PB 2553: stopping XSS attacks by whitelisting#1582

Open
ltkum wants to merge 1 commit intodevelopfrom
fix-PB-2253-whitelisting-only-some-urls-for-apis

Conversation

Contributor

@ltkum ltkum commented Apr 17, 2026

  • Issue: The api_url, wms_url and wmts_url params can currently receive any URL as values, which means a malicious party could use them as an attack vector. This is especially true for api_url, which can send HTML back and is needed to operate that way.
  • Fix: We have made regexes which enforce a whitelist on those parameters. As we need external sources' HTML to be rendered (for the feature information, for example), we sadly can't sanitize the HTML given to us without breaking a lot of currently working layers. We can only limit the sources and hope they don't provide malicious content.

Test link
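
The allowlisting described in this PR, as an added example that is not the project's code: the PR uses regexes, while this version parses each parameter with the URL API so the host comparison is exact and the scheme and userinfo are checked explicitly. The allowed hostnames and the query string are constructed placeholders, not the project's real list.

```javascript
// Added example (not web-mapviewer's code): allowlist-validate the
// api_url / wms_url / wmts_url query parameters before they are used.
// ALLOWED_HOSTS is a constructed placeholder, not the project's real list.
const ALLOWED_HOSTS = ['api.example.org', 'wms.example.org'];

// Returns true only for an absolute https URL whose hostname is exactly
// one of the allowed hosts. Parsing with URL (instead of a bare regex)
// means "api.example.org.evil.test" or "evil.test/?u=api.example.org"
// cannot pass as a lookalike, and javascript:/data:/http: are refused.
function isAllowedUrl(value, allowedHosts = ALLOWED_HOSTS) {
    let url;
    try {
        url = new URL(value);            // throws on relative or malformed input
    } catch {
        return false;
    }
    if (url.protocol !== 'https:') return false;     // scheme allowlist
    if (url.username || url.password) return false;  // no user@host forms
    // URL already lower-cases the hostname; compare the whole host, not a prefix
    return allowedHosts.includes(url.hostname);
}

// Reads the named URL parameters from a query string and keeps only the
// values that pass isAllowedUrl; everything else is dropped silently so
// the caller never sees an untrusted source.
function readAllowedParams(query, names = ['api_url', 'wms_url', 'wmts_url']) {
    const params = new URLSearchParams(query);
    const result = {};
    for (const name of names) {
        const value = params.get(name);
        if (value !== null && isAllowedUrl(value)) {
            result[name] = value;
        }
    }
    return result;
}

// Constructed sample query: one allowed source, one foreign host, one empty value.
const SAMPLE_QUERY =
    '?api_url=https%3A%2F%2Fapi.example.org%2Fx' +
    '&wms_url=https%3A%2F%2Fother.test%2F' +
    '&wmts_url=';

console.log(readAllowedParams(SAMPLE_QUERY)); // only api_url survives
```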

@ltkum ltkum requested a review from schtibe April 17, 2026 18:37
@github-actions github-actions bot added the bug label Apr 17, 2026
@ltkum ltkum force-pushed the fix-PB-2253-whitelisting-only-some-urls-for-apis branch from b4fccb7 to 4b9e83d Compare April 17, 2026 18:38

cypress bot commented Apr 17, 2026

web-mapviewer    Run #6529

Run Properties:
Run status: Failed #6529
Project: web-mapviewer
Branch: fix-PB-2253-whitelisting-only-some-urls-for-apis
Run duration: 08m 31s
Commit: 4b9e83d343: PB 2553: stopping XSS attacks by whitelisting
Committer: Martin Künzi

Test results
Failed: 34
Flaky: 0
Pending (tests annotated with .skip): 20
Skipped (not run because a mocha hook failed): 2
Passing: 225

Tests for review

Failed  3d/layers.cy.js • 10 failed tests • e2e/chrome/mobile
  Test of layer handling in 3D > add layer from search bar
  Test of layer handling in 3D > sets the opacity to the value defined in the layers URL param or menu UI
  Test of layer handling in 3D > sets the timestamp of a layer when specified in the layers URL param
  Test of layer handling in 3D > reorders visible layers when corresponding buttons are pressed
  Test of layer handling in 3D > add GeoJson layer with opacity from URL param
  Test of layer handling in 3D > removes a layer from the visible layers when the "remove" button is pressed
  Test of layer handling in 3D > uses the 3D configuration of a layer if one exists
  Test of layer handling in 3D > add KML layer from drawing
  Test of layer handling in 3D > Verify layer features in 2D and 3D
  Test of layer handling in 3D > Verify a layer with EPSG:4326(WEBMERCATOR) bounding box in 2D and 3D

Failed  importToolFile.cy.js • 1 failed test • e2e/chrome/mobile
  The Import File Tool > Import KML file

Failed  geolocation.cy.js • 5 failed tests • e2e/chrome/mobile
  Geolocation cypress > Test geolocation when first time activating it > Prompt the user to authorize geolocation when the geolocation button is clicked for the first time on 3D Map
  Geolocation cypress > Test geolocation when geolocation is authorized > Doesn't prompt the user if geolocation has previously been authorized on 3D Map
  Geolocation cypress > Test geolocation when geolocation is failed to be retrieved > shows an error telling the user geolocation is denied on 3D Map
  Geolocation cypress > Test geolocation when geolocation is failed to be retrieved > shows an alert telling the user geolocation is not able to be retrieved due to time out on 3D Map
  Geolocation cypress > Test geolocation when geolocation is failed to be retrieved > shows an alert telling the user geolocation is not available for other reason on 3D Map

Failed  3d/transitionTo3d.cy.js • 6 failed tests • e2e/chrome/mobile
  Testing transitioning between 2D and 3D > 3D toggle button > activates 3D when we click on the 3D toggle button
  Testing transitioning between 2D and 3D > 3D toggle button > shows the users that 3D is active by changing its color
  ... > adds the 3D URL param to the URL when it is activated
  ... > correctly parses the 3D param at startup if present
  ... > parses the camera URL param correctly at app startup
  Testing transitioning between 2D and 3D > transition to 3D > translates 2D position correctly

Failed  legacyParamImport.cy.js • 3 failed tests • e2e/chrome/mobile
  Test on legacy param import > 3D import > transfers camera parameter from legacy URL to the new URL
  Test on legacy param import > 3D import > transfers camera parameter from legacy URL to the new URL only heading
  Test on legacy param import > 3D import > transfers camera parameter from legacy URL to the new URL only elevation

The first 5 failed specs are shown, see all 11 specs in Cypress Cloud.
