KML Data HTML being stripped

burnin...@gmail.com

Jun 2, 2017, 11:35:53 AM
to cesium-dev
I'm confused how to get HTML to render correctly when being loaded from a KML file. I have a KML file with Placemarks, and they have descriptions with links, line breaks, etc. When the data is loaded using

var kml_layer = Cesium.KmlDataSource.load(url);
viewer.dataSources.add(kml_layer);

All of the HTML is stripped out in the description, leaving the infobox unable to render any of it. I have tried just overwriting the description with some HTML, and that renders correctly in the infobox, so it isn't a problem with infobox. The only thing that seems to work is to wrap the description in <![CDATA[]]>, but since I'll be loading the files externally, I don't want/can't do that.

How do I get the KML data loader to not strip out html?

Rachel Hwang

Jun 7, 2017, 12:26:28 PM
to cesium-dev, burnin...@gmail.com
Hi there,

The two approaches are 

1. Wrap the HTML in CDATA
2. Escape your HTML string properly

Otherwise it's not valid KML/XML!

Hope that helps,
- Rachel
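
The two approaches listed above, as an added example (not code from this thread or from Cesium; the function names and the sample description are constructed for illustration). It also handles the one case where CDATA wrapping alone breaks: content that itself contains `]]>`.

```javascript
// Added example: two ways to place an HTML fragment inside a KML
// <description> so the file remains well-formed XML.
// All names here are hypothetical helpers, not part of Cesium.

const XML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };

// Approach 2: escape every XML-significant character in one pass,
// so an existing "&" is never double-processed.
function escapeXml(text) {
  return text.replace(/[&<>"']/g, (c) => XML_ENTITIES[c]);
}

// Approach 1: wrap in CDATA. A literal "]]>" inside the content would
// terminate the section early, so it is split across two adjacent sections.
function wrapCdata(text) {
  return '<![CDATA[' + text.split(']]>').join(']]]]><![CDATA[>') + ']]>';
}

// Build the <description> element with either approach.
function kmlDescription(html, mode) {
  const body = mode === 'cdata' ? wrapCdata(html) : escapeXml(html);
  return '<description>' + body + '</description>';
}

// Constructed sample: a description with a line break and a link.
const sampleHtml = 'Site A<br><a href="https://example.com/?a=1&b=2">details</a>';
console.log(kmlDescription(sampleHtml, 'escape'));
console.log(kmlDescription(sampleHtml, 'cdata'));
```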

Matthew Amato

Jun 7, 2017, 12:32:55 PM
to cesiu...@googlegroups.com
burningwolf96, are you the burn123 on Github that posted the sample here as well: https://github.com/AnalyticalGraphicsInc/cesium/issues/873#issuecomment-306791932?

If so, let's continue that conversation here.

Rachel is correct, HTML inside of XML needs to be properly escaped.  I am curious if your existing KML works as expected in Google Earth (it might because GE likes to allow "bad" files, but we might not have that option since we need to rely on the browser for parsing).

I'll check out the samples you posted and let you know.


burnin...@gmail.com

Jun 7, 2017, 7:14:03 PM
to cesium-dev
I am the same! Thanks for your help. Also, is it possible to have HTML in the title of the info box? The names of the data have links in them, and I would like to keep them.

burnin...@gmail.com

Jun 8, 2017, 9:12:46 AM
to cesium-dev
I would like to mention that my title is wrapped in CDATA

Rachel Hwang

Jun 8, 2017, 11:22:26 AM
to cesium-dev, burnin...@gmail.com
Hi there,


Hope that helps!
- Rachel

burnin...@gmail.com

Jun 8, 2017, 11:45:47 AM
to cesium-dev
I don't see anything about HTML in the title of the infobox, only the description

Rachel Hwang

Jun 8, 2017, 3:18:29 PM
to cesium-dev, burnin...@gmail.com
Modifying the title styling should be very similar, only the text is set with entity.name. As mentioned in that thread, you can also modify the infobox css to your liking. Modify: /Widgets/InfoBox/InfoBoxDescription.css

Hope that helps,
- Rachel

burnin...@gmail.com

Jun 8, 2017, 6:18:55 PM
to cesium-dev
So just having the title set with CDATA won't work? Because that isn't working for me currently

Matthew Amato

Jun 9, 2017, 9:35:58 AM
to cesiu...@googlegroups.com
First, to answer your direct question, the name tag used for the title gets treated as text and not HTML. This is due to the use of the `text:` binding on this line: https://github.com/AnalyticalGraphicsInc/cesium/blob/master/Source/Widgets/InfoBox/InfoBox.js#L53. If you change `text:` to `html:`, then the name would work as you desired. If you're feeling bold, you can clone the Cesium repository and make this change yourself to try it out. (Here's our build guide: https://github.com/AnalyticalGraphicsInc/cesium/tree/master/Documentation/Contributors/BuildGuide)

Now for the big picture: Allowing KML (or any other external data source) to inject arbitrary HTML into a web application is actually a major security hole. This is why Cesium uses iframe sandboxing and text bindings instead of html. Our goal is "secure by default" so the infobox does not allow any HTML or JavaScript out of the box. For developers that need this functionality and understand the risk (or will be in total control of any data that gets loaded), the iframe sandboxing can be disabled and HTML and JavaScript descriptions will work as expected. However, you are the first person to ever request that we allow HTML for the entity.name and title itself. Since I already mentioned above that this is an easy change, I wrote up https://github.com/AnalyticalGraphicsInc/cesium/issues/5446 so that we address this in the future. If you are interested in contributing the change, we'd be happy to look at a pull request.


On Thu, Jun 8, 2017 at 6:18 PM, <burnin...@gmail.com> wrote:
So just having the title set with CDATA won't work? Because that isn't working for me currently
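
One way to keep links in a title without rendering arbitrary markup from the KML, as an added example (not Cesium code and not from this thread): escape the whole name first, then re-enable only plain http(s) anchors. `renderNameHtml` and the sample names are hypothetical and constructed for illustration.

```javascript
// Added example, not part of Cesium: turn an untrusted KML <name> into HTML
// that may contain plain http(s) links and nothing else.

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Matches, in ALREADY ESCAPED text, exactly: <a href="http(s)://...">label</a>
// The URL part accepts no whitespace and no "&" other than "&amp;", so an
// escaped quote (&quot;) can never be inside it and the href attribute
// cannot be closed early. Any extra attribute makes the match fail.
const ESCAPED_LINK =
  /&lt;a href=&quot;(https?:\/\/(?:[^&\s]|&amp;)+)&quot;&gt;(.*?)&lt;\/a&gt;/g;

function renderNameHtml(untrustedName) {
  // Step 1: neutralise all markup. Step 2: restore only the trusted pattern.
  // The link label ($2) stays escaped, so it is always shown as text.
  return escapeHtml(untrustedName).replace(
    ESCAPED_LINK,
    '<a href="$1" rel="noopener noreferrer">$2</a>'
  );
}

// Constructed sample names, as they might arrive from an external KML file.
const sampleNames = [
  'Station 12 <a href="https://example.com/s/12?x=1&y=2">info</a>',
  '<script>alert(1)</script>',
  '<a href="https://example.com/" onclick="x()">y</a>',
];
for (const name of sampleNames) {
  console.log(renderNameHtml(name));
}
```

The output is only meaningful where the name is bound as HTML (the `html:` change described above); with the default `text:` binding the name is already displayed as plain text.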

burnin...@gmail.com

Jun 9, 2017, 9:51:12 AM
to cesium-dev
That does make sense, and I do understand your logic for most use cases, but since this will be an internal application, we aren't really concerned with these sorts of security flaws.

Changing that line did work, thank you! I feel that this could be changed through a simple property in the viewer, or some 1 line of code that changes this.
