In testing nightly openfire_2017-09-28.deb it is noted that suffixing the server name with "<plaintext> causes rendering issues in the console (see attached)
The server name should be escaped on display.
The server name validation should be enhanced further to exclude special characters(RFC1035 defined permitted characters and syntax).
This is a security concern but low risk. It may be an issue if combined with other security issues. e.g. It is noted many of the set-up screen values are also vulnerable to CSRF currently, but will raise separate tickets for those issues.
Specifically on the server-properties.jsp I have
xmpp.fqdn | debian2.surevine.net<plaintext> |
This corrupts the index.jsp page.
xmpp.domain similarly affected on index.jsp.
These properties also need escaping on dns-check.jsp and presumably elsewhere in the Admin console.