Severity: high
Category: security
showEntityInfo() interpolates untrusted values directly into innerHTML. Multiple callers pass remote feed fields straight into that API without escaping.
Evidence:
- src/ui/entity-info-panel.ts:44-73 writes info.title, info.subtitle, f.label, and f.value into innerHTML.
- src/layers/aircraft-layer.ts:560-576 passes live ADS-B values such as callsign, country, type, and registration directly into the panel.
- The same shared panel is also used by other live-feed layers such as satellites, military, maritime, alerts, and EONET.
Impact:
- a malicious upstream feed value can inject markup, including elements with event handlers
- opening the entity panel then executes that script in the app origin
- the script inherits the page's privileges, including access to any localhost APIs the page can reach
Recommended fix:
- build the panel with DOM nodes and textContent instead of HTML strings
- run any field that must intentionally support markup through an allow-list HTML sanitizer before inserting it
- treat all provider-fed strings as untrusted input
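Added example, not the project's own code: the innerHTML string-building pattern the finding reports beside the DOM-node/textContent fix it recommends, fed with a constructed hostile ADS-B style record. EntityInfo mirrors the field names in the finding (title, subtitle, label, value); the MiniDocument test double, the PanelDocument interface, and the sample record are assumptions so the example runs under Node without a browser. Sanitizing fields that deliberately carry markup is a separate step and is not shown here.

```typescript
// Added example (not code from the project). Shows the vulnerable innerHTML
// pattern and the textContent fix. The MiniDocument/MiniElement classes are an
// assumed in-memory stand-in for the browser DOM; the sample record is constructed.

interface EntityField { label: string; value: string }
interface EntityInfo { title: string; subtitle: string; fields: EntityField[] }

// The subset of the DOM the panel builder needs. The browser's Document and
// HTMLElement satisfy this; MiniDocument below implements it for offline use.
interface PanelElement {
  textContent: string | null;
  append(...children: PanelElement[]): void;
}
interface PanelDocument { createElement(tag: string): PanelElement }

class MiniText {
  constructor(readonly data: string) {}
  // Serialising a text node escapes markup characters. That is exactly why
  // textContent is safe: the string can never become an element or attribute.
  toHTML(): string {
    return this.data.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
  }
}

class MiniElement implements PanelElement {
  private children: (MiniElement | MiniText)[] = [];
  constructor(readonly tag: string) {}
  get textContent(): string | null {
    return this.children.map(c => (c instanceof MiniText ? c.data : (c.textContent ?? ""))).join("");
  }
  set textContent(s: string | null) { this.children = [new MiniText(s ?? "")]; }
  append(...children: PanelElement[]): void {
    for (const c of children) this.children.push(c as MiniElement);
  }
  toHTML(): string {
    return `<${this.tag}>${this.children.map(c => c.toHTML()).join("")}</${this.tag}>`;
  }
}

class MiniDocument implements PanelDocument {
  createElement(tag: string): MiniElement { return new MiniElement(tag); }
}

// BEFORE: the pattern the finding reports. Untrusted feed fields are
// interpolated into an HTML string that the caller then assigns to innerHTML.
function renderUnsafeHtml(info: EntityInfo): string {
  const rows = info.fields.map(f => `<dt>${f.label}</dt><dd>${f.value}</dd>`).join("");
  return `<h2>${info.title}</h2><p>${info.subtitle}</p><dl>${rows}</dl>`;
}

// AFTER: build nodes and assign strings through textContent. Feed values can
// only ever become text, never elements, attributes or event handlers.
function renderPanel(doc: PanelDocument, info: EntityInfo): PanelElement {
  const root = doc.createElement("section");
  const heading = doc.createElement("h2");
  heading.textContent = info.title;
  const subtitle = doc.createElement("p");
  subtitle.textContent = info.subtitle;
  const list = doc.createElement("dl");
  for (const f of info.fields) {
    const dt = doc.createElement("dt");
    dt.textContent = f.label;
    const dd = doc.createElement("dd");
    dd.textContent = f.value;
    list.append(dt, dd);
  }
  root.append(heading, subtitle, list);
  return root;
}

// Constructed sample: an ADS-B style record whose fields carry markup, as a
// hostile upstream feed could supply. The registration payload targets a
// localhost API, the class of impact the finding describes.
const hostileAircraft: EntityInfo = {
  title: 'ABC123<img src=x onerror="alert(1)">',
  subtitle: "Unknown operator",
  fields: [
    { label: "Registration", value: "N1<script>fetch('http://127.0.0.1:8080/admin')</script>" },
    { label: "Country", value: "X & Y" },
  ],
};

// Check used for the comparison: did any real element come from feed data?
// Escaped text such as "&lt;img" does not match.
function containsInjectedMarkup(html: string): boolean {
  return /<(img|script)\b/i.test(html);
}
```

In the real panel the `doc` argument is `document` and `root` is appended to the panel container; the unsafe and safe renderers are kept side by side only so the difference in output can be compared.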