Improve XSS security (#953)

jcary741 · Jay Cary · vincentsarago · web-flow · commit dd773230e1d9 · 2024-07-31T14:55:48.000+02:00
* improve XSS security

* update changelog

---------

Co-authored-by: Jay Cary &lt;jay@chloris.earth&gt;
Co-authored-by: vincentsarago &lt;vincent.sarago@gmail.com&gt;
diff --git a/CHANGES.md b/CHANGES.md
@@ -2,6 +2,8 @@
 
 ## Unreleased
 
+* Improve XSS security for HTML templates (author @jcary741, https://github.com/developmentseed/titiler/pull/953)
+
 * Encode URL for cog_viewer and stac_viewer (author @guillemc23, https://github.com/developmentseed/titiler/pull/961)
 
 * Remove all default values to the dependencies
diff --git a/docs/src/benchmark.html b/docs/src/benchmark.html
@@ -103,8 +103,9 @@
       <div class="spacer"></div>
       <div class="small">Powered by <a rel="noopener" href="https://github.com/marketplace/actions/continuous-benchmark">github-action-benchmark</a></div>
     </footer>
-
-    <script src="https://cdn.jsdelivr.net/npm/chart.js@2.9.2/dist/Chart.min.js"></script>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/Chart.js/2.9.2/Chart.min.js"
+            integrity="sha512-uWTfEVcTAr+NF8RnQix39Vnfd93celVTAjU2pi4LpdrsPLeLg5RYywi5rw9oF8oCQaJ6b2YPALceNbf3kfDJaA=="
+            crossorigin="anonymous" referrerpolicy="no-referrer"></script>
     <script id="main-script">
     'use strict';
       (function() {
diff --git a/src/titiler/application/titiler/application/templates/index.html b/src/titiler/application/titiler/application/templates/index.html
@@ -4,7 +4,9 @@
     <title>{{ template.title }}</title>
     <meta charset="utf-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
-    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.5.3/css/bootstrap.min.css" />
+      <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/bootstrap/4.5.3/css/bootstrap.min.css"
+            integrity="sha512-oc9+XSs1H243/FRN9Rw62Fn8EtxjEYWHXRvjS43YtueEewbS6ObfXcJNyohjHqVKFPoXXUxwc+q1K7Dee6vv9g=="
+            crossorigin="anonymous" referrerpolicy="no-referrer"/>
     <style>
       html { position: relative; min-height: 100%; }
       body { padding-top: 5rem; margin-bottom: 40px; }
@@ -19,8 +21,12 @@
         display: inline;
       }
     </style>
-    <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
-    <script src="https://files.dnr.state.mn.us/lib/bootstrap4/javascripts/bootstrap.min.js"></script>
+      <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"
+              integrity="sha512-894YE6QWD5I59HgZOGReFYm4dnWc1Qt5NtvYSaNcOP+u1T9qYdvdihz0PPSiiqn/+/3e7Jo4EaG7TubfWGUrMQ=="
+              crossorigin="anonymous" referrerpolicy="no-referrer"></script>
+      <script src="https://cdnjs.cloudflare.com/ajax/libs/bootstrap/4.5.3/js/bootstrap.min.js"
+              integrity="sha512-8qmis31OQi6hIRgvkht0s6mCOittjMa9GMqtK9hes5iEQBQE/Ca6yGE5FsW36vyipGoWQswBj/QBm2JR086Rkw=="
+              crossorigin="anonymous" referrerpolicy="no-referrer"></script>
   </head>
   <body>
     <nav class="navbar navbar-expand-md navbar-light fixed-top bg-light">
diff --git a/src/titiler/core/titiler/core/templates/map.html b/src/titiler/core/titiler/core/templates/map.html
@@ -4,10 +4,18 @@
         <meta charset='utf-8' />
         <title>TiTiler Map Viewer</title>
         <meta name='viewport' content='initial-scale=1,maximum-scale=1,user-scalable=no' />
-        <link rel="stylesheet" href="https://unpkg.com/leaflet@1.9.3/dist/leaflet.css"/>
-        <script src="https://unpkg.com/leaflet@1.9.3/dist/leaflet.js"></script>
-        <script src="https://unpkg.com/proj4@2.3.14/dist/proj4.js"></script>
-        <script src="https://unpkg.com/proj4leaflet@1.0.2/src/proj4leaflet.js"></script>
+        <link rel="stylesheet" href="https://unpkg.com/leaflet@1.9.3/dist/leaflet.css"
+              integrity="sha384-o/2yZuJZWGJ4s/adjxVW71R+EO/LyCwdQfP5UWSgX/w87iiTXuvDZaejd3TsN7mf"
+              crossorigin="anonymous"/>
+        <script src="https://unpkg.com/leaflet@1.9.3/dist/leaflet.js"
+                integrity="sha384-okbbMvvx/qfQkmiQKfd5VifbKZ/W8p1qIsWvE1ROPUfHWsDcC8/BnHohF7vPg2T6"
+                crossorigin="anonymous"></script>
+        <script src="https://unpkg.com/proj4@2.3.14/dist/proj4.js"
+                integrity="sha384-R7x++v2MKcATI+D1/GJsn636xbHca492Sdpm8BD36lj5vdWB9+OUBpM1oKkrzqv9"
+                crossorigin="anonymous"></script>
+        <script src="https://unpkg.com/proj4leaflet@1.0.2/src/proj4leaflet.js"
+                integrity="sha384-aDnBHDK9AhLbrYhThBxEVMriFbix8Sz2059IlD3HbZhz7+WNmz+pSkOcI7MY72cE"
+                crossorigin="anonymous"></script>
         <style>
             body { margin:0; padding:0; width:100%; height:100%; background-color: #e5e5e5;}
             #map { position:absolute; top:0; bottom:0; width:100%; }
diff --git a/src/titiler/extensions/titiler/extensions/templates/cog_viewer.html b/src/titiler/extensions/titiler/extensions/templates/cog_viewer.html
@@ -4,13 +4,20 @@
     <meta charset='utf-8' />
     <title>TiTiler - Cloud Optimized GeoTIFF Viewer</title>
     <meta name='viewport' content='initial-scale=1,maximum-scale=1,user-scalable=no' />
-
-    <script src='https://unpkg.com/maplibre-gl@2.4.0/dist/maplibre-gl.js'></script>
-    <link href='https://unpkg.com/maplibre-gl@2.4.0/dist/maplibre-gl.css' rel='stylesheet' />
-
-    <link href='https://api.mapbox.com/mapbox-assembly/v0.23.2/assembly.min.css' rel='stylesheet'>
-    <script src='https://api.mapbox.com/mapbox-assembly/v0.23.2/assembly.js'></script>
-    <script src="https://d3js.org/d3.v4.js"></script>
+    <script src="https://unpkg.com/maplibre-gl@2.4.0/dist/maplibre-gl.js"
+            integrity="sha384-d7ZDjW8dICoRWC3wnExUiOx1CgEcPFEPJmTdIo93yyxQLAUbUwa6yKg3tlACCOMf"
+            crossorigin="anonymous"></script>
+    <link rel="stylesheet" href="https://unpkg.com/maplibre-gl@2.4.0/dist/maplibre-gl.css"
+          integrity="sha384-g0Ap4cGP18FAKniFM6i06oyjTpBYleD9hZcGyVnlsc1JFbfedDo1Oqb9qxrxVB3a" crossorigin="anonymous"/>
+
+    <link rel="stylesheet" href="https://api.mapbox.com/mapbox-assembly/v0.23.2/assembly.min.css"
+          integrity="sha384-J8dqIWgJSfbM291RNLiN7cjnxOqlHjAWfkLu/3HiuC1pJLq9ZCYiigcknWfCYi+h" crossorigin="anonymous"/>
+    <script src="https://api.mapbox.com/mapbox-assembly/v0.23.2/assembly.js"
+            integrity="sha384-cARSC/qj9L62maU7YhlT+Ca2yHyUEEnWvMVCilUdW02txMg0Iynxz3gMsvVpV9RG"
+            crossorigin="anonymous"></script>
+    <script src="https://d3js.org/d3.v4.js"
+            integrity="sha384-2D+rRoPOU+IYMo2i8sD/TSf9L+6H+Dt8lxmKl1r7xyEcV83QdtJyeaoE1DHIG3F7"
+            crossorigin="anonymous"></script>
     <style>
       body { margin:0; padding:0; width:100%; height:100%;}
       #map { position:absolute; top:0; bottom:0; width:100%; }
diff --git a/src/titiler/extensions/titiler/extensions/templates/stac_viewer.html b/src/titiler/extensions/titiler/extensions/templates/stac_viewer.html
@@ -4,13 +4,20 @@
     <meta charset='utf-8' />
     <title>TiTiler - STAC Viewer</title>
     <meta name='viewport' content='initial-scale=1,maximum-scale=1,user-scalable=no' />
-
-    <script src='https://unpkg.com/maplibre-gl@2.4.0/dist/maplibre-gl.js'></script>
-    <link href='https://unpkg.com/maplibre-gl@2.4.0/dist/maplibre-gl.css' rel='stylesheet' />
-
-    <link href='https://api.mapbox.com/mapbox-assembly/v0.23.2/assembly.min.css' rel='stylesheet'>
-    <script src='https://api.mapbox.com/mapbox-assembly/v0.23.2/assembly.js'></script>
-    <script src="https://d3js.org/d3.v4.js"></script>
+    <script src="https://unpkg.com/maplibre-gl@2.4.0/dist/maplibre-gl.js"
+            integrity="sha384-d7ZDjW8dICoRWC3wnExUiOx1CgEcPFEPJmTdIo93yyxQLAUbUwa6yKg3tlACCOMf"
+            crossorigin="anonymous"></script>
+    <link rel="stylesheet" href="https://unpkg.com/maplibre-gl@2.4.0/dist/maplibre-gl.css"
+          integrity="sha384-g0Ap4cGP18FAKniFM6i06oyjTpBYleD9hZcGyVnlsc1JFbfedDo1Oqb9qxrxVB3a" crossorigin="anonymous"/>
+
+    <link rel="stylesheet" href="https://api.mapbox.com/mapbox-assembly/v0.23.2/assembly.min.css"
+          integrity="sha384-J8dqIWgJSfbM291RNLiN7cjnxOqlHjAWfkLu/3HiuC1pJLq9ZCYiigcknWfCYi+h" crossorigin="anonymous"/>
+    <script src="https://api.mapbox.com/mapbox-assembly/v0.23.2/assembly.js"
+            integrity="sha384-cARSC/qj9L62maU7YhlT+Ca2yHyUEEnWvMVCilUdW02txMg0Iynxz3gMsvVpV9RG"
+            crossorigin="anonymous"></script>
+    <script src="https://d3js.org/d3.v4.js"
+            integrity="sha384-2D+rRoPOU+IYMo2i8sD/TSf9L+6H+Dt8lxmKl1r7xyEcV83QdtJyeaoE1DHIG3F7"
+            crossorigin="anonymous"></script>
     <style>
       body { margin:0; padding:0; width:100%; height:100%;}
       #map { position:absolute; top:0; bottom:0; width:100%; }
