diff --git a/assets/src/legacy/map.js b/assets/src/legacy/map.js
index d4a612a07e..dd2ea7437b 100644
--- a/assets/src/legacy/map.js
+++ b/assets/src/legacy/map.js
@@ -2950,9 +2950,8 @@ window.lizMap = function() {
         // Query the server
         $.post(globalThis['lizUrls'].service, wmsOptions, function(data) {
-            aCallback(data);
+            aCallback(Utils.sanitizeGFIContent(data));
         });
-
     }
     // Get the popup content for a layer given a feature
@@ -3024,8 +3023,8 @@ window.lizMap = function() {
         // Query the server
         $.post(globalThis['lizUrls'].service, wmsOptions, function(data) {
-            if(aCallback){
-                aCallback(globalThis['lizUrls'].service, wmsOptions, data);
+            if (aCallback) {
+                aCallback(globalThis['lizUrls'].service, wmsOptions, Utils.sanitizeGFIContent(data));
             }
         });
     }
diff --git a/assets/src/modules/Popup.js b/assets/src/modules/Popup.js
index 597b31b73e..d03badbc6f 100644
--- a/assets/src/modules/Popup.js
+++ b/assets/src/modules/Popup.js
@@ -9,7 +9,7 @@ import { mainLizmap } from '../modules/Globals.js';
 import Overlay from 'ol/Overlay.js';
 import WMS from '../modules/WMS.js';
-import DOMPurify from 'dompurify';
+import Utils from '../modules/Utils.js';
 /**
  * @class
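Review bot: Both map.js hunks now route `data` through `Utils.sanitizeGFIContent` before invoking the callback, but nothing in the visible map.js section adds an `import Utils from '../modules/Utils.js'`, so either Utils is already in scope in this legacy file or the sanitizer call would fail with a ReferenceError at runtime — worth confirming, since that call is the security fix. `DOMPurify.sanitize` also stringifies whatever it receives, so if `wmsOptions` (built outside the hunk) ever requests a non-HTML INFO_FORMAT, callers would now get a mangled string rather than the raw response; if every GetFeatureInfo request here is HTML, a comment such as `// data is text/html GetFeatureInfo output: sanitize before handing it to callers` at the sanitizer call would record that assumption. Both enclosing functions start outside their hunks.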
@@ -178,20 +178,7 @@ export default class Popup {
             document.getElementById('newOlMap').style.cursor = 'wait';
             wms.getFeatureInfo(wmsParams).then(response => {
-                DOMPurify.addHook('afterSanitizeAttributes', node => {
-                    if (node.nodeName === 'IFRAME') {
-                        node.setAttribute('sandbox','allow-scripts allow-forms');
-                    }
-                });
-                const sanitizedResponse = DOMPurify.sanitize(response, {
-                    ADD_TAGS: ['iframe'],
-                    ADD_ATTR: ['target'],
-                    CUSTOM_ELEMENT_HANDLING: {
-                        tagNameCheck: /^lizmap-/,
-                        attributeNameCheck: /crs|bbox|edition-restricted|layerid|layertitle|uniquefield|expressionfilter|withgeometry|sortingfield|sortingorder|draggable/,
-                    }
-                });
-                lizMap.displayGetFeatureInfo(sanitizedResponse, { x: xCoord, y: yCoord }, evt?.coordinate);
+                lizMap.displayGetFeatureInfo(Utils.sanitizeGFIContent(response), { x: xCoord, y: yCoord }, evt?.coordinate);
             }).finally(() => {
                 document.getElementById('newOlMap').style.cursor = 'auto';
             });
diff --git a/assets/src/modules/Utils.js b/assets/src/modules/Utils.js
index 8ab201e08e..279b10248c 100644
--- a/assets/src/modules/Utils.js
+++ b/assets/src/modules/Utils.js
@@ -6,6 +6,7 @@
  */
 import { NetworkError, HttpError, ResponseError } from './Errors.js';
+import DOMPurify from 'dompurify';
 /**
  * The main utils methods
@@ -206,4 +207,20 @@ export default class Utils {
         const scale = resolution * inchesPerMeter * DPI * metersPerUnit;
         return scale;
     }
+
+    static sanitizeGFIContent(content) {
+        DOMPurify.addHook('afterSanitizeAttributes', node => {
+            if (node.nodeName === 'IFRAME') {
+                node.setAttribute('sandbox','allow-scripts allow-forms');
+            }
+        });
+        return DOMPurify.sanitize(content, {
+            ADD_TAGS: ['iframe'],
+            ADD_ATTR: ['target'],
+            CUSTOM_ELEMENT_HANDLING: {
+                tagNameCheck: /^lizmap-/,
+                attributeNameCheck: /crs|bbox|edition-restricted|layerid|layertitle|uniquefield|expressionfilter|withgeometry|sortingfield|sortingorder|draggable/,
+            }
+        });
+    }
 }
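Review bot: The `wms.getFeatureInfo(wmsParams).then(...).finally(...)` chain kept on the new side has no rejection handler, so a failed GetFeatureInfo request becomes an unhandled promise rejection after `finally` has reset the cursor. Unless the caller attaches a handler outside the hunk, inserting `.catch(err => console.error('GetFeatureInfo failed', err))` between the `then` and the `finally` makes the failure visible without touching the sanitized happy path. The enclosing method starts before the hunk.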
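Review bot: `sanitizeGFIContent` calls `DOMPurify.addHook` on every invocation, and `addHook` appends to the hook list of the shared default DOMPurify instance, so the `afterSanitizeAttributes` hook accumulates one copy per GetFeatureInfo request and every copy runs on every later `sanitize` call; the removed Popup.js code had the same pattern, but now that the legacy map.js callbacks also go through this helper the growth is unbounded across the session. Registering the hook once at module level, right after the new `import DOMPurify` line, and leaving only the `sanitize` call in the method fixes that and keeps the iframe `sandbox` enforcement in effect for every sanitize on that instance. Separately, `attributeNameCheck` is unanchored, so any attribute on a `lizmap-*` element whose name merely contains one of the listed words passes the custom-element check; anchoring it as `/^(crs|bbox|…|draggable)$/` limits it to the intended names, assuming the components take no other attributes (I can't tell from here). The new method also has no JSDoc; a header stating that it returns sanitized GetFeatureInfo HTML, that iframes are kept but forced into `sandbox="allow-scripts allow-forms"`, and that `lizmap-*` custom elements keep only the listed attributes would help callers in both modules.
```javascript
import DOMPurify from 'dompurify';

// Register once: DOMPurify hooks are appended to the shared instance,
// so registering inside sanitizeGFIContent would add a copy per call.
DOMPurify.addHook('afterSanitizeAttributes', node => {
    if (node.nodeName === 'IFRAME') {
        node.setAttribute('sandbox','allow-scripts allow-forms');
    }
});

// … unchanged: Utils class body up to sanitizeGFIContent …

    /**
     * Sanitize a GetFeatureInfo HTML response before it is injected into the DOM.
     * Iframes are kept but forced into sandbox="allow-scripts allow-forms" by the
     * module-level hook; lizmap-* custom elements keep only the listed attributes.
     * @param {string} content - raw GetFeatureInfo response
     * @returns {string} sanitized HTML
     */
    static sanitizeGFIContent(content) {
        return DOMPurify.sanitize(content, {
            ADD_TAGS: ['iframe'],
            ADD_ATTR: ['target'],
            CUSTOM_ELEMENT_HANDLING: {
                tagNameCheck: /^lizmap-/,
                attributeNameCheck: /crs|bbox|edition-restricted|layerid|layertitle|uniquefield|expressionfilter|withgeometry|sortingfield|sortingorder|draggable/,
            }
        });
    }
// … unchanged: end of class …
```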
diff --git a/tests/qgis-projects/tests/xss.qgs.cfg b/tests/qgis-projects/tests/xss.qgs.cfg
index 9f55f9c7e2..c5c9b8ee1f 100644
--- a/tests/qgis-projects/tests/xss.qgs.cfg
+++ b/tests/qgis-projects/tests/xss.qgs.cfg
@@ -59,7 +59,7 @@
         "atlasFeatureLabel": "description",
         "atlasSortField": "id",
         "atlasHighlightGeometry": "False",
-        "atlasDisplayPopup": "False",
+        "atlasDisplayPopup": "True",
         "atlasTriggerFilter": "False",
         "atlasDuration": 5,
         "atlasEnabled": "True",