
WMS OpenLayers output: escape angle brackets in mapserv_onlineresource#7544

Open
MarkLee131 wants to merge 1 commit into
MapServer:mainfrom
MarkLee131:fix-openlayers-xss-script-breakout

Conversation

@MarkLee131


GHSA-52rr-p4x5-2x6x:

The OpenLayers GetMap page (FORMAT=application/openlayers) inlines mapserv_onlineresource into a single-quoted JS string inside a <script> element. The fix for GHSA-xqj6-vjqr-33vv (edc1033) escaped only the JS single-quote, so a literal </script> in a request-controlled value (e.g. X-Forwarded-Host) still closes the script element at the HTML-parsing layer.

This encodes < and > as \u003c / \u003e after the existing JSON-string escaping, so the value cannot break out of the script block.

Adds an msautotest case (wxs/wms_openlayers_xss.map) that drives the OpenLayers output with a </script>-bearing X-Forwarded-Host and asserts the brackets come out encoded. Also extends mstestlib.py so a test can set multiple [ENV ...] variables.

The GHSA-xqj6-vjqr-33vv fix only escaped the JS quote, so a literal
</script> in a forwarded host/proto header still closed the <script>
block. Encode the angle brackets as their JavaScript unicode escapes
so the value stays a JS string and cannot break out of the element.

Add an msautotest case (wxs/wms_openlayers_xss) and make the [ENV ...]
test directive repeatable so it can set the request headers it needs.
@jmckenna jmckenna added backport branch-8-6 To backport a pull request to branch-8-6 Security labels Jun 30, 2026
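The two escaping layers the PR description contrasts, written out as an added C example (not MapServer's code and not the patch in this PR): a quote-only escaper of the kind the description says the earlier fix relied on, beside one that additionally encodes `<` and `>` as `\u003c` / `\u003e`. The JavaScript engine decodes those escapes back to literal brackets, but the HTML tokenizer, which runs before any script is parsed and knows nothing about JS string escapes, never sees a `</script` sequence. The function names, the simplified quote/backslash escaper standing in for MapServer's JSON-string escaping, and the sample host value are all assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape a value for embedding inside a single-quoted JavaScript string.
 * Simplified stand-in (assumption, not MapServer's escaper) for the
 * quote-only escaping the PR describes as insufficient: backslash and
 * single quote are escaped, but '<' and '>' pass through unchanged.
 * Caller frees the result. */
char *js_escape_quote_only(const char *in)
{
    size_t n = strlen(in);
    char *out = malloc(2 * n + 1);   /* each byte expands to at most 2 */
    char *p = out;
    if (!out) return NULL;
    for (const char *s = in; *s; s++) {
        if (*s == '\\' || *s == '\'') *p++ = '\\';
        *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* Same escaping, then additionally encode '<' and '>' as the JavaScript
 * unicode escapes \u003c and \u003e, so the output can never contain the
 * byte sequence "</script" that ends an HTML script element. */
char *js_escape_for_script_element(const char *in)
{
    size_t n = strlen(in);
    char *out = malloc(6 * n + 1);   /* '<' or '>' expands to 6 bytes */
    char *p = out;
    if (!out) return NULL;
    for (const char *s = in; *s; s++) {
        switch (*s) {
        case '\\': *p++ = '\\'; *p++ = '\\'; break;
        case '\'': *p++ = '\\'; *p++ = '\''; break;
        case '<':  memcpy(p, "\\u003c", 6); p += 6; break;
        case '>':  memcpy(p, "\\u003e", 6); p += 6; break;
        default:   *p++ = *s;
        }
    }
    *p = '\0';
    return out;
}

/* Case-insensitive check for the "</script" end-tag opener that makes the
 * HTML tokenizer leave script data. Returns 1 if present, 0 otherwise.
 * This is the property a regression test would assert on the rendered page. */
int contains_script_end_tag(const char *s)
{
    const char *needle = "</script";
    size_t nl = strlen(needle);
    for (; *s; s++) {
        size_t i;
        for (i = 0; i < nl && s[i] && tolower((unsigned char)s[i]) == needle[i]; i++)
            ;
        if (i == nl) return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample of a request-controlled host value (e.g. what a
     * forwarded-host header might carry); not taken from the PR. */
    const char *host = "maps.example.org'</script>";
    char *weak = js_escape_quote_only(host);
    char *safe = js_escape_for_script_element(host);
    printf("quote-only  : '%s'  breakout=%d\n", weak, contains_script_end_tag(weak));
    printf("with \\u00xx : '%s'  breakout=%d\n", safe, contains_script_end_tag(safe));
    free(weak);
    free(safe);
    return 0;
}
```

The quote-only output still carries a literal `</script>`, which is exactly what the HTML parser acts on regardless of the escaped quote in front of it; the second output keeps the value a plain JS string from the HTML parser's point of view. The `contains_script_end_tag` check is the kind of assertion the msautotest case described above makes against the rendered OpenLayers page.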