While working with WMS GetFeatureInfo responses in HTML format, I've noticed that the default FreeMarker templates could probably be improved in terms of security. In practice, as far as I can see, there is no HTML escaping of feature values in the HTML produced. Looking at the files in https://github.com/geoserver/geoserver/tree/master/src/wms/src/main/resources/org/geoserver/wms/featureinfo and, for example, content.ftl, I see:

  <td>${feature.fid}</td>
  <#list feature.attributes as attribute>
    <#if !attribute.isGeometry>
      <td>${attribute.value?string}</td>
    </#if>
  </#list>

Shouldn't these values be HTML encoded, to prevent JavaScript injection for instance? Starting from version 2.3.24 (GeoServer's pom.xml in master currently refers to 2.3.18), FreeMarker supports an auto-escaping mode which seems applicable: http://freemarker.org/docs/dgui_misc_autoescaping.html. What do you think of upgrading to the latest stable version of FreeMarker and escaping all data coming from feature values in HTML GetFeatureInfo?
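The difference the post is asking about, shown as an added example that is not GeoServer's or FreeMarker's own code: the same row expressions as in content.ftl are rendered twice, once with a default FreeMarker Configuration (no escaping, as today) and once with the HTML output format from 2.3.24+, which auto-escapes every ${...}. The feature model, the attribute value containing markup characters and the class name are constructed for the demo; FreeMarker 2.3.24 or newer is assumed on the classpath.

```java
// Added example, not GeoServer's code. Assumes FreeMarker >= 2.3.24.
import freemarker.core.HTMLOutputFormat;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class FeatureInfoEscapingDemo {

    // Same expressions as the content.ftl row quoted in the post; only the
    // surrounding <tr> is added so the output is one complete table row.
    static final String ROW_TEMPLATE =
        "<tr><td>${feature.fid}</td>"
      + "<#list feature.attributes as attribute>"
      + "<#if !attribute.isGeometry><td>${attribute.value?string}</td></#if>"
      + "</#list></tr>";

    // Constructed model shaped like the one GetFeatureInfo hands to the template:
    // one feature with a non-geometry attribute whose value contains markup
    // characters, and one geometry attribute that the template skips.
    static Map<String, Object> sampleModel() {
        Map<String, Object> name = new HashMap<>();
        name.put("name", "name");
        name.put("isGeometry", false);
        name.put("value", "<b>Main St</b> & \"Broad\" Ave"); // constructed sample value

        Map<String, Object> geom = new HashMap<>();
        geom.put("name", "the_geom");
        geom.put("isGeometry", true);
        geom.put("value", "POINT (1 2)");

        List<Map<String, Object>> attributes = new ArrayList<>();
        attributes.add(name);
        attributes.add(geom);

        Map<String, Object> feature = new HashMap<>();
        feature.put("fid", "roads.1");
        feature.put("attributes", attributes);

        Map<String, Object> model = new HashMap<>();
        model.put("feature", feature);
        return model;
    }

    // Parses ROW_TEMPLATE under the given Configuration and renders the model.
    static String render(Configuration cfg, Map<String, Object> model)
            throws IOException, TemplateException {
        Template t = new Template("content.ftl", new StringReader(ROW_TEMPLATE), cfg);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws IOException, TemplateException {
        Map<String, Object> model = sampleModel();

        // 1. Default Configuration: ${...} writes the value verbatim, so the
        //    <b> tag, the ampersand and the quotes land in the page as markup.
        Configuration plain = new Configuration(Configuration.VERSION_2_3_24);
        System.out.println("no escaping:   " + render(plain, model));

        // 2. HTML output format: every ${...} is HTML-escaped by FreeMarker
        //    itself, unless a value is explicitly marked as markup (?no_esc).
        Configuration escaping = new Configuration(Configuration.VERSION_2_3_24);
        escaping.setOutputFormat(HTMLOutputFormat.INSTANCE);
        System.out.println("auto-escaping: " + render(escaping, model));
    }
}
```

Setting the output format on the Configuration turns auto-escaping on for all templates it loads; the same effect can be declared per template with a leading <#ftl output_format="HTML"> header, which is the less invasive option while a mix of HTML and plain-text templates is served. On the 2.3.18 release currently referenced by the pom, the per-value ?html built-in (for example ${attribute.value?html}) gives the same escaping for the attribute cells, but it has to be applied by hand in every template that prints feature data, which is exactly the kind of omission that auto-escaping removes.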