Added html escaping package sanitize-html to prevent injection via the map attribution field

This commit is contained in:
Dean 2022-03-11 11:06:05 +00:00
parent a5efd34184
commit 39468c98c0
1 changed files with 9 additions and 1 deletions


@ -1,5 +1,6 @@
<script>
import L from "leaflet"
import sanitizeHtml from 'sanitize-html'
import "leaflet/dist/leaflet.css"
import { Helpers } from "@budibase/bbui"
import { getContext } from "svelte"
@ -236,8 +237,15 @@
mapInstance = L.map(embeddedMapId, mapOptions)
mapMarkerGroup.addTo(mapInstance)
const cleanAttribution = sanitizeHtml(mapAttribution, {
allowedTags: [ 'a' ],
allowedAttributes: {
'a': [ 'href' ]
}
});
L.tileLayer(tileURL, {
attribution: "&copy; " + mapAttribution || "",
attribution: "&copy; " + cleanAttribution,
zoom: adjustedZoomLevel,
}).addTo(mapInstance)
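Review bot: With the `|| ""` fallback gone, `"&copy; " + cleanAttribution` now depends on what `sanitizeHtml` returns for an unset `mapAttribution`; current sanitize-html releases return an empty string for null input, but that is worth pinning at the call site with `sanitizeHtml(mapAttribution ?? "", {...})` so the attribution can never render as `&copy; undefined`. The allowlist silently relies on sanitize-html's default `allowedSchemes` (http, https, ftp, mailto, tel) to drop `javascript:` hrefs — a comment such as `// href is limited by sanitize-html's default allowedSchemes; do not widen without re-checking` keeps that dependency visible to whoever next edits the options. Because only `href` is allowed, any `target` on the attribution link is stripped; if it is ever re-allowed it should be paired with `rel="noopener noreferrer"`. The new lines also use single quotes and a trailing semicolon where the surrounding file uses double quotes and none. The enclosing function begins before this hunk.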