From 2ca74aad0d1d22fb24e90ed3f3110190f239503f Mon Sep 17 00:00:00 2001
From: Zac Poorman <33203487+OOCAZ@users.noreply.github.com>
Date: Wed, 15 Mar 2023 12:05:30 -0600
Subject: [PATCH 1/2] pathced XSS vector through sanitizing
---
apps/SentinelWMTS/SentinelWMTS.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/SentinelWMTS/SentinelWMTS.js b/apps/SentinelWMTS/SentinelWMTS.js
index 85e9a9486..9a6a7382d 100644
--- a/apps/SentinelWMTS/SentinelWMTS.js
+++ b/apps/SentinelWMTS/SentinelWMTS.js
@@ -105,7 +105,7 @@ define(['../../src/WorldWind',
var allWmtsLayers = wmtsCapabilities.getLayers();
for (var i = 0; i < allWmtsLayers.length; i++) {
var layerItem = $('
' + allWmtsLayers[i].titles[0].value + '');
- ulItem.append(layerItem);
+ ulItem.append(decodeUri(layerItem));
}
ulItem = $('');
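Review bot: The added `decodeUri(layerItem)` does not close the injection: the untrusted `allWmtsLayers[i].titles[0].value` is still concatenated into the markup string handed to `$()` two lines earlier, so the HTML parser has already consumed it before this call runs, and URI-decoding is not HTML encoding in any case (the same construction is carried forward unchanged into the second patch's hunk at line 106). `decodeUri` is also not a standard global (the built-in is `decodeURI`), so unless the file defines it elsewhere this line throws a ReferenceError at runtime and the layer list is never populated. The defensible form builds the element from the static markup alone and inserts the title as a text node, e.g. `var layerItem = $(/* static element markup only */).text(allWmtsLayers[i].titles[0].value);` followed by `ulItem.append(layerItem);` — jQuery's `.text()` never parses its argument as HTML. The enclosing function and the `define` callback both start outside the hunk.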
From 4ec22e547dd19bf515ff6d28dedbf563cbf5154a Mon Sep 17 00:00:00 2001
From: Zac Poorman <33203487+OOCAZ@users.noreply.github.com>
Date: Wed, 15 Mar 2023 12:18:47 -0600
Subject: [PATCH 2/2] xss fix with ESAPI
---
apps/SentinelWMTS/SentinelWMTS.js | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/apps/SentinelWMTS/SentinelWMTS.js b/apps/SentinelWMTS/SentinelWMTS.js
index 9a6a7382d..95182a149 100644
--- a/apps/SentinelWMTS/SentinelWMTS.js
+++ b/apps/SentinelWMTS/SentinelWMTS.js
@@ -25,6 +25,7 @@
* WebWorldWind can be found in the WebWorldWind 3rd-party notices and licenses
* PDF found in code directory.
*/
+var ESAPI = require('node-esapi');
define(['../../src/WorldWind',
'../util/GoToBox',
'../util/LayersPanel',
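Review bot: `var ESAPI = require('node-esapi');` sits ahead of a `define([...])` AMD module that appears to be browser code, where a synchronous CommonJS `require` is not defined; if RequireJS supplies a global `require`, a single-string call like this throws unless the module has already been loaded, and `node-esapi`, as its name suggests, is a Node.js package rather than a browser one. If an encoder is genuinely needed it should be declared as an AMD dependency in the `define` array alongside `'../../src/WorldWind'` and recorded in the project's dependency manifest, which this patch does not touch; otherwise the requirement can be dropped in favour of jQuery's `.text()` for the untrusted title. The `define` call continues outside the hunk.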
@@ -105,7 +106,7 @@ define(['../../src/WorldWind',
var allWmtsLayers = wmtsCapabilities.getLayers();
for (var i = 0; i < allWmtsLayers.length; i++) {
var layerItem = $('' + allWmtsLayers[i].titles[0].value + '');
- ulItem.append(decodeUri(layerItem));
+ ulItem.append('url(<%=ESAPI.encoder().encodeForJS(ESAPI.encoder().encodeForURL(layerItem))%>)');
}
ulItem = $('');
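Review bot: The new `ulItem.append('url(<%=ESAPI.encoder().encodeForJS(ESAPI.encoder().encodeForURL(layerItem))%>)')` is a plain string literal in a .js file, so the `<%= … %>` template tag is never evaluated and ESAPI's encoder is never invoked; what gets appended is the literal text `url(<%=…%>)`, and `layerItem` itself is no longer added to the list at all. The injection point is the line above, where `allWmtsLayers[i].titles[0].value` is still concatenated into the markup passed to `$()`, and that line is unchanged. Even had the encoder run, `encodeForURL`/`encodeForJS` are the wrong output contexts for an HTML element body. The fix belongs on the construction line: `var layerItem = $(/* static element markup only */).text(allWmtsLayers[i].titles[0].value);` followed by `ulItem.append(layerItem);`. The `for` loop is fully visible but its enclosing function starts outside the hunk.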