XSS Injection on Custom New Universal Login Page

Overview

A security report was received describing a possible XSS injection in the log-out flow. The environment uses a custom login domain together with a customized New Universal Login page. With the following sample URL, the alert can be seen to trigger:

https://[CUSTOM_LOGIN_DOMAIN]/v2/logout?returnTo=%22%3E%3Cscript%3Ealert(%22Hello%20Attacker%22)%3C/script%3E%3C%3Ehttps://APP_DOMAIN.com

Applies To

  • Custom New Universal Login Page
  • XSS Injection

Solution

It is recommended to add the | escape filter to every variable output in the Liquid templates to avoid XSS attacks on the New Universal Login page. A sample showing how to escape the template variables is available in our documentation.
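As an added illustration (not code from the original article or from the login page product itself), the Python below lints a Liquid-style template for output tags that lack | escape, appends the filter where it is missing, and renders both versions against a value shaped like the payload in the report. The renderer is a toy subset of Liquid written for this example, html.escape stands in for Liquid's escape filter, and the template fragment and variable values are constructed samples.

```python
import html
import re
# Liquid output tag: {{ expression | filter | filter:arg }}
OUTPUT_TAG = re.compile(r"\{\{\s*(.*?)\s*\}\}")
ESCAPING_FILTERS = {"escape", "escape_once"}

def _split_output(expression):
    parts = [p.strip() for p in expression.split("|")]
    return parts[0], [f.split(":")[0].strip() for f in parts[1:]]

def find_unescaped_outputs(template):
    """Lint: return every output expression that carries no escaping filter."""
    unescaped = []
    for match in OUTPUT_TAG.finditer(template):
        variable, filters = _split_output(match.group(1))
        if not ESCAPING_FILTERS & set(filters):
            unescaped.append(variable)
    return unescaped

def harden(template):
    """Append `| escape` to every output tag that lacks an escaping filter."""
    def fix(match):
        _, filters = _split_output(match.group(1))
        if ESCAPING_FILTERS & set(filters):
            return match.group(0)
        return "{{ " + match.group(1) + " | escape }}"
    return OUTPUT_TAG.sub(fix, template)

def render(template, variables):
    """Toy renderer for {{ a.b }} / {{ a.b | escape }}; html.escape stands in for Liquid's filter."""
    def substitute(match):
        variable, filters = _split_output(match.group(1))
        value = variables
        for key in variable.split("."):
            value = value[key]
        if ESCAPING_FILTERS & set(filters):
            value = html.escape(str(value), quote=True)
        return str(value)
    return OUTPUT_TAG.sub(substitute, template)

# Constructed sample template: application.name is output raw, prompt.name escaped.
SAMPLE_TEMPLATE = ('<h1 class="title">{{ application.name }}</h1>\n'
                   '<div data-prompt="{{ prompt.name | escape }}"></div>')
# Constructed attacker-controlled value shaped like the payload in the report.
PAYLOAD = '"><script>alert("Hello Attacker")</script><>'
VARIABLES = {"application": {"name": PAYLOAD}, "prompt": {"name": PAYLOAD}}

if __name__ == "__main__":
    print(render(SAMPLE_TEMPLATE, VARIABLES))           # raw output: script tag survives
    print(render(harden(SAMPLE_TEMPLATE), VARIABLES))   # hardened: entities only
```

Running the lint against a real custom page template before publishing it surfaces every {{ ... }} that still emits user-influenced data unescaped.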
