It was brought up today that it could be possible for data providers to return HTML within name strings.
In particular, malicious tags such as <script src="attack.js" />could cause problems for browsers consuming the data who are not following security best practices (eg. using dangerouslySetInnerHTML in React).
It might be worth us stripping HTML from all fields which could be rendered in the browser.
A SQL query against WOF didn't find any HTML elements, I also tried to check OSM but didn't find any, although I don't doubt nefarious people edit OSM for this purpose.
It was brought up today that it could be possible for data providers to return HTML within name strings.
In particular, malicious tags such as
<script src="attack.js" />
could cause problems for browsers consuming the data who are not following security best practices (eg. usingdangerouslySetInnerHTML
in React).It might be worth us stripping HTML from all fields which could be rendered in the browser.
A SQL query against WOF didn't find any HTML elements, I also tried to check OSM but didn't find any, although I don't doubt nefarious people edit OSM for this purpose.