Severity: high
Category: security
The CCTV modal builds HTML with external camera metadata and feed URLs without escaping or validation.
Evidence:
src/layers/cctv-layer.ts:637-676 writes camera.name, camera.roadway, camera.location, and camera.feedUrl directly into feedPanel.innerHTML, including an <img src> attribute.
src/layers/cctv-layer.ts:302-310 maps Windy API fields into CCTVCamera records.
src/layers/cctv-layer.ts:587-596 maps NIMS API fields into CCTVCamera records.
Impact:
- a poisoned camera record can inject arbitrary markup or event attributes into the modal
- opening a camera feed can execute attacker-controlled script
- remote URLs are also inserted into image attributes without validation
Recommended fix:
- construct the modal with DOM APIs instead of innerHTML
- assign text via textContent
- validate feed URLs with new URL() plus an allowlist before assigning them to img.src
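A hardened panel builder following the three points above, added here as an illustration and not the project's own code; the CCTVCamera shape is assumed from the field names in the finding, the host allowlist is a placeholder, and the PanelNode/PanelDocument interfaces are a minimal structural view of the DOM so the builder can be exercised with a stub document outside the browser.

```typescript
// Minimal structural view of the DOM nodes the builder touches (assumed types, not the
// project's own); real Document and HTMLElement satisfy it, and so does a test stub.
interface PanelNode {
  textContent: string | null;
  setAttribute(name: string, value: string): void;
  appendChild(child: PanelNode): PanelNode;
}
interface PanelDocument {
  createElement(tag: string): PanelNode;
}
// Assumed shape of the project's CCTVCamera record (field names from the finding).
interface CCTVCamera {
  name: string;
  roadway: string;
  location: string;
  feedUrl: string;
}

// Placeholder allowlist: replace with the hosts the Windy and NIMS feeds actually use.
export const FEED_HOST_ALLOWLIST: readonly string[] = ['cctv-feeds.example'];

// Returns a normalised https URL on an allowlisted host, or null if the feed URL is rejected.
// new URL() throws on unparsable input and lowercases the hostname, so the comparison is exact.
export function validateFeedUrl(raw: string, allowedHosts: readonly string[] = FEED_HOST_ALLOWLIST): string | null {
  let parsed: URL;
  try {
    parsed = new URL(raw);
  } catch {
    return null; // relative paths, empty strings and garbage all fail here
  }
  if (parsed.protocol !== 'https:') return null; // rejects javascript:, data:, http:
  if (allowedHosts.indexOf(parsed.hostname) === -1) return null;
  return parsed.href;
}

// Builds the feed panel with DOM APIs only: metadata goes through textContent, so markup in a
// poisoned record is displayed literally, and the feed URL is validated before reaching img.src.
export function buildFeedPanel(doc: PanelDocument, camera: CCTVCamera, allowedHosts: readonly string[] = FEED_HOST_ALLOWLIST): PanelNode {
  const panel = doc.createElement('div');
  const title = panel.appendChild(doc.createElement('h3'));
  title.textContent = camera.name;
  const meta = panel.appendChild(doc.createElement('p'));
  meta.textContent = `${camera.roadway} - ${camera.location}`;
  const safeUrl = validateFeedUrl(camera.feedUrl, allowedHosts);
  if (safeUrl === null) {
    const notice = panel.appendChild(doc.createElement('p'));
    notice.textContent = 'Feed unavailable: rejected URL';
    return panel;
  }
  const img = panel.appendChild(doc.createElement('img'));
  img.setAttribute('src', safeUrl);
  img.setAttribute('alt', camera.name);
  return panel;
}
```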