Perhaps not really Kartographer's fault; this is something that ResourceLoader should probably be sanitizing. But Kartographer should maybe be more careful in sanitizing unrecognized input too.
Consider the following Kartographer invocation:
<mapframe width="350" height="350" zoom="13" longitude="-122.39902496337889" latitude="37.80151060070086">
{
  "type": "FeatureCollection",
  "features": [
    {
      "type": "Feature",
      "properties": {
        "__proto__": {
          "marker-symbol": "hospital",
          "marker-color": "302060",
          "title": "",
          "description": "<img onerror=\"alert('xss!')\" src=x>"
        }
      },
      "geometry": {
        "type": "Point",
        "coordinates": [ -122.41816520690917, 37.79097260220947 ]
      }
    }
  ]
}
</mapframe>
Then click on the plus icon.
For some reason this doesn't seem to work when using <script> tags directly. I can't for the life of me figure out why. If anyone knows why it doesn't work with script, please tell me.
Kartographer does not recurse into property names it doesn't recognize during sanitization. Thus everything in "__proto__" is untouched. But browsers notice __proto__ and use it to override the object's prototype. Thus the property is taken into account as if it were directly set on the object, due to JS inheritance.
- The JavaScript escaping functions in the Xml class should probably ban property names starting with a double underscore.
- Maybe SimpleStyleSanitizer in Kartographer should rethink its decision to allow unrecognized properties through.
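The following is an added example, not code from Kartographer or ResourceLoader, that reproduces the mechanism this report describes in plain JavaScript runnable under Node. It shows that JSON.parse keeps "__proto__" as an ordinary own property, that the same JSON text evaluated as a JavaScript object literal (which is how the example assumes the map data reaches the browser; new Function stands in for the inline script) turns that key into a prototype override, and how a sanitizer that only touches keys it recognizes lets the payload through while one that drops unrecognized and double-underscore keys does not. The sanitizer functions, KNOWN_KEYS, TEXT_KEYS and the sample feature are all constructed for the illustration.

```javascript
// Added example (not Kartographer/ResourceLoader code). Constructed payload
// mirroring the report; the property names and sanitizer are illustrative.
const FEATURE_JSON = `{
  "type": "Feature",
  "properties": {
    "__proto__": {
      "marker-symbol": "hospital",
      "marker-color": "302060",
      "title": "",
      "description": "<img onerror=\\"alert('xss!')\\" src=x>"
    }
  },
  "geometry": { "type": "Point", "coordinates": [-122.418, 37.791] }
}`;
const PAYLOAD = "<img onerror=\"alert('xss!')\" src=x>";

const TEXT_KEYS = ["title", "description"]; // keys the sanitizer HTML-escapes (hypothetical list)
const KNOWN_KEYS = ["marker-symbol", "marker-color", "title", "description"];

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
}

// Step 1: JSON.parse stores "__proto__" as an ordinary own property and does
// not touch the prototype chain, so props.description is undefined here.
function parseProperties(json) {
  return JSON.parse(json).properties;
}

// Naive sanitizer modelled on the behaviour the report describes: it escapes
// the text keys it recognizes and leaves every other key untouched, without
// recursing into unknown keys. It mutates in place so the only thing that
// changes is the value of recognized keys.
function naiveSanitize(props) {
  for (const key of Object.keys(props)) {
    if (TEXT_KEYS.includes(key)) props[key] = escapeHtml(props[key]);
  }
  return props;
}

// Hardened variant combining the two fixes suggested above: drop unrecognized
// keys entirely and refuse any key starting with "__". The result is built with
// defineProperty so that even a whitelisted "__proto__" could never reach the
// Object.prototype.__proto__ setter.
function hardenedSanitize(props) {
  const out = {};
  for (const key of Object.keys(props)) {
    if (key.startsWith("__") || !KNOWN_KEYS.includes(key)) continue;
    const value = TEXT_KEYS.includes(key) ? escapeHtml(props[key]) : props[key];
    Object.defineProperty(out, key, { value, enumerable: true, writable: true, configurable: true });
  }
  return out;
}

// Step 2: emulate the client. JSON embedded verbatim in a <script> is read by
// the JS engine as an object literal, where a quoted "__proto__": {...} key
// sets the prototype instead of creating an own property. (Assumption: this is
// the path the map data takes; new Function stands in for the inline script.)
function evaluateAsScriptLiteral(json) {
  return new Function("return (" + json + ");")();
}

// What a popup renderer doing `props.description` would observe.
function describeClientView(props) {
  return {
    description: props.description,
    isOwn: Object.prototype.hasOwnProperty.call(props, "description"),
    inheritsFromObject: Object.getPrototypeOf(props) === Object.prototype,
  };
}

// Full pipeline: parse on the server, sanitize, re-serialize, evaluate in the "browser".
function roundTrip(sanitize) {
  const parsed = JSON.parse(FEATURE_JSON);
  parsed.properties = sanitize(parsed.properties);
  return describeClientView(evaluateAsScriptLiteral(JSON.stringify(parsed)).properties);
}
```

With the naive sanitizer, roundTrip reports the raw payload as description, not as an own property, and the object's prototype is the attacker-supplied one; with the hardened sanitizer, description is undefined and the prototype is the normal Object.prototype. This also illustrates why the same JSON is harmless when it stays JSON: only the literal-evaluation step turns the key into a prototype override.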