How to secure custom HTML before passing it as "htmlContent" to an InfoBox Option

  • Question

  • Hello,

    Here is an example suggested in the official Bing Maps V8 documentation for using custom HTML in infoboxes:

    // ... Define an HTML template for a custom infobox.
    var infoboxTemplate = '<div class="customInfobox"><div class="title">{title}</div>{description}</div>';
    // ...

    // ... Pass the title and description into the template and pass it into the infobox as an option.
    var infobox = new Microsoft.Maps.Infobox(center, {
        htmlContent: infoboxTemplate.replace('{title}', title).replace('{description}', description)
    });
    // ...

    Is there a way in Bing Maps V8 to sanitize (against XSS attacks) the HTML produced by a server before passing it as "htmlContent" to the infobox options?

    Many thanks for your help.

    HK

    Thursday, October 20, 2016 11:15 AM

All replies

  • You have full control over the HTML and content that goes into the infobox. Bing Maps doesn't need to do any sanitization as it is up to you what the HTML will do. This shouldn't be an issue unless you have a way for 3rd parties to pass in the title/description information that is used by the infobox. If you do, then that is where the XSS issue is and not Bing Maps. Honestly, if someone has enough access to do XSS through the infobox, they likely already have access to all the code in your site. It's highly unlikely that the infobox would be the point of origin for an XSS attack. If instead you were pulling data from a 3rd party and it included HTML and you passed it into the infobox, then XSS could occur, but at that point the issue is that the 3rd party data wasn't sanitized before it made it to the client in the first place.

    Thursday, October 20, 2016 6:22 PM
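One way to do the sanitization this answer leaves to the application, as an added example that is not from the thread or from the Bing Maps SDK: keep the template trusted and treat the title and description as untrusted text, escaping them before they are substituted. The template is the one from the question; the helper names (escapeHtml, renderInfobox, naiveRender, buildSafeHtml) and the sample data are constructed for this example.

```javascript
// Added example (not from the thread or the Bing Maps SDK): the infobox
// template stays trusted, the title and description are treated as untrusted
// text and HTML-escaped before they are spliced in.

// Characters that can change HTML structure or break out of an attribute.
var ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;'
};

// Escape a value so the browser renders it as literal text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, function (ch) {
    return ESCAPE_MAP[ch];
  });
}

// The template from the question: this markup is yours and is trusted.
var infoboxTemplate =
  '<div class="customInfobox"><div class="title">{title}</div>{description}</div>';

// Substitute every {name} placeholder in one pass, escaping each value.
// A function replacer is used on purpose: with a string replacement,
// String.prototype.replace expands "$&", "$'", "$`" and "$1" found in the
// data, so a description containing "$'" would splice in the tail of the
// template. A single pass also means a value that itself contains
// "{description}" is never re-substituted by a later replace() call.
function renderInfobox(template, fields) {
  return template.replace(/\{(\w+)\}/g, function (match, name) {
    return Object.prototype.hasOwnProperty.call(fields, name)
      ? escapeHtml(fields[name])
      : match; // unknown placeholder: leave it visible rather than drop it
  });
}

// The chained replace() exactly as written in the question, kept only to
// contrast its behaviour with renderInfobox on the same input.
function naiveRender(template, title, description) {
  return template.replace('{title}', title).replace('{description}', description);
}

// Constructed sample data standing in for what the server returns.
var sample = {
  title: 'Caf\u00e9 "Mozart"',
  description: '<b>not bold</b> & $\' $& 1 < 2'
};

// The string that would be passed as htmlContent; returned so it can be checked.
function buildSafeHtml() {
  return renderInfobox(infoboxTemplate, sample);
}

// In the page itself (browser only, not run here):
//   var infobox = new Microsoft.Maps.Infobox(center, { htmlContent: buildSafeHtml() });
```

With this, tags, quotes and `$` sequences in the server data arrive in the infobox as visible text rather than as markup or template fragments. Escaping at the point of substitution protects the sink whatever the data's origin; it does not by itself address data being altered in transit, which is a transport-security matter.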
  • Hello Ricky,

    Thanks for your answer, but the sanitization does not seem to help much against XSS attacks because, after doing it, the scan of the code with a dedicated tool is still warning about the same risk.

    HK

    Monday, October 24, 2016 10:20 AM
  • If you are pulling in data from an insecure location and passing it into the infobox like this, then it would be a potential XSS issue. Worth noting that every major online mapping platform supports passing HTML into infoboxes/popup windows. That said, if dangerous code is capable of making it to the infobox in your application then it likely can just as easily access the document object instead if it wanted. Basically, if your application does experience an XSS, it won't be because of the infobox.


    Monday, October 24, 2016 5:34 PM
  • Ricky,

    The data to be displayed via innerHTML is coming from our app, so it is fine and secure on our server.

    But a hacker might substitute it with malicious data while on the wire and then it is displayed by innerHTML.

    We have the problem that a client wants to see an HP Fortify scan result, and this source code line is one of the bad results: loading dynamic content (the infobox shows content regarding the location clicked) from the server.

    Calle

    Tuesday, November 1, 2016 4:46 PM