Added html escaping package sanitize-html to prevent injection via the map attribution field

2024-08-15 01:51:33 +12:00 · 2022-03-11 11:06:05 +00:00 · 2022-03-11 11:06:05 +00:00 · 39468c98c0
commit 39468c98c0
parent a5efd34184
1 changed files with 9 additions and 1 deletions
--- a/packages/client/src/components/app/embedded-map/EmbeddedMap.svelte
+++ b/packages/client/src/components/app/embedded-map/EmbeddedMap.svelte
@ -1,5 +1,6 @@
 <script>
  import L from "leaflet"
+  import sanitizeHtml from 'sanitize-html'
  import "leaflet/dist/leaflet.css"
  import { Helpers } from "@budibase/bbui"
  import { getContext } from "svelte"
@ -236,8 +237,15 @@
    mapInstance = L.map(embeddedMapId, mapOptions)
    mapMarkerGroup.addTo(mapInstance)

+    const cleanAttribution = sanitizeHtml(mapAttribution, {
+      allowedTags: [ 'a' ],
+      allowedAttributes: {
+        'a': [ 'href' ]
+      }
+    });
+
    L.tileLayer(tileURL, {
-      attribution: "&copy; " + mapAttribution || "",
+      attribution: "&copy; " + cleanAttribution,
      zoom: adjustedZoomLevel,
    }).addTo(mapInstance)