Added html escaping package sanitize-html to prevent injection via the map attribution field
This commit is contained in:
parent
a5efd34184
commit
39468c98c0
|
@ -1,5 +1,6 @@
|
||||||
<script>
|
<script>
|
||||||
import L from "leaflet"
|
import L from "leaflet"
|
||||||
|
import sanitizeHtml from 'sanitize-html'
|
||||||
import "leaflet/dist/leaflet.css"
|
import "leaflet/dist/leaflet.css"
|
||||||
import { Helpers } from "@budibase/bbui"
|
import { Helpers } from "@budibase/bbui"
|
||||||
import { getContext } from "svelte"
|
import { getContext } from "svelte"
|
||||||
|
@ -236,8 +237,15 @@
|
||||||
mapInstance = L.map(embeddedMapId, mapOptions)
|
mapInstance = L.map(embeddedMapId, mapOptions)
|
||||||
mapMarkerGroup.addTo(mapInstance)
|
mapMarkerGroup.addTo(mapInstance)
|
||||||
|
|
||||||
|
const cleanAttribution = sanitizeHtml(mapAttribution, {
|
||||||
|
allowedTags: [ 'a' ],
|
||||||
|
allowedAttributes: {
|
||||||
|
'a': [ 'href' ]
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
L.tileLayer(tileURL, {
|
L.tileLayer(tileURL, {
|
||||||
attribution: "© " + mapAttribution || "",
|
attribution: "© " + cleanAttribution,
|
||||||
zoom: adjustedZoomLevel,
|
zoom: adjustedZoomLevel,
|
||||||
}).addTo(mapInstance)
|
}).addTo(mapInstance)
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue