
HTML Tags are displayed in Map tips

Comments

20 comments

  • Permanently deleted user

    Hi Nick,

    HTML tags are escaped by default for security reasons. If HTML is rendered from a field that is accessible by end-users, you run the risk of users injecting malicious script code that will be run on other client machines when the Map Tip content is rendered by the browser.

    To enable HTML map tips, you can enable the "allowUnsafeContent" setting in configuration. This will cause Map Tips to properly display HTML content. If your Map Tip content contains no fields that are potentially editable by untrusted users, then this is safe to do.

    In the future, we may add this option to the Management Pack to make it more accessible. We will also look into solutions for preventing script injection across the board using a robust filtering mechanism, allowing us to enable HTML content by default.

     

    Cheers,

    Jason

    0
  • Permanently deleted user

    Thanks, that is good to know. For the time being I am just using the site for demo purposes, but this will definitely be something we will need to consider before putting these sites on our external environment.

    0
  • Dan Griffin

    Hi Jason,

    Can you please describe how to do this in more detail?  "To enable HTML map tips, you can enable the "allowUnsafeContent" setting in configuration."  I can't find a reference to allowUnsafeContent?

    Thx!

     

    0
  • Permanently deleted user

    The setting can be found in viewer configuration. Viewer configuration is located in the virtual directory of your viewer, inside of the "Resources/Config/Default" sub-folder. There are three config files in that folder: one for desktops, one for tablets, and one for handheld devices. Each config file should have the "allowUnsafeContent" setting under the MapTips module section. This setting was introduced in 1.0 and is not present in the Beta.

    0
  • Permanently deleted user

    Is this setting available in the 1.1 html5 viewer ?

    0
  • Permanently deleted user

    Is this supposed to be working for the 1.3.1 html5 viewer? I have checked the box called "Allow Unsafe Content" and it is still not displaying html formatted maptips. Instead I see the tags <strong>blah blah blah>/strong> and similar.

    What am I doing wrong?

     

    0
  • Permanently deleted user

    Can you post an example of the markup you are seeing? If the markup is invalid and can't be parsed, you will see the tags.

    The "allowUnsafeContent" option has been deprecated. In a nutshell, we've improved the way we handle potentially unsafe content and we leverage the abilities of browsers to escape this content into harmless text. We now handle and display formerly unsafe content just fine.

    Also, we've had a report of HTML tags showing up in Firefox, but it's unclear at this point whether the HTML was well-formed or not.

    0
  • Permanently deleted user

    Sure,

    It's a variety of html tags. Just as a test I created a very simple example, which is the image below. The value in the field is exactly what is displayed in the maptip. Thanks.

    [Attached image]

    0
  • Permanently deleted user

    Sorry, I was referring to the actual markup you defined as your feature description. It looks like you have created an HTML table and I would like to look at its structure, as perhaps there is an issue with the way we are parsing or loading markup.

    0
  • Permanently deleted user

    Ok. Yes I'd like to use a table to format the content. That looks like:

    <table style="color: rgb(102, 51, 255);" border="0" cellSpacing="20" cellPadding="5">
    <tbody><tr>
    <td style="color: rgb(102, 102, 102);"><strong>Project Name:</strong></td>
    <td>&nbsp;&nbsp;</td>
    <td>{ProjectName}</td>
    </tr>
    <tr height="2"></tr>
    <tr>
    <td style="color: rgb(102, 102, 102);"><strong>Project Phase:</strong></td>
    <td>&nbsp;&nbsp;</td>
    <td>{ProjectPhase}</td>
    </tr>
    <tr height="2"></tr>
    <tr>
    <td style="color: rgb(102, 102, 102);"><strong>Description:</strong></td>
    <td>&nbsp;&nbsp;</td>
    <td>{ProjectDescription}</td>
    </tr>
    <tr height="2"></tr>
    <tr><td style="color: rgb(102, 102, 102);"><strong>Department:</strong></td>
    <td>&nbsp;&nbsp;</td>
    <td>{Department}</td>
    </tr>
    <tr height="2"></tr>
    <tr><td style="color: rgb(102, 102, 102);"><strong>Cost Estimate:</strong></td>
    <td>&nbsp;&nbsp;</td>
    <td>{ProjectCostEstimate}</td>
    </tr>
    <tr height="2"></tr>
    <tr><td style="color: rgb(102, 102, 102);"><strong>Project Manager:</strong></td>
    <td>&nbsp;&nbsp;</td>
    <td>{ProjectManager} \ 425-452-{PMPhoneNumber} \ {PMEMail}</td>
    </tr>
    <tr height="2"></tr>
    <tr><td style="color: rgb(102, 102, 102);"><strong>Start Date:</strong></td>
    <td>&nbsp;&nbsp;</td>
    <td>{ProjectStartGeneral}</td>
    </tr>
    <tr height="2"></tr>
    <tr><td style="color: rgb(102, 102, 102);"><strong>End Date:</strong></td>
    <td>&nbsp;&nbsp;</td>
    <td>{ProjectEndGeneral}</td>
    </tr>
    </tbody></table>
    <br/>
    <p><a href="http://vcobigists03/Geocortex/Essentials/RestManager/Layers/%7BProjectLink%7D"><font color="#3333ff" size="3">More Info</font></a></p><p><font color="#6633ff"></font>&nbsp;</p><p><font color="#6633ff"></font>&nbsp;</p>

    But I have also tested it without any fancy markup (see below) and it still displays the tags....

    Desription: {ProjectDescription}

    [Attached image]

    0
  • Permanently deleted user

    Yep, the html is embedded in the attributes of the layer. I thought the "allowUnsafeContent" checkbox setting in configuration (rest manager) was able to override that restriction. I just read up on it more in the admin guide and I see that it only pertains to GeoRSS feeds:

    allowUnsafeContent: When this property is set to true, content from a GeoRSS feed that contains HTML markup is interpreted by the viewer. If you want the viewer to display the actual markup rather than what it represents, set allowUnsafeContent to false. The default value is false. If you have not added any GeoRSS layers to your site, this property has no effect.

    I understand why the software does this sanitization. In my case, I have a small group of trusted users who have access to edit the data, so there is little to no risk of a malicious injection. But if I'm understanding correctly, there is no way to override this behaviour?

    Thanks for your help with this, by the way.

    0
  • Permanently deleted user

    You're very welcome!

    There is currently no way to override this behaviour, although perhaps it is something we could consider.

    If you're interested in having your users author rich content then you may wish to create your own type of Map Tips. This would involve creating a custom module that displays map tips for certain layers. The pop up map tip bubble is actually quite extensible and with a little bit of custom coding, you can host your own content in there - including custom unescaped HTML, images, videos, etc. Let me know if this is an option for you, and I can point you in the right direction.

    0
  • Permanently deleted user

    I am interested in the custom popup concept. Thanks.

    0
  • Permanently deleted user

    The first thing you will want to do is get a custom library set up for development. The QuickStart that ships with the viewer demonstrates such a setup. I would grab the 1.3.1 QuickStart and get it up and running. If you're using Visual Studio, it's best to create your solution and projects and then copy QuickStart folders into it. I typically create a project called "Custom" and a project called "Web" and then copy the QuickStart goods into these folders. I also set up a post-build step to run the batch file that is included in the QuickStart. This builds the custom library and copies it into the Web folder.

    Creating a custom map tip provider involves creating a custom command, which is covered in the SDK Samples that ship with the viewer. Once your custom command is created, you can map results to it via the Results module. If you look in configuration, there is a "resultMappings" object that dictates the relationship between sources of features, and the commands used to present them. By default, you'll see that features from the "MapTip" source are mapped to the command "ShowMapTipResults". Replacing this command name with your own will allow you to display the resulting features however you choose.

    There are a few details around working with feature sets that are probably best explained in code. I will post some sample code once I get a chance. Hope this helps!

    0
  • Permanently deleted user

    Thanks for the info. I'll try this when I have a chance.

    0
  • Permanently deleted user

    Hi Zorba,

    I've created a sample application that demonstrates custom map tip content and behaviour. You can download it here: https://support.geocortex.com/Data/Sites/1/userfiles/1749/custommaptips.zip

    This little sample application is based on the 1.3.1 QuickStart that ships with the viewer. I've adapted the template module sample and added a custom map tip view.

    As mentioned before, the key to this is using "resultMappings" to point to a custom command. The custom command has a bunch of code to grab the first feature from the MapTip query operation and bind it into a view that renders custom HTML content.

    Hope this helps!

     

    Cheers,

    Jason

    0
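A custom map tip view that renders HTML, as described in the reply above, brings back the script-injection risk from the first reply unless attribute values are escaped before they are placed in the markup. The following is an added example, not part of the sample application or any Geocortex code: `escapeHtml` and `renderMapTip` are hypothetical names, the template and feature are constructed, and treating a `%7BField%7D` token (the form seen in the href posted earlier in the thread) as a URL path segment is an assumption.

```javascript
// Added example; not Geocortex code. All function names are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Turn an attribute value into inert text, safe as element content
// or inside a quoted HTML attribute.
function escapeHtml(value) {
  const text = value == null ? '' : String(value);
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Fill a trusted, administrator-authored template with untrusted attribute values.
//   {Field}      -> HTML-escaped text
//   %7BField%7D  -> percent-encoded URL path segment, then HTML-escaped
// A single regex pass is used so that a value which itself contains
// "{OtherField}" is never expanded a second time.
function renderMapTip(template, attributes) {
  const has = (f) => Object.prototype.hasOwnProperty.call(attributes, f);
  return template.replace(/\{(\w+)\}|%7B(\w+)%7D/gi, (token, textField, urlField) => {
    const field = textField || urlField;
    if (!has(field) || attributes[field] == null) return ''; // unknown or empty: render nothing
    if (urlField) {
      try {
        return escapeHtml(encodeURIComponent(String(attributes[field])));
      } catch (e) {
        return ''; // encodeURIComponent throws on malformed UTF-16
      }
    }
    return escapeHtml(attributes[field]);
  });
}

// Constructed sample: the markup is trusted, the field values are not.
const SAMPLE_TEMPLATE =
  '<table><tr><td><strong>Project Name:</strong></td><td>{ProjectName}</td></tr></table>' +
  '<p><a href="http://gis.example/Layers/%7BProjectLink%7D">More Info</a></p>';
const SAMPLE_FEATURE = {
  ProjectName: '<img src=x onerror=alert(1)>',
  ProjectLink: '12"><script>',
};

function demo() {
  return renderMapTip(SAMPLE_TEMPLATE, SAMPLE_FEATURE);
}

console.log(demo());
```

This covers values placed in element text and in a URL path segment only; a token placed inside a `style` attribute or a script block would need its own encoding.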
  • Permanently deleted user

    Hi Jason,

    I have tried your sample code in v2.3.3 with the quick start code. It seems like new geocortex.essentialsHtmlViewer.mapping.infrastructure.ShowMapElementArgs(calloutId, mapPoint, this._customMapTipView.root) is no longer supported. I am trying to do my own map tip and I am stuck at the point where I want to call ShowMapElementArgs. It says the property of 'ShowMapElementArgs' does not exist on value of type 'typeof geocortex.essentialsHtmlViewer.mapping.infrastructure'. Is there any other alternative way to do the same thing? Please help. Thanks,

        // Pass the view's root (its main DOM element) as the content of the map element we wish to display.
        var args = new geocortex.essentialsHtmlViewer.mapping.infrastructure.ShowMapElementArgs(calloutId, mapPoint, this._customMapTipView.root);

    0
  • Permanently deleted user

    Hi Arno,

    The correct type for the command argument is geocortex.essentialsHtmlViewer.mapping.infrastructure.commandArgs.ShowMapElementArgs

    Hope this helps,

    --Alejandro

    0
  • Permanently deleted user
    Hi Jason,

     

    Looks like link to the Maptip sample zip is broken. Please provide the download link for the sample code.

     

    Thanks,

     

    S
    0
  • Permanently deleted user
    Hello Sravan,

     

    The download is available here: http://data.latitudegeo.com/support/GSC/custommaptips.zip

     

    Thanks,

     

    Pandora
    0
