How to write KML and protect against cross site scripting (XSS) attack?

Joseph Elfelt

Feb 24, 2011, 8:57:11 PM
to kml-suppor...@googlegroups.com
Over a year ago I released a Google Map API application that can display KML files that are hosted anywhere online.  I would like to have a better understanding of whether KML files can be used to launch XSS attacks and, if so, what are the recommended safeguards.

Here is an example of my application (Gmap4) displaying a KML file that I wrote.  The KML file includes html tags (bold, table, links, etc) that are used in displaying the infowindows when the markers are clicked.  My app can display KML files written by anyone and hosted anywhere - the files do not have to be hosted on my server.
http://www.mappingsupport.com/p/gmap4.php?q=http://www.mappingsupport.com/p/gmap4/helpfile/Stafford_Creek.kml&t=t2

Does the Google KML parser prevent KML files from being used for XSS attacks or do I need to address this issue with my own code?

In my searching I found almost no discussion of this issue.

Josh L

Feb 28, 2011, 6:05:08 PM
to KML Developer Support - Advanced Support for KML
Hi Joseph,

When a user loads a KML using the Google Maps v3 KmlLayer, the KML is
fetched by our servers and parsed (only if it's valid KML/GeoRSS).
It's then run through some safety filters to strip out a variety of
potential security issues (like XSS attacks) before the reprocessed
data is sent back to the end user. This is one reason things like
javascript won't run in your infowindow, even if it was in the source
KML balloon.

The same backend parsing is used when you load a KML at
http://maps.google.com?q=http://yourserver/any.kml, so you can infer
that we believe the architecture is safe in terms of potential XSS
attacks.

Cheers,

-Josh
