Added html escaping package sanitize-html to prevent injection via the map attribution field
This commit is contained in:
parent
a5efd34184
commit
39468c98c0
|
@ -1,5 +1,6 @@
|
|||
<script>
|
||||
import L from "leaflet"
|
||||
import sanitizeHtml from 'sanitize-html'
|
||||
import "leaflet/dist/leaflet.css"
|
||||
import { Helpers } from "@budibase/bbui"
|
||||
import { getContext } from "svelte"
|
||||
|
@ -236,8 +237,15 @@
|
|||
mapInstance = L.map(embeddedMapId, mapOptions)
|
||||
mapMarkerGroup.addTo(mapInstance)
|
||||
|
||||
const cleanAttribution = sanitizeHtml(mapAttribution, {
|
||||
allowedTags: [ 'a' ],
|
||||
allowedAttributes: {
|
||||
'a': [ 'href' ]
|
||||
}
|
||||
});
|
||||
|
||||
L.tileLayer(tileURL, {
|
||||
attribution: "© " + mapAttribution || "",
|
||||
attribution: "© " + cleanAttribution,
|
||||
zoom: adjustedZoomLevel,
|
||||
}).addTo(mapInstance)
|
||||
|
||||
|
|
Loading…
Reference in New Issue