Protection from Malicious Code

The HTML5 Viewer has a built-in security feature that helps to prevent malicious attacks, in particular cross-site scripting (XSS) attacks. The feature works like this: Before the content loads on the user's device, viewers remove untrustworthy URLs and HTML markup that could execute code when resolved.

In addition, the viewer prompts the user to allow or deny the content at unknown URLs. This protects users from unknowingly loading content that could be malicious. Once a user has allowed or denied content from a particular URL, the viewer remembers the user's choice in the web browser's local storage and does not prompt again for that URL. The user's preferences remain in effect until the user clears their web browser's local storage.

URLs and HTML markup can occur in different contexts. Some common contexts are:

Removal of High-Risk Content

HTML5 viewers remove high-risk URLs and HTML markup. The viewer does not notify end users that content is being removed. Viewers remove the following:

Most HTML elements are allowed, including a, img, iframe, video, and audio elements. Anchor (<a>) tags can contain HTML5 viewer commands, even though commands run code. The code that is run by viewer commands is considered to be trusted.

URL Filtering

To help prevent loading malicious code via URLs, HTML5 viewers filter URLs before resolving them. HTML5 viewers filter URLs as follows:

URLs that are Explicitly Specified in the Site

HTML5 viewers always allow content from URLs that are configured explicitly in the site. This includes the URLs to map services, geocoding and geometry services, feature hyperlinks, layer hyperlinks, and icon URLs. As well, viewers allow any URLs (or parts of URLs) that are explicitly configured in a layer's Feature Label, Feature Description, or Feature Long Description. This is the viewer's way of respecting the administrator's configuration.

The key here is that the configuration must be explicit. Replacement tokens are not considered to be explicit. Viewers allow content up to the last slash before the first replacement token, or if there is no replacement token, up to the last slash. For example:

Content Policy Configuration

You can enable or disable the prompt users receive when asked to allow or deny content from a URL. To configure the security prompt, locate the application object near the top of your viewer configuration files and embed a new object called contentPolicy in it. The contentPolicy object has these configurable properties:

The configured contentPolicy object looks like this:

"application": {
"contentPolicy": {
"disableSecurityPrompt": false,
"disablePromptOnImages": true,
"trustExactUrl": false

"Allow Unsafe Content" Setting

A viewer's Application page in Geocortex Essentials Manager has a checkbox labelled Allow Unsafe Content. The viewer prevents cross-site scripting attacks and filters URLs and markup whether or not this setting is on.

If this checkbox is selected, content from a KML or GeoRSS layer that contains HTML markup within a <description> is interpreted by the viewer. If you want the viewer to display the preformatted markup, clear the checkbox. By default, unsafe content is not allowed.

© 2021 VertiGIS North America Ltd. All Rights Reserved.

Documentation Version 4.14