|
Repo Added
|
Files
1729
|
Badge
README BADGES
|
push
github
Fix #12618: preserve and scope <style> in HTML GetFeatureInfo responses (#12632) (#12639) * Fix #12618: preserve and scope <style> in HTML GetFeatureInfo responses DOMPurify parses input as a full document, so the leading <style> block of a WMS GetFeatureInfo HTML response was hoisted into <head> and then discarded, leaving the featureInfo table unstyled. Add FORCE_BODY so the allowlisted <style> element is preserved. Since this makes the CSS-sanitizing hook load-bearing, harden it against external-resource loaders in a malicious style block: CSS backslash escapes smuggling url() past the regex (decoded first, with the full CSS whitespace terminator set), and image-set() which loads URLs without a url() token. Render the GetFeatureInfo HTML through a new ShadowHtml component (shadow root) so the preserved WMS <style> block is scoped to the identify panel instead of leaking into and restyling the whole application. HTML is still sanitized with DOMPurify before injection; the shadow root isolates CSS, it is not a script security boundary. * Apply suggestions from code review * Apply suggestion from @offtherailz * Apply suggestion from @offtherailz --------- (cherry picked from commit 1fa3ea5a7) Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
35718 of 56445 branches covered (63.28%)
17 of 18 new or added lines in 3 files covered. (94.44%)
44492 of 58839 relevant lines covered (75.62%)
122.48 hits per line
| Coverage | ∆ | File | Lines | Relevant | Covered | Missed | Hits/Line | Branch Hits | Branch Misses |
|---|