terriajs icon indicating copy to clipboard operation
terriajs copied to clipboard

Published 20 hours ago verified publisher icon TerriaJS

Form in featureInfoTemplate of WMS doesn't keep target proprieties

Open LorenzoStucchi opened this issue 2 years ago • 1 comments

The featureInfoTemplate field, if cointains a template with basic HTML with a <form> tag doesn't keep the proprieties of target filed.

See the example below, the form asks for some field and then should call the query on another page, thanks to the target="_blank" properties, however, this doesn't happen and the call is on the same page.

{
  "catalog": [
    {
      "type": "group",
      "name": "datistorici",
      "isOpen": true,
      "members": [
        {
          "type": "wms",
          "name": "datistorici",
          "url": "http://gis2.rse-web.it/geoserver/wms",
          "layers": "atlante_integrato:reticolo_tiles_3857",
          "opacity": 0.5,
          "featureInfoTemplate": {
            "template":
            "<br><p><form action=\"https://atlanteeolico.rse-web.it/AEOLIAN_richiesta_dati.php\" method=\"get\" target=\"_blank\"><table style=\"width:100%\"><tr><td><label for=\"label_id_cella\">Id cella:  </label></td><td><input type=\"text\" id=\"label_id_cella\" name=\"label_id_cella\" value={{id_tile}} readonly size=\"10\"><br></td></tr><tr><td><label for=\"label_nome\">Nome:  </label></td><td><input type=\"text\" id=\"Nome\" name=\"Nome\" size=\"27\"></td></tr><tr><td><br><label for=\"label_mail\">Mail:  </label></td><td><input type=\"text\" id=\"label_mail\" name=\"label_mail\" size=\"27\"></td></tr><tr><td>Formato file:</td><td style=\"text-align:bottom\"><br><input type=\"radio\" id=\"csv\" name=\"fav_language\" value=\"csv\"><label for=\"csv\">CSV</label> ....  <input type=\"radio\" id=\"Netcdf\" name=\"fav_language\" value=\"Netcdf\"><label for=\"Netcdf\">Netcdf</label><br><br></td></tr><tr><td><label for=\"cars\">Seleziona uno o più anni <br> (richiesto):</label></td><td><select name=\"cars\" id=\"cars\" multiple style=\"width:150px; text-align:right; margin: 0px;\"><option value=\"1990\">1990</option><option value=\"1991\">1991</option><option value=\"1992\">1992</option><option value=\"1993\">1993</option><option value=\"1994\">1994</option><option value=\"1995\">1995</option><option value=\"1996\">1996</option><option value=\"1997\">1997</option><option value=\"1998\">1998</option><option value=\"1999\">1999</option><option value=\"2000\">2000</option><option value=\"2001\">2001</option><option value=\"2002\">2002</option><option value=\"2003\">2003</option><option value=\"2004\">2004</option><option value=\"2005\">2005</option><option value=\"2006\">2006</option><option value=\"2007\">2007</option><option value=\"2008\">2008</option><option value=\"2009\">2009</option><option value=\"2010\">2010</option><option value=\"2011\">2011</option><option value=\"2012\">2012</option><option value=\"2013\">2013</option><option value=\"2014\">2014</option><option value=\"2015\">2015</option><option value=\"2016\">2016</option><option value=\"2017\">2017</option><option value=\"2018\">2018</option><option value=\"2019\">2019</option></select><br><br></td></tr><tr><td></td><td><input type=\"submit\" value=\"Avvia\"></td></tr></table></form><br></p>"
          },
          "id": "it_dati_storici",
          "initialMessage": {
            "title": "Per accedere:",
            "content": "Seleziona il punto direttamente sulla mappa.",
            "key": "it_dati_storici",
            "confirmation": true,
            "confirmText": "Avvia"
          }
        }
      ]
    }
  ],
  "homeCamera": {
    "north": 48,
    "east": 19,
    "south": 35,
    "west": 6
  },
  "baseMaps": {
    "defaultBaseMapId": "basemap-positron",
    "previewBaseMapId": "basemap-positron"
  },
  "viewerMode": "2d",
  "workbench": [
    "it_dati_storici"
  ]
}

immagine

The code in the HTML page is below and doesn't contain the target field

<form method="get" action="https://atlanteeolico.rse-web.it/AEOLIAN_richiesta_dati.php">
	<table style="width: 100%;">
		<tbody>
			<tr>
				<td>
					<label for="label_id_cella">Id cella:</label>
				</td>
				<td>
					<input size="10" readonly="" name="label_id_cella" id="label_id_cella" type="text" value="4249">
					<br>
				</td>
			</tr>
[...]
			<tr>
				<td>
				</td>
				<td>
					<input type="submit" value="Avvia">
				</td>
			</tr>
		</tbody>
	</table>
</form>

LorenzoStucchi avatar Sep 05 '22 12:09 LorenzoStucchi

Hey @LorenzoStucchi !

I believe this is due to DOMPurify stripping the target HTML attribute - https://github.com/cure53/DOMPurify/issues/317

We can fix it by adding

DOMPurify.addHook('afterSanitizeAttributes', function (node) {
  // set all elements owning target to target=_blank
  if ('target' in node) {
    node.setAttribute('target', '_blank');
    node.setAttribute('rel', 'noopener');
  }
});

Originally posted by @mparpaillon in https://github.com/cure53/DOMPurify/issues/317#issuecomment-698800327

I'm going to move this into the terriajs repo - hope that is OK 🙂

nf-s avatar Sep 06 '22 06:09 nf-s