wiedehopf / tar1090

Provides an improved webinterface for use with ADS-B decoders readsb / dump1090-fa

Support share links on local installs and switch the parameter building to URLSearchParams #150

Closed lart2150 closed 2 years ago

lart2150 commented 2 years ago
wiedehopf commented 2 years ago

What is this injection stuff you're talking about?

URLSearchParams is encoding a colon I use for some human-readable times in the URL; the colons work fine, I'd rather not encode them.

lart2150 commented 2 years ago

I don't know if there is a real attack vector, but if you somehow got a plane icao with the value "abc&a=b" it would inject a=b into the search params, or if the value was "abc#" none of the extra parameters would work.

I could switch it to use encodeURIComponent instead of URLSearchParams. https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent
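
The three approaches discussed in this thread side by side, as an added example that is not tar1090's code (the helper names, the parameter set and the hostile ICAO values are this example's own constructions): manual concatenation keeps the order and the readable colons but pastes values in verbatim, `URLSearchParams` neutralises the value but turns `12:34` into `12%3A34`, and an ordered build that runs each value through `encodeURIComponent` and then restores `:` keeps both properties. A small `parseQuery` helper mimics how a browser would read the result back, so the injected `a=b` and the `#` truncation are visible as data rather than as a story.

```javascript
// Added example, not code from the tar1090 project. Demonstrates how an ICAO
// value containing "&" or "#" behaves in a hand-built query string versus
// URLSearchParams versus an ordered build with per-value encoding.
// Parameter names below mirror the share links in the thread; "startTime"
// and the hostile values are assumptions made up for this example.

// 1. Manual concatenation: order and ":" preserved, value pasted verbatim.
function buildNaive(params) {
  return Object.entries(params)
    .map(([k, v]) => `${k}=${v}`)
    .join('&');
}

// 2. URLSearchParams: "&", "#", "=" in values are neutralised, but the
//    form-encoding serializer also percent-encodes ":" (as %3A).
function buildWithURLSearchParams(params) {
  return new URLSearchParams(params).toString();
}

// 3. Ordered hand-built query with per-value encodeURIComponent, then ":"
//    restored. ":" is permitted unescaped inside a query (RFC 3986 pchar),
//    so times stay readable while "&", "#", "=", "?" cannot break the link.
function encodeValue(v) {
  return encodeURIComponent(String(v)).replace(/%3A/gi, ':');
}
function buildReadable(params) {
  return Object.entries(params)
    .map(([k, v]) => `${k}=${encodeValue(v)}`)
    .join('&');
}

// Read a query string back the way a browser would: everything after the
// first "#" is the fragment and never reaches the query parser.
function parseQuery(query) {
  const hash = query.indexOf('#');
  const beforeFragment = hash === -1 ? query : query.slice(0, hash);
  return Object.fromEntries(new URLSearchParams(beforeFragment));
}

// Constructed sample input: a share link like the ones in the thread, with a
// human-readable time, plus two hostile ICAO values from the discussion.
const benign = {
  icao: 'ad6df0', lat: '40.502', lon: '-74.366', zoom: '8.0',
  showTrace: '2021-09-26', startTime: '12:34',
};
const hostile = { ...benign, icao: 'abc&a=b' };   // injects a=b when pasted raw
const truncating = { ...benign, icao: 'abc#' };   // drops everything after it

function demo() {
  return {
    naiveBenign: buildNaive(benign),
    naiveHostile: parseQuery(buildNaive(hostile)),          // has a: 'b'
    naiveTruncated: parseQuery(buildNaive(truncating)),     // lat is gone
    searchParams: buildWithURLSearchParams(benign),         // startTime=12%3A34
    readableBenign: buildReadable(benign),                  // identical to naive
    readableHostile: parseQuery(buildReadable(hostile)),    // icao is the whole string
    readableTruncated: parseQuery(buildReadable(truncating)), // lat survives
  };
}

console.log(demo());
```

For benign values `buildReadable` produces byte-for-byte the same string as the manual build, so the existing link format and ordering are unchanged; only a value that actually carries a reserved character gets escaped.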

wiedehopf commented 2 years ago

Yeah, I don't see how any of this is really an attack vector. Honestly, building the string manually suits me very well as I REALLY like human-readable URLs.

The ordering was also specifically selected, for example for https://globe.adsbexchange.com/?replay as well as for https://globe.adsbexchange.com/?icao=ad6df0&lat=40.502&lon=-74.366&zoom=8.0&showTrace=2021-09-26

At least for the somewhat advanced user it should be obvious what it does and how to manipulate it to do what you want.

Can you split out the shareURL stuff and just keep the old boring string building I'm doing? Or figure out how to keep the colons and the order (in every browser) ... not sure if that's even possible or worth the effort. If someone gives you a bad link ... someone gives you a bad link; there are much more dangerous things than creating a broken adsbexchange link. Icaos don't have = in them, I can guarantee that from the JavaScript.

Sorry to be insistent about this; it's really a nice cleanup, but if it doesn't keep the existing intent of the code I can't use it.

lart2150 commented 2 years ago

I get it. I changed it to be much closer to how it originally was.

wiedehopf commented 2 years ago

Also fixed /?replay for non-60-second intervals. I'd highly recommend something like

    --heatmap 18 \
    --json-trace-interval 20 \

It records nice data for /?replay