XSS: sanitize more GFI content

3liz · Nov 7, 2024 · db36c55 · db36c55
1 parent 4d5bbf1
commit db36c55
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 20 deletions.
diff --git a/assets/src/legacy/map.js b/assets/src/legacy/map.js
@@ -2950,9 +2950,8 @@ window.lizMap = function() {
 
         // Query the server
         $.post(globalThis['lizUrls'].service, wmsOptions, function(data) {
-            aCallback(data);
+            aCallback(Utils.sanitizeGFIContent(data));
         });
-
     }
 
     // Get the popup content for a layer given a feature
@@ -3024,8 +3023,8 @@ window.lizMap = function() {
 
         // Query the server
         $.post(globalThis['lizUrls'].service, wmsOptions, function(data) {
-            if(aCallback){
-                aCallback(globalThis['lizUrls'].service, wmsOptions, data);
+            if (aCallback) {
+                aCallback(globalThis['lizUrls'].service, wmsOptions, Utils.sanitizeGFIContent(data));
             }
         });
     }

diff --git a/assets/src/modules/Popup.js b/assets/src/modules/Popup.js
@@ -9,7 +9,7 @@
 import { mainLizmap } from '../modules/Globals.js';
 import Overlay from 'ol/Overlay.js';
 import WMS from '../modules/WMS.js';
-import DOMPurify from 'dompurify';
+import Utils from '../modules/Utils.js';
 
 /**
  * @class
@@ -178,20 +178,7 @@ export default class Popup {
         document.getElementById('newOlMap').style.cursor = 'wait';
 
         wms.getFeatureInfo(wmsParams).then(response => {
-            DOMPurify.addHook('afterSanitizeAttributes', node => {
-                if (node.nodeName === 'IFRAME') {
-                    node.setAttribute('sandbox','allow-scripts allow-forms');
-                }
-            });
-            const sanitizedResponse = DOMPurify.sanitize(response, {
-                ADD_TAGS: ['iframe'],
-                ADD_ATTR: ['target'],
-                CUSTOM_ELEMENT_HANDLING: {
-                    tagNameCheck: /^lizmap-/,
-                    attributeNameCheck: /crs|bbox|edition-restricted|layerid|layertitle|uniquefield|expressionfilter|withgeometry|sortingfield|sortingorder|draggable/,
-                }
-            });
-            lizMap.displayGetFeatureInfo(sanitizedResponse, { x: xCoord, y: yCoord }, evt?.coordinate);
+            lizMap.displayGetFeatureInfo(Utils.sanitizeGFIContent(response), { x: xCoord, y: yCoord }, evt?.coordinate);
         }).finally(() => {
             document.getElementById('newOlMap').style.cursor = 'auto';
         });

diff --git a/assets/src/modules/Utils.js b/assets/src/modules/Utils.js
@@ -6,6 +6,7 @@
  */
 
 import { NetworkError, HttpError, ResponseError } from './Errors.js';
+import DOMPurify from 'dompurify';
 
 /**
  * The main utils methods
@@ -206,4 +207,20 @@ export default class Utils {
         const scale = resolution * inchesPerMeter * DPI * metersPerUnit;
         return scale;
     }
+
+    static sanitizeGFIContent(content) {
+        DOMPurify.addHook('afterSanitizeAttributes', node => {
+            if (node.nodeName === 'IFRAME') {
+                node.setAttribute('sandbox','allow-scripts allow-forms');
+            }
+        });
+        return DOMPurify.sanitize(content, {
+            ADD_TAGS: ['iframe'],
+            ADD_ATTR: ['target'],
+            CUSTOM_ELEMENT_HANDLING: {
+                tagNameCheck: /^lizmap-/,
+                attributeNameCheck: /crs|bbox|edition-restricted|layerid|layertitle|uniquefield|expressionfilter|withgeometry|sortingfield|sortingorder|draggable/,
+            }
+        });
+    }
 }
diff --git a/tests/qgis-projects/tests/xss.qgs.cfg b/tests/qgis-projects/tests/xss.qgs.cfg
@@ -59,7 +59,7 @@
         "atlasFeatureLabel": "description",
         "atlasSortField": "id",
         "atlasHighlightGeometry": "False",
-        "atlasDisplayPopup": "False",
+        "atlasDisplayPopup": "True",
         "atlasTriggerFilter": "False",
         "atlasDuration": 5,
         "atlasEnabled": "True",