generate popup contents without string concat.

[jackharrhy]

What I am changing

• Previous version of popup content generation is vulnerable to XSS attacks due to crafting raw HTML from feature properties.

How I did it

• Instead of generating the popup contents from string concatenation, generate from using document.... APIs instead
• This method of creating content, while more verbose, should not be vulnerable to XSS due to any feature content being added as innerText

How you can test it

Insert this table into the db:

CREATE TABLE xss (name varchar primary key, geom geometry, description varchar);
INSERT INTO xss VALUES ('XSS Test', 'POINT(0 0)', '<p onclick="alert(1)">click me!</p>');

Navigate to http://localhost:8000/collections/public.xss/items/XSS%20Test

On current main: notice that clicking on the popup, and then clicking on the text, will popup with an alert:

On this branch, the popup will render the true contents, and is not clickable as before:

[jackharrhy]

fyi @krishnaglodha

[krishnaglodha]

Ohh I see. This one makes more sense. Thanks a lot for clarification

[vincentsarago]

🥳 thanks @jackharrhy could you update https://github.com/developmentseed/tipg/blob/main/CHANGES.md?plain=1#L15 to add link to this PR and your name as co-author of this feature 🙏

[jackharrhy]

done @vincentsarago

[vincentsarago]

🥳