 def testJsonXssVulnerability(self):
     """Checks that ToHtmlSafeJson's output cannot break out of a script context.

     Each input carries one sequence that would be dangerous if it were
     emitted verbatim inside an inline <script> block ('</script>', '<',
     '>', '&'); the encoded output must not contain that sequence.
     """
     cases = [
         ('x</script>y', '</script>'),
         ('x<y', '<'),
         ('x>y', '>'),
         ('x&y', '&'),
     ]
     for raw, forbidden in cases:
         encoded = base_handler.ToHtmlSafeJson(raw)
         self.assertFalse(forbidden in encoded)
  def Get(self, map_id, domain=None):  # pylint: disable=g-bad-name
    """Displays a map in draft mode by its map ID.

    Args:
      map_id: The map's ID, taken from the request path.
      domain: Optional domain from the request path.  When it is missing or
          does not match the map's own domain the request is redirected to the
          canonical URL (domain + map ID) rather than served here.

    Raises:
      base_handler.Error: 404 if no map with this ID exists.
    """
    map_object = model.Map.Get(map_id)
    if not map_object:
      raise base_handler.Error(404, 'Map %r not found.' % map_id)

    # Only serve the map at its canonical URL; anything else gets redirected
    # there.  map_id and map_object.domain are interpolated into a relative
    # path without further checks here -- presumably the URL route already
    # constrains their shape (verify against the route definition).
    at_canonical_url = bool(domain) and domain == map_object.domain
    if not at_canonical_url:
      target = '../%s/.maps/%s' % (map_object.domain, map_id)
      query = self.request.GET
      if query:  # keep the caller's query params across the redirect
        target = '%s?%s' % (target, urllib.urlencode(query.items()))
      return self.redirect(target)

    cm_config = GetConfig(self.request, map_object=map_object,
                          xsrf_token=self.xsrf_token)
    # Values that are only needed by the template are popped out of cm_config
    # *before* the remainder is serialized for the client.
    maps_api_url = cm_config.pop('maps_api_url', '')
    head_html = cm_config.pop('custom_head_html', '')
    lang = cm_config['lang']
    # SECURITY NOTE: cm_config_json is assumed to be safe JSON, and head_html
    # is assumed to be safe HTML; all other template variables are autoescaped.
    # TODO(kpy): Factor out the bits common to MapByLabel.Get and MapById.Get.
    template_vars = {
        'maps_api_url': maps_api_url,
        'head_html': head_html,
        'lang': lang,
        'lang_lower': lang.lower().replace('-', '_'),
        'cm_config_json': base_handler.ToHtmlSafeJson(cm_config),
    }
    self.response.out.write(self.RenderTemplate('map.html', template_vars))
  def Get(self, label, domain=None):  # pylint: disable=g-bad-name
    """Displays a published map by its domain and publication label.

    Args:
      label: The publication label from the request path.
      domain: Optional domain from the request path; falls back to the
          configured 'primary_domain', then to ''.

    Raises:
      base_handler.Error: 404 if no catalog entry matches domain/label
          (except for the 'maps' label, which redirects to the map list).
    """
    if not domain:
      domain = config.Get('primary_domain') or ''
    entry = model.CatalogEntry.Get(domain, label)
    if not entry:
      # Fall back to the map list for users that go to /crisismap/maps.
      # TODO(kpy): Remove this when the UI has a way to get to the map list.
      if label == 'maps':
        return self.redirect('.maps')
      raise base_handler.Error(404, 'Label %s/%s not found.' % (domain, label))

    cm_config = GetConfig(self.request, catalog_entry=entry,
                          xsrf_token=self.xsrf_token)
    map_root = cm_config.get('map_root', {})
    # Template-only values are popped out of cm_config before the remainder is
    # serialized for the client: they aren't part of the API understood by
    # google.cm.Map() and don't need to stay in cm_config.
    maps_api_url = cm_config.pop('maps_api_url', '')
    head_html = cm_config.pop('custom_head_html', '')
    maproot_url = cm_config.pop('maproot_url', '')
    lang = cm_config['lang']
    # SECURITY NOTE: cm_config_json is assumed to be safe JSON, and head_html
    # is assumed to be safe HTML; all other template variables are autoescaped.
    # The map title/description/image come from map_root (i.e. the published
    # map data) and rely on that template autoescaping.
    template_vars = {
        'maps_api_url': maps_api_url,
        'head_html': head_html,
        'lang': lang,
        'lang_lower': lang.lower().replace('-', '_'),
        'json_proxy_url': cm_config['json_proxy_url'],
        'maproot_url': maproot_url,
        'map_title': map_root.get('title', '') + ' | Google Crisis Map',
        'map_description': ToPlainText(map_root.get('description')),
        'map_url': self.request.path_url,
        'map_image': map_root.get('thumbnail_url', ''),
        'cm_config_json': base_handler.ToHtmlSafeJson(cm_config),
    }
    self.response.out.write(self.RenderTemplate('map.html', template_vars))