, tuomet paspauskite žemiau esančią nuorodą</p><p><a href="{0}">{0}</a></p><p>Ši nuoroda galioja {1} min.</p><p>Jei paskyros nekūrėte, tuomet ignuoruokite šį laišką.</p>
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
emailVerificationBodyHtml=<p>Paskyra {2} sukurta naudojant šį el. pašto adresą. Jei tao buvote Jūs, tuomet paspauskite žemiau esančią nuorodą</p><p><a href="{0}">{0}</a></p><p>Ši nuoroda galioja {1} min.</p><p>nJei paskyros nekūrėte, tuomet ignuoruokite šį laišką.</p>
emailVerificationBodyHtml=<p>Paskyra {2} sukurta naudojant šį el. pašto adresą. Jei tai buvote Jūs, tuomet paspauskite žemiau esančią nuorodą</p><p><a href="{0}">{0}</a></p><p>Ši nuoroda galioja {1} min.</p><p>Jei paskyros nekūrėte, tuomet ignuoruokite šį laišką.</p>
🤖 Prompt for AI Agents
In
`@themes/src/main/resources-community/theme/base/email/messages/messages_lt.properties`
at line 3, The emailVerificationBodyHtml property contains two Lithuanian typos
to fix while keeping the existing href="{0}" change: replace "Jei tao buvote"
with "Jei tai buvote" and remove the stray leading "n" so "nJei paskyros"
becomes "Jei paskyros"; ensure placeholders {0}, {1}, {2} remain unchanged in
the emailVerificationBodyHtml value.

identityProviderLinkSubject=Sąsaja {0}
identityProviderLinkBody=Kažas pageidauja susieti Jūsų "{1}" paskyrą su "{0}" {2} naudotojo paskyrą. Jei tai buvote Jūs, tuomet paspauskite žemiau esančią nuorodą norėdami susieti paskyras\n\n{3}\n\nŠi nuoroda galioja {4} min.\n\nJei paskyrų susieti nenorite, tuomet ignoruokite šį laišką. Jei paskyras susiesite, tuomet prie {1} galėsiste prisijungti per {0}.
identityProviderLinkBodyHtml=<p>žas pageidauja susieti Jūsų <b>{1}</b> paskyrą su <b>{0}</b> {2} naudotojo paskyrą. Jei tai buvote Jūs, tuomet paspauskite žemiau esančią nuorodą norėdami susieti paskyras</p><p><a href=LT"{3}">{3}</a></p><p>Ši nuoroda galioja {4} min.</p><p>Jei paskyrų susieti nenorite, tuomet ignoruokite šį laišką. Jei paskyras susiesite, tuomet prie {1} galėsiste prisijungti per {0}.</p>
identityProviderLinkBodyHtml=<p>žas pageidauja susieti Jūsų <b>{1}</b> paskyrą su <b>{0}</b> {2} naudotojo paskyrą. Jei tai buvote Jūs, tuomet paspauskite žemiau esančią nuorodą norėdami susieti paskyras</p><p><a href="{3}">{3}</a></p><p>Ši nuoroda galioja {4} min.</p><p>Jei paskyrų susieti nenorite, tuomet ignoruokite šį laišką. Jei paskyras susiesite, tuomet prie {1} galėsiste prisijungti per {0}.</p>
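
Review bot: the unchanged plain-text line identityProviderLinkBody in this hunk starts with "Kažas", and the emailVerificationBody and emailVerificationBodyHtml values spell "ignuoruokite" where the identityProviderLink values spell "ignoruokite". Since the Html values are being edited anyway, correct the plain-text and Html variant of each key together so the two bodies of the same e-mail stay in step.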

⚠️ Potential issue | 🟡 Minor

HTML href fix looks correct, but text appears truncated.

The href="{3}" fix is correct. However, the text appears to be truncated:

  • "žas pageidauja" is missing the beginning - should be "Kažkas pageidauja" (matching line 5's plain text version)

Suggested fix
-identityProviderLinkBodyHtml=<p>žas pageidauja susieti Jūsų <b>{1}</b> paskyrą su <b>{0}</b> {2} naudotojo paskyrą. Jei tai buvote Jūs, tuomet paspauskite žemiau esančią nuorodą norėdami susieti paskyras</p><p><a href="{3}">{3}</a></p><p>Ši nuoroda galioja {4} min.</p><p>Jei paskyrų susieti nenorite, tuomet ignoruokite šį laišką. Jei paskyras susiesite, tuomet prie {1} galėsiste prisijungti per {0}.</p>
+identityProviderLinkBodyHtml=<p>Kažkas pageidauja susieti Jūsų <b>{1}</b> paskyrą su <b>{0}</b> {2} naudotojo paskyrą. Jei tai buvote Jūs, tuomet paspauskite žemiau esančią nuorodą norėdami susieti paskyras</p><p><a href="{3}">{3}</a></p><p>Ši nuoroda galioja {4} min.</p><p>Jei paskyrų susieti nenorite, tuomet ignoruokite šį laišką. Jei paskyras susiesite, tuomet prie {1} galėsiste prisijungti per {0}.</p>
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
identityProviderLinkBodyHtml=<p>žas pageidauja susieti Jūsų <b>{1}</b> paskyrą su <b>{0}</b> {2} naudotojo paskyrą. Jei tai buvote Jūs, tuomet paspauskite žemiau esančią nuorodą norėdami susieti paskyras</p><p><a href="{3}">{3}</a></p><p>Ši nuoroda galioja {4} min.</p><p>Jei paskyrų susieti nenorite, tuomet ignoruokite šį laišką. Jei paskyras susiesite, tuomet prie {1} galėsiste prisijungti per {0}.</p>
identityProviderLinkBodyHtml=<p>Kažkas pageidauja susieti Jūsų <b>{1}</b> paskyrą su <b>{0}</b> {2} naudotojo paskyrą. Jei tai buvote Jūs, tuomet paspauskite žemiau esančią nuorodą norėdami susieti paskyras</p><p><a href="{3}">{3}</a></p><p>Ši nuoroda galioja {4} min.</p><p>Jei paskyrų susieti nenorite, tuomet ignoruokite šį laišką. Jei paskyras susiesite, tuomet prie {1} galėsiste prisijungti per {0}.</p>
🤖 Prompt for AI Agents
In
`@themes/src/main/resources-community/theme/base/email/messages/messages_lt.properties`
at line 6, The HTML message string identityProviderLinkBodyHtml is missing the
leading characters in the first word ("žas pageidauja"); update the value so the
sentence begins with "Kažkas pageidauja" to match the plain-text version (ensure
you edit the identityProviderLinkBodyHtml entry to restore the full word and
keep the existing href="{3}" and other placeholders intact).

@@ -68,7 +68,7 @@ country=Šalis
emailVerified=El. pašto adresas patvirtintas
gssDelegationCredential=GSS prisijungimo duomenų delegavimas

loginTotpStep1=Įdiekite <a href="https://freeotp.github.io/" target="_blank">FreeOTP</a> arba Google Authenticator savo įrenginyje. Programėlės prieinamos <a href="https://play.google.com">Google Play</a> ir Apple App Store.
loginTotpStep1=Installa una delle seguenti applicazioni sul tuo cellulare:

⚠️ Potential issue | 🔴 Critical

Critical localization error: Italian text in Lithuanian file.

Line 71 contains Italian text ("Installa una delle seguenti applicazioni sul tuo cellulare:") in a Lithuanian localization file. Lithuanian users will see Italian instructions during TOTP setup, making the interface incomprehensible.

🌐 Proposed fix with proper Lithuanian translation
-loginTotpStep1=Installa una delle seguenti applicazioni sul tuo cellulare:
+loginTotpStep1=Įdiekite vieną iš šių programėlių į savo mobilųjį telefoną:
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
loginTotpStep1=Installa una delle seguenti applicazioni sul tuo cellulare:
loginTotpStep1=Įdiekite vieną iš šių programėlių į savo mobilųjį telefoną:
🤖 Prompt for AI Agents
In
`@themes/src/main/resources-community/theme/base/login/messages/messages_lt.properties`
at line 71, The Lithuanian localization key loginTotpStep1 currently contains
Italian text; replace the Italian string with a correct Lithuanian translation
so TOTP setup shows Lithuanian to users — update the value for loginTotpStep1 to
a Lithuanian sentence such as "Įdiekite vieną iš šių programėlių savo telefone:"
ensuring the properties file encoding is preserved.
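
A minimal lint for the two markup defects this review discusses in the Html message values (a paragraph left without its closing tag, and the malformed `href=LT"{0}"`), as an added example that is not the PR's VerifyMessageProperties code. The function names, the href allow-list and the sample lines are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption for this example: a link target is either a single MessageFormat
# placeholder such as {0} or an absolute https URL.
HREF_OK = re.compile(r"^(\{\d+\}|https://[^\s\"'<>]+)$")
VOID_TAGS = {"br", "hr", "img"}

# Constructed sample, shortened from the values quoted in the review above.
SAMPLE = """\
emailTestBodyHtml=<p>Dette er en test besked</p>
identityProviderLinkBodyHtml=<p><a href="{3}">Bekræft</a></p><p>Dette link vil udløbe efter {5}.
emailVerificationBodyHtml=<p><a href=LT"{0}">{0}</a></p><p>Ši nuoroda galioja {1} min.</p>
emailVerificationBody=Ši nuoroda galioja {1} min.
"""

class TagChecker(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack, self.problems = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:
            self.stack.append(tag)
        for name, value in attrs:
            # An unquoted or prefixed value such as LT"{0}" fails the allow-list.
            if name == "href" and not HREF_OK.match(value or ""):
                self.problems.append(f"suspicious href value {value!r}")

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self.stack and self.stack[-1] == tag:
            self.stack.pop()
        else:
            self.problems.append(f"unexpected </{tag}>")

def parse_properties(text):
    """Minimal key=value reader: skips comments, no line continuations."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, sep, value = line.partition("=")
            if sep:
                entries[key.strip()] = value.strip()
    return entries

def lint_html_messages(text):
    """Return {key: [problems]} for every *Html key with broken markup."""
    findings = {}
    for key, value in parse_properties(text).items():
        if not key.endswith("Html"):
            continue
        checker = TagChecker()
        checker.feed(value)
        checker.close()
        problems = checker.problems + [f"unclosed <{t}>" for t in checker.stack]
        if problems:
            findings[key] = problems
    return findings

if __name__ == "__main__":
    for key, problems in lint_html_messages(SAMPLE).items():
        print(key, problems)
```

Plain-text keys such as emailVerificationBody are skipped on purpose, since only the Html variants are rendered as markup.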
