HTML Tags are displayed in Map tips
Not sure if this is a known issue or something I did wrong, but the map tips in the HTML5 viewer display the HTML tags from the site file as encoded strings. I found a workaround, but I would need to remove the tags from all of my feature descriptions, and this is not really feasible since I use the same site with a Silverlight viewer, which handles the HTML tags. Also, it does not seem to support the HTML tags at this time; is this correct?
-
Hi Nick,
HTML tags are escaped by default for security reasons. If HTML is rendered from a field that is accessible by end-users, you run the risk of users injecting malicious script code that will be run on other client machines when the Map Tip content is rendered by the browser.
To enable HTML map tips, you can enable the "allowUnsafeContent" setting in configuration. This will cause Map Tips to properly display HTML content. If your Map Tip content contains no fields that are potentially editable by untrusted users, then this is safe to do.
In the future, we may add this option to the Management Pack to make it more accessible. We will also look into solutions for preventing script injection across the board using a robust filtering mechanism, allowing us to enable HTML content by default.
Cheers,
Jason
0 -
Thanks, that is good to know. For the time being I am just using the site for demo purposes, but this will definitely be something we will need to consider before putting these sites on our external environment.
0 -
Hi Jason,
Can you please describe how to do this in more detail? "To enable HTML map tips, you can enable the "allowUnsafeContent" setting in configuration." I can't find a reference to allowUnsafeContent?
Thx!
0 -
The setting can be found in viewer configuration. Viewer configuration is located in the virtual directory of your viewer, inside of the "Resources/Config/Default" sub-folder. There are three config files in that folder: one for desktops, one for tablets, and one for handheld devices. Each config file should have the "allowUnsafeContent" setting under the MapTips module section. This setting was introduced in 1.0 and is not present in the Beta.
0 -
Is this setting available in the 1.1 HTML5 viewer?
0 -
Is this supposed to be working for the 1.3.1 html5 viewer? I have checked the box called "Allow Unsafe Content" and it is still not displaying html formatted maptips. Instead I see the tags <strong>blah blah blah>/strong> and similar.
What am I doing wrong?
0 -
Can you post an example of the markup you are seeing? If the markup is invalid and can't be parsed, you will see the tags.
The "allowUnsafeContent" option has been deprecated. In a nutshell, we've improved the way we handle potentially unsafe content and we leverage the abilities of browsers to escape this content into harmless text. We now handle and display formerly unsafe content just fine.
Also, we've had a report of HTML tags showing up in Firefox, but it's unclear at this point whether the HTML was well-formed or not.
0 -
Sure,
It's a variety of html tags. Just as a test I created a very simple example, which is the image below. The value in the field is exactly what is displayed in the maptip. Thanks.
/customer/servlet/servlet.FileDownload?file=00P6000000elzY4EAI
0 -
Sorry, I was referring to the actual markup you defined as your feature description. It looks like you have created an HTML table and I would like to look at its structure, as perhaps there is an issue with the way we are parsing or loading markup.
0 -
Ok. Yes I'd like to use a table to format the content. That looks like:
<table style="color: rgb(102, 51, 255);" border="0" cellSpacing="20" cellPadding="5">
But I have also tested it without any fancy markup (see below) and it still displays the tags....
Desription: {ProjectDescription}
/customer/servlet/servlet.FileDownload?file=00P6000000elu9BEAQ
0 -
Yep, the html is embedded in the attributes of the layer. I thought the "allowUnsafeContent" checkbox setting in configuration (rest manager) was able to override that restriction. I just read up on it more in the admin guide and I see that it only pertains to GeoRSS feeds:
allowUnsafeContent: When this property is set to true, content from a GeoRSS feed that contains HTML markup is interpreted by the viewer. If you want the viewer to display the actual markup rather than what it represents, set allowUnsafeContent to false. The default value is false. If you have not added any GeoRSS layers to your site, this property has no effect.
I understand why the software does this sanitization. In my case, I have a small group of trusted users who have access to edit the data, so there is little to no risk of a malicious injection. But if I'm understanding correctly, there is no way to override this behaviour?
Thanks for your help with this, by the way.
0 -
You're very welcome!
There is currently no way to override this behaviour, although perhaps it is something we could consider.
If you're interested in having your users author rich content, then you may wish to create your own type of Map Tips. This would involve creating a custom module that displays map tips for certain layers. The pop-up map tip bubble is actually quite extensible and, with a little bit of custom coding, you can host your own content in there, including custom unescaped HTML, images, videos, etc. Let me know if this is an option for you, and I can point you in the right direction.
0 -
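An added example, not part of the original thread or of the viewer's code: it shows the escape-by-default behaviour explained earlier in the thread, and one way a custom map tip view could permit limited formatting instead of rendering raw field HTML. The function names, the tag allowlist and the sample feature are assumptions made for illustration.

```javascript
// Added example; escapeHtml, restoreAllowedTags, renderMapTip and ALLOWED_TAGS
// are hypothetical names, not part of the viewer's API.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Turn every HTML metacharacter into an entity so browsers show it as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Formatting tags that may be re-enabled in "rich" fields (assumed list).
const ALLOWED_TAGS = ["b", "strong", "i", "em", "br", "p", "ul", "ol", "li"];

// Works on already-escaped text: only exact, attribute-free forms such as
// <strong>, </strong> or <br/> become markup again. A tag with any attribute
// (onerror=, style=, href=) or a tag not on the list stays inert text.
function restoreAllowedTags(escaped) {
  const bare = new RegExp(`&lt;(/?)(${ALLOWED_TAGS.join("|")})\\s*(/?)&gt;`, "gi");
  return escaped.replace(bare, (_match, close, tag, selfClose) =>
    `<${close}${tag.toLowerCase()}${close ? "" : selfClose}>`);
}

// template: markup written by the site administrator (trusted).
// attributes: feature attribute values (untrusted, possibly user-edited).
// richFields: fields allowed to carry the formatting tags listed above.
function renderMapTip(template, attributes, richFields = []) {
  return template.replace(/\{(\w+)\}/g, (token, field) => {
    if (!Object.prototype.hasOwnProperty.call(attributes, field)) return token;
    const escaped = escapeHtml(attributes[field]);
    return richFields.includes(field) ? restoreAllowedTags(escaped) : escaped;
  });
}

// Constructed sample data; {ProjectDescription} is the token from the thread.
const template = "<p>Description: {ProjectDescription}</p><p>Owner: {Owner}</p>";
const feature = {
  ProjectDescription: '<strong>Bridge repair</strong><img src=x onerror="alert(1)">',
  Owner: "<b>Public Works</b>",
};

function demo() {
  return renderMapTip(template, feature, ["ProjectDescription"]);
}
console.log(demo());
```

Because the allowlist is applied after escaping, a field value that already contains entity text such as `&lt;b&gt;` is never promoted to markup.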
I am interested in the custom popup concept. Thanks.
0 -
The first thing you will want to do is get a custom library set up for development. The QuickStart that ships with the viewer demonstrates such a setup. I would grab the 1.3.1 QuickStart and get it up and running. If you're using Visual Studio, it's best to create your solution and projects and then copy QuickStart folders into it. I typically create a project called "Custom" and a project called "Web" and then copy the QuickStart goods into these folders. I also set up a post-build step to run the batch file that is included in the QuickStart. This builds the custom library and copies it into the Web folder.
Creating a custom map tip provider involves creating a custom command, which is covered in the SDK Samples that ship with the viewer. Once your custom command is created, you can map results to it via the Results module. If you look in configuration, there is a "resultMappings" object that dictates the relationship between sources of features, and the commands used to present them. By default, you'll see that features from the "MapTip" source are mapped to the command "ShowMapTipResults". Replacing this command name with your own will allow you to display the resulting features however you choose.
There are a few details around working with feature sets that are probably best explained in code. I will post some sample code once I get a chance. Hope this helps!
0 -
Thanks for the info. I'll try this when I have a chance.
0 -
Hi Zorba,
I've created a sample application that demonstrates custom map tip content and behaviour. You can download it here: https://support.geocortex.com/Data/Sites/1/userfiles/1749/custommaptips.zip
This little sample application is based on the 1.3.1 QuickStart that ships with the viewer. I've adapted the template module sample and added a custom map tip view.
As mentioned before, the key to this is using "resultMappings" to point to a custom command. The custom command has a bunch of code to grab the first feature from the MapTip query operation and bind it into a view that renders custom HTML content.
Hope this helps!
Cheers,
Jason
0 -
Hi Jason,
I have tried your sample code in v2.3.3 with the QuickStart code. It seems like new geocortex.essentialsHtmlViewer.mapping.infrastructure.ShowMapElementArgs(calloutId, mapPoint, this._customMapTipView.root) is no longer supported. I am trying to do my own map tip and I am stuck at the point where I want to call ShowMapElementArgs. It says the property of 'ShowMapElementArgs' does not exist on value of type 'typeof geocortex.essentialsHtmlViewer.mapping.infrastructure'. Is there another alternative way to do the same thing? Please help. Thanks,
0 -
Hi Arno,
The correct type for the command argument is geocortex.essentialsHtmlViewer.mapping.infrastructure.commandArgs.ShowMapElementArgs
Hope this helps,
--Alejandro
0 -
Hi Jason, 0 -
Hello Sravan, 0