Support share links on local installs and switch the parameter building to URLSearchParams #150

Merged
merged 1 commit into from
Sep 26, 2021


lart2150
Contributor

  • support local share links
  • use URLSearchParams for parameters so we don't need to worry about injection.

@wiedehopf
Owner

What is this injection stuff you're talking about?

URLSearchParams is encoding a colon i use for some human readable times in the URL, the colons work fine i'd rather not encode them.

@lart2150
Contributor Author

I don't know if there is a real attack vector but if you somehow got a plane icao with the value "abc&a=b" it would inject a=b into the search param or if the value was "abc#" none of the extra parameters would work.

I could switch it to use encodeURIComponent instead of URLSearchParams.
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent

@wiedehopf
Owner

Yeah i don't see how any of this is really an attack vector.
Honestly building the string manually suits me very well as i REALLY like human readable URLs.

The ordering was also specifically selected for example for https://globe.adsbexchange.com/?replay
As well as for https://globe.adsbexchange.com/?icao=ad6df0&lat=40.502&lon=-74.366&zoom=8.0&showTrace=2021-09-26

At least for the somewhat advanced user it should be obvious what it does and how to manipulate it to do what you want.

Can you split out the shareURL stuff and just keep the old boring string building i'm doing?
Or figure out how to keep the colons and the order (in every browser) ... not sure if that's even possible or worth the effort.
If someone gives you a bad link ... someone gives you a bad link, much more dangerous things than creating a broken adsbexchange link.
Icaos don't have = in them, i can guarantee that from the javascript.

Sorry to be insistent about this, it's really a nice cleanup but if it doesn't keep the existing intent of the code i can't use it.
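
Added example (not part of this pull request or the project's code): a sketch of one way to keep parameter order and readable colons while still escaping `&`, `=` and `#` in values, set beside plain concatenation and `URLSearchParams`. The helper names, the `time` parameter and the `example.invalid` host are assumptions made for illustration.

```javascript
// Added illustration; helper names and sample values are constructed.

// Plain concatenation: values are assumed to contain no URL metacharacters.
function buildNaive(base, params) {
  return base + '?' + params.map(([k, v]) => (v === null ? k : k + '=' + v)).join('&');
}

// Percent-encode one component, then restore ':' (allowed unescaped in a
// query string by RFC 3986) so times such as 12:30 stay readable.
function encodeReadable(s) {
  return encodeURIComponent(String(s)).replace(/%3A/g, ':');
}

// Parameters are emitted in array order; a null value gives a bare flag (?replay).
function buildShareUrl(base, params) {
  const query = params
    .map(([k, v]) => (v === null ? encodeReadable(k) : encodeReadable(k) + '=' + encodeReadable(v)))
    .join('&');
  return query ? base + '?' + query : base;
}

// What a receiving page would see after standard URL parsing.
function parseBack(url) {
  const u = new URL(url);
  return { params: [...u.searchParams.entries()], hash: u.hash };
}

// Constructed inputs: the two values from the discussion plus a time with a colon.
function demo() {
  const base = 'https://example.invalid/';
  const ampersand = [['icao', 'abc&a=b'], ['zoom', '8.0'], ['time', '12:30']];
  const hash = [['icao', 'abc#'], ['zoom', '8.0']];
  return {
    naiveAmp: parseBack(buildNaive(base, ampersand)),    // extra "a" parameter appears
    naiveHash: parseBack(buildNaive(base, hash)),        // zoom is lost into the fragment
    safeUrl: buildShareUrl(base, ampersand),
    safeAmp: parseBack(buildShareUrl(base, ampersand)),  // icao round-trips intact
    safeHash: parseBack(buildShareUrl(base, hash)),
    viaUrlSearchParams: new URLSearchParams([['time', '12:30']]).toString(),
  };
}

console.log(demo());
```
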

* use URLSearchParams for parameters so we don't need to worry about injection.
@lart2150
Contributor Author

I get it. I changed it to be much closer to how it originally was.

@wiedehopf wiedehopf merged commit 7a0ceb6 into wiedehopf:master Sep 26, 2021
@wiedehopf
Owner

Also fixed /?replay for non 60 second intervals.
I'd highly recommend something like

                --heatmap 18 \
                --json-trace-interval 20 \

It records nice data for /?replay

@lart2150 lart2150 deleted the local-share-links branch September 26, 2021 20:46