Added html escaping package sanitize-html to prevent injection via the map attribution field

This commit is contained in:
Dean 2022-03-11 11:06:05 +00:00
parent 50fb9e30a0
commit 60dd9b704e
1 changed files with 9 additions and 1 deletions


@ -1,5 +1,6 @@
<script> <script>
import L from "leaflet" import L from "leaflet"
import sanitizeHtml from 'sanitize-html'
import "leaflet/dist/leaflet.css" import "leaflet/dist/leaflet.css"
import { Helpers } from "@budibase/bbui" import { Helpers } from "@budibase/bbui"
import { getContext } from "svelte" import { getContext } from "svelte"
@ -236,8 +237,15 @@
mapInstance = L.map(embeddedMapId, mapOptions) mapInstance = L.map(embeddedMapId, mapOptions)
mapMarkerGroup.addTo(mapInstance) mapMarkerGroup.addTo(mapInstance)
const cleanAttribution = sanitizeHtml(mapAttribution, {
allowedTags: [ 'a' ],
allowedAttributes: {
'a': [ 'href' ]
}
});
L.tileLayer(tileURL, { L.tileLayer(tileURL, {
attribution: "&copy; " + mapAttribution || "", attribution: "&copy; " + cleanAttribution,
zoom: adjustedZoomLevel, zoom: adjustedZoomLevel,
}).addTo(mapInstance) }).addTo(mapInstance)