Summary
There is a DOM XSS in InfoBox description rendering.
`groundStations` is deserialized from the `gs` query parameter, and the optional `name` field is inserted into HTML templates without escaping.
That HTML is then rendered by Cesium InfoBox using `innerHTML` inside the InfoBox iframe.
In this project, the InfoBox iframe sandbox is explicitly relaxed to include `allow-scripts`, which makes script execution from injected HTML practical.
Affected Code
- `src/stores/sat.js`
- `groundStations` URL sync deserializer reads untrusted `gs` name (`g[2]`) directly.
- `src/modules/CesiumController.js`
- `setGroundStations(...)` forwards untrusted `gs.name` into ground station entities.
- `styleInfoBox()` sets iframe sandbox to `allow-same-origin allow-popups allow-forms allow-scripts`.
- `src/modules/util/DescriptionHelper.js`
- `renderGroundstationDescription()` inserts `${name}` into HTML without escaping.
- `renderSatelliteDescription()` and `renderPass()` also interpolate unescaped text into HTML.
- `renderPass()` uses inline `onclick` with interpolated JSON.
Realistic Trigger Conditions
- Victim opens a crafted URL containing a malicious `gs` parameter.
- Victim clicks the ground-station marker so the InfoBox is rendered.
- Then injected HTML/JS executes in the app origin context.
Note: `lat=0` or `lon=0` is filtered in current code (`if (!gs.lat || !gs.lon) return;`), so PoCs should use non-zero coordinates.
Reproduction
- Start the app (e.g. local dev server).
- Open a crafted URL, e.g.:
/?gs=48.1371,11.5754,%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E
- Click the injected ground station marker on the globe.
- Observe JavaScript execution from the injected payload.
Expected vs Actual
- Expected: Untrusted values from URL and TLE-derived display fields are encoded/sanitized before insertion, and InfoBox rendering does not allow script execution from attacker-controlled input.
- Actual: Untrusted values are interpolated into HTML directly and rendered via `innerHTML` in an iframe that allows scripts.
Impact
- Arbitrary JavaScript execution in the satvis origin context (client-side).
- Frontend state manipulation (e.g. via exposed `window.cc` APIs, time/view changes).
- Access to same-origin readable browser data (e.g. localStorage, non-HttpOnly cookies).
- Potential chaining with other client-side issues.
Suggested Remediation
- HTML-escape all untrusted interpolations in `DescriptionHelper` (name, pass name, etc.).
- Remove inline event handlers (`onclick=...`), and bind events programmatically.
- Validate/sanitize `gs` input (especially `name`) at deserialization.
- Keep InfoBox sandbox restrictive; remove `allow-scripts` if possible.
- Add regression tests for payloads like `<img onerror=...>` and quote-breaking attribute payloads.
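As an added illustration of the first three remediation points (example code written for this report, not the satvis project's own `DescriptionHelper` or store code), the following shows the unsafe interpolation shape beside an escaped template that replaces the inline handler with a data attribute, plus a defensive parser for one `gs` value. Function names, the template markup, and the name allow-list are assumptions.

```javascript
// Added example (not satvis project code): HTML-escaping for InfoBox
// description templates and a defensive deserializer for the `gs` URL
// parameter. Function names and the exact template are assumptions.

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Vulnerable shape described in the report: raw interpolation of `name`.
function renderGroundstationDescriptionUnsafe(gs) {
  return `<div class="ib"><h3>${gs.name}</h3><p>${gs.lat}, ${gs.lon}</p></div>`;
}

// Hardened form: every untrusted value passes through escapeHtml, and the
// element that used to carry an inline onclick gets a data attribute instead,
// so the event can be bound programmatically (addEventListener) in the iframe.
function renderGroundstationDescription(gs) {
  const name = escapeHtml(gs.name ?? "Ground station");
  return `<div class="ib"><h3>${name}</h3>` +
    `<p>${escapeHtml(gs.lat)}, ${escapeHtml(gs.lon)}</p>` +
    `<button class="ib-action" data-gs-name="${name}">Select</button></div>`;
}

// Parse one `gs` value ("lat,lon[,name]") defensively: finite coordinates in
// range, and a name limited to a short allow-list of characters (assumed
// policy); anything else drops the name rather than carrying it into HTML.
function deserializeGroundStation(param) {
  const parts = String(param).split(",");
  if (parts.length < 2) return null;
  const lat = Number(parts[0]);
  const lon = Number(parts[1]);
  if (!Number.isFinite(lat) || !Number.isFinite(lon)) return null;
  if (Math.abs(lat) > 90 || Math.abs(lon) > 180) return null;
  const rawName = parts.slice(2).join(",").trim();
  const name = /^[\w .\-]{1,64}$/.test(rawName) ? rawName : undefined;
  return { lat, lon, name };
}
```

The regression checks in the report's last bullet map directly onto these functions: feed the `<img onerror=...>` payload and a quote-breaking name through `renderGroundstationDescription` and assert no raw `<` or unescaped `"` survives.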