
Copilot AI commented Oct 6, 2025

Overview

This PR adds a complete security analysis identifying XSS (Cross-Site Scripting) vulnerabilities in TypeScript files across the repository. The analysis found 15 files using innerHTML, with 7 files (46.7%) containing critical vulnerabilities where unsanitized dynamic data is inserted into the DOM.

What's Included

Three comprehensive documentation files have been added to help the team understand and remediate these security issues:

📄 XSS_VULNERABILITY_ANALYSIS.md

A detailed technical report (13KB) containing:

  • Executive summary of all findings
  • Line-by-line analysis of each vulnerable file with code examples
  • Specific attack vectors demonstrating how each vulnerability could be exploited
  • Risk assessments (Critical, Medium, Safe)
  • Refactoring recommendations with safe alternative patterns
  • Testing guidelines and best practices

📄 XSS_FINDINGS_SUMMARY.md

A quick reference guide (4.2KB) for developers:

  • Categorized list of all vulnerable files
  • Before/After code comparisons showing unsafe vs. safe patterns
  • Priority order for fixes (Highest → High → Medium → Low)
  • Quick fix guide with working examples

📊 XSS_FINDINGS.csv

A tracking spreadsheet (3KB) for project management:

  • Columns: File, Line(s), Risk Level, Vulnerability Type, Vulnerable Data, Fix Priority, Notes
  • Can be imported into issue trackers or spreadsheet tools

Key Findings

🔴 Critical Vulnerabilities (7 files)

These files use innerHTML with dynamic data that could contain malicious content:

Highest Priority (User-Controlled Data):

  • samples/deckgl-kml/index.ts (Line 132) - KML files can be user-uploaded; description field commonly contains HTML
  • samples/deckgl-kml-updated/index.ts (Line 156) - Same KML vulnerability

High Priority (External Data Sources):

  • samples/deckgl-heatmap/index.ts (Line 100) - External CSV/JSON data displayed in tooltips
  • samples/deckgl-polygon/index.ts (Line 110) - Similar external data vulnerability

Medium Priority (API Data):

  • samples/advanced-markers-html/index.ts (Line 48) - Property data (type, price, address) inserted without escaping
  • samples/3d-places/index.ts (Lines 29, 30, 34) - Places API data concatenated into HTML using += in a loop
  • samples/advanced-markers-graphics/index.ts (Line 93) - Font Awesome icon (currently hardcoded but establishes unsafe pattern)

Example Vulnerability

In samples/advanced-markers-html/index.ts:

// ❌ UNSAFE - XSS vulnerability
content.innerHTML = `
  <div class="price">${property.price}</div>
  <div class="address">${property.address}</div>
`;

If property.address contains <img src=x onerror="alert('XSS')">, malicious JavaScript will execute.

Recommended Safe Pattern

// ✅ SAFE - No XSS risk
const priceDiv = document.createElement('div');
priceDiv.className = 'price';
priceDiv.textContent = property.price;

const addressDiv = document.createElement('div');
addressDiv.className = 'address';
addressDiv.textContent = property.address;

content.appendChild(priceDiv);
content.appendChild(addressDiv);

Why This Matters

While these are sample/demo files, they serve as learning resources that developers copy into production applications. Vulnerable patterns in samples can propagate to real-world code, creating security risks. The highest-priority vulnerabilities involve user-uploaded KML files, which are a well-known XSS vector in mapping applications.

Category Analysis

Sample Category         Critical   Medium   Safe   Total
Deck.gl Samples             4         0       0    4 (100% vulnerable)
React UI Kit Samples        0         4       4    8 (50% medium risk)
Marker Samples              2         1       0    3 (67% vulnerable)

Next Steps

The documentation provides everything needed to remediate these issues:

  1. Review XSS_VULNERABILITY_ANALYSIS.md for detailed findings
  2. Prioritize fixes based on data source: KML files → External data → API data → Static content
  3. Use XSS_FINDINGS.csv to track remediation progress
  4. Consider adding ESLint rules to prevent future innerHTML usage with dynamic data
  5. Add developer guidelines about safe DOM manipulation patterns

No Code Changes

This PR intentionally contains no code changes - only documentation. This allows the team to:

  • Review findings without risk
  • Plan remediation strategy
  • Decide which samples to fix and in what order
  • Use as a security audit artifact

All files have been committed to the repository root for easy access.

Original prompt

Please find me any .ts files that contain XSS unsafe DOM (concatenating HTML instead of using textContent, etc)
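
The following is an added example, not code from this PR or from the samples repository: a small line-based TypeScript scanner for the pattern the prompt asks about (innerHTML/outerHTML assignments fed with template-literal interpolation, string concatenation, or a non-literal expression). The sample source it scans is constructed inline to mirror the unsafe and safe snippets above; the file names, the `Finding` type and the `scan`/`classify` functions are assumptions for the example, and the classification is a heuristic that produces candidates for review, not a parser-based proof.

```typescript
// Added example (not part of the PR): heuristic scan for innerHTML sinks
// that receive dynamic data. Line-based, so it reports candidates for review.

interface Finding {
  line: number;                          // 1-based line of the sink assignment
  kind: "critical" | "review" | "safe";  // heuristic severity
  reason: string;
}

// `<expr>.innerHTML =` or `+=` (outerHTML is the same sink)
const SINK_RE = /\.(innerHTML|outerHTML)\s*(\+?=)\s*([\s\S]*)$/;

function countBackticks(s: string): number {
  return (s.match(/`/g) ?? []).length;
}

// Classify the right-hand side of a sink assignment.
function classify(rhs: string, op: "=" | "+="): Pick<Finding, "kind" | "reason"> {
  const expr = rhs.trim().replace(/;\s*$/, "");
  if (/\$\{/.test(expr)) {
    return { kind: "critical", reason: "template literal interpolates dynamic data into markup" };
  }
  // a quoted literal joined to something else with `+`
  if (/["'`]\s*\+|\+\s*["'`]/.test(expr)) {
    return { kind: "critical", reason: "string concatenation builds markup from dynamic data" };
  }
  const isStaticLiteral =
    /^(["'])(?:\\.|(?!\1).)*\1$/.test(expr) || /^`[^`]*`$/.test(expr);
  if (isStaticLiteral) {
    return op === "+="
      ? { kind: "review", reason: "accumulates markup with +=; check every contributing value" }
      : { kind: "safe", reason: "static string literal, no dynamic data" };
  }
  return { kind: "review", reason: "non-literal expression assigned to an HTML sink" };
}

// Scan source text; a template literal may span several lines, so keep
// reading while the backticks in the collected right-hand side are unbalanced.
function scan(source: string): Finding[] {
  const lines = source.split("\n");
  const findings: Finding[] = [];
  for (let i = 0; i < lines.length; i++) {
    const m = SINK_RE.exec(lines[i]);
    if (!m) continue;
    const op = m[2] as "=" | "+=";
    let rhs = m[3];
    let j = i;
    while (countBackticks(rhs) % 2 === 1 && j + 1 < lines.length) {
      j++;
      rhs += "\n" + lines[j];
    }
    findings.push({ line: i + 1, ...classify(rhs, op) });
    i = j; // skip the lines consumed by the multi-line literal
  }
  return findings;
}

// Constructed sample input mirroring the unsafe and safe patterns discussed above.
const SAMPLE_SOURCE = [
  "content.innerHTML = `",                                   // line 1: multi-line template
  "  <div class=\"price\">${property.price}</div>",
  "  <div class=\"address\">${property.address}</div>",
  "`;",
  "tooltip.innerHTML = '<b>' + d.name + '</b>';",            // line 5: concatenation
  "list.innerHTML += '<li>' + place.displayName + '</li>';", // line 6: += in a loop
  "banner.innerHTML = '<p>Loading</p>';",                    // line 7: static literal
  "preview.innerHTML = escapeHtml(userText);",               // line 8: needs human review
  "el.textContent = property.address;",                      // line 9: not a sink
].join("\n");

for (const f of scan(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.kind} - ${f.reason}`);
}
```

The scanner deliberately errs toward reporting: a call such as `escapeHtml(...)` is flagged for review rather than trusted, because whether it is safe depends on what the helper does, which a line-based check cannot know. A lint rule in a real project would start from an AST (for example the ESLint rule suggested in the next steps) rather than from regular expressions, but the three categories this example separates are the ones the findings above use.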



google-cla bot commented Oct 6, 2025

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

Copilot AI and others added 2 commits October 6, 2025 19:44
Co-authored-by: willum070 <2319656+willum070@users.noreply.github.com>
Co-authored-by: willum070 <2319656+willum070@users.noreply.github.com>
Copilot AI changed the title [WIP] Please find me any .ts files that contain XSS unsafe DOM (concatenating HTML instead of using textContent, etc) Add comprehensive XSS vulnerability analysis for TypeScript files Oct 6, 2025
Copilot AI requested a review from willum070 October 6, 2025 19:47
Copilot finished work on behalf of willum070 October 6, 2025 19:47