Upon switching to emails as usernames in login forms, in case of login failure I get the ${SPRING_SECURITY_LAST_USERNAME} email-username displayed with escape characters instead of the original @ . - etc. This is of course very user unfriendly.
I am aware of the character escaping done on SPRING_SECURITY_LAST_USERNAME attribute value due to possible XSS attacks:
https://jira.springsource.org/browse/SEC-1377
https://jira.springsource.org/browse/SEC-812
However this leaves me in kind of an odd position, where I have to choose between basic user friendliness and application security, while implementing a rather common feature which is email addresses as usernames.
It's somewhat peculiar - XSS attacks are common to all web apps, not just Spring Security. Is it actually possible that any web app that displays the attempted username-email is vulnerable to that attack?
I'll be happy to know if there is a way to resolve this without compromising security.
Yuval
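As an added illustration (not Spring Security's own code nor the poster's), the class below mirrors the numeric-entity escaping applied to the stored last-username value and simulates what a browser displays after one versus two rounds of escaping; the symptom described in the post is what you get when the view layer (for example a `c:out` tag) escapes a value that was already escaped when it was stored. The login strings are constructed samples.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class LastUsernameEscaping {

    // Escape every character except letters, digits and spaces as a numeric
    // entity. This is an illustration of the escaping style the post describes
    // for the session attribute, not Spring Security's implementation.
    static String escapeEntities(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (Character.isLetterOrDigit(c) || c == ' ') sb.append(c);
            else sb.append("&#").append((int) c).append(';');
        }
        return sb.toString();
    }

    // Simulate what the browser shows: one pass of decoding numeric entities.
    static String browserDisplay(String html) {
        Matcher m = Pattern.compile("&#(\\d+);").matcher(html);
        StringBuilder out = new StringBuilder();
        int last = 0;
        while (m.find()) {
            out.append(html, last, m.start()).append((char) Integer.parseInt(m.group(1)));
            last = m.end();
        }
        return out.append(html.substring(last)).toString();
    }

    // Would the browser still see raw markup in this output?
    static boolean containsRawTag(String html) {
        return html.indexOf('<') >= 0;
    }

    public static void main(String[] args) {
        String typed = "alice.o'neil@example.com";      // constructed sample login
        String payload = "<script>alert(1)</script>";  // constructed value the escaping must neutralise

        String stored = escapeEntities(typed);          // value as it sits in the session
        // Escaped once and emitted raw into the page: readable again.
        System.out.println(browserDisplay(stored));                 // alice.o'neil@example.com
        // Escaped a second time by the view layer: the entities themselves show up.
        System.out.println(browserDisplay(escapeEntities(stored))); // alice&#46;o&#39;neil&#64;example&#46;com
        // The stored form of a hostile value contains no raw tag, so it is inert.
        System.out.println(containsRawTag(escapeEntities(payload)));  // false
    }
}
```

The defensive rule this demonstrates is to escape exactly once, at the point where the value is written into HTML; a value that is stored already escaped must be emitted as-is rather than passed through a second escaping tag.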