[GEOS-11371] Refactor inline JavaScript in the GetMap OpenLayers format #7560
+763
−626
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR moves the inline JavaScript in the WMS GetMap Openlayers output format into an external file. This PR is related to Content-Security-Policy work for GeoServer 2.26.0 and should NOT be backported.
All Java inputs that were previously written directly into the script tag are now written to hidden input fields that the external JavaScript file will read. The previous code had to mix HTML and JavaScript escaping depending on where inputs were being written to but the new code only needs to use HTML escaping.
The GetFeatureInfo output of the OpenLayers2 format was previously handled with an OpenLayers AJAX call and writing the response into the DOM but is now handled by an iframe like the OpenLayers3 output format. The reason for this is that the iframe uses its own CSP which allows the GetFeatureInfo HTML to use a more lenient CSP than the OpenLayers page. For example, the GetFeatureInfo CSP can enable inline scripts even if the OpenLayers page CSP disables inline scripts.
This PR is split into two commits for easier reviewing. The first commit is a straight cut and paste of the script tag into a separate file and the second commit has the actual refactoring. Viewing the details of the second commit with the "Hide whitespace" diff option enabled will make it easier to see what was changed in the JavaScript code.
This PR uses the new webresources path added to gs-main by #7554 which does not affect unit tests but is required if attempting to manually run GeoServer with these changes.
Checklist
main
branch (backports managed later; ignore for branch specific issues).For core and extension modules:
[GEOS-XYZWV] Title of the Jira ticket
.