From 39468c98c0d66e501f455c709d66039db72f8d99 Mon Sep 17 00:00:00 2001
From: Dean <deanhannigan@gmail.com>
Date: Fri, 11 Mar 2022 11:06:05 +0000
Subject: [PATCH] Added html escaping package sanitize-html to prevent
 injection via the map attribution field

---
 .../src/components/app/embedded-map/EmbeddedMap.svelte | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/packages/client/src/components/app/embedded-map/EmbeddedMap.svelte b/packages/client/src/components/app/embedded-map/EmbeddedMap.svelte
index 692735e9a9..b9fb89f8cb 100644
--- a/packages/client/src/components/app/embedded-map/EmbeddedMap.svelte
+++ b/packages/client/src/components/app/embedded-map/EmbeddedMap.svelte
@@ -1,5 +1,6 @@
 <script>
   import L from "leaflet"
+  import sanitizeHtml from 'sanitize-html'
   import "leaflet/dist/leaflet.css"
   import { Helpers } from "@budibase/bbui"
   import { getContext } from "svelte"
@@ -236,8 +237,15 @@
     mapInstance = L.map(embeddedMapId, mapOptions)
     mapMarkerGroup.addTo(mapInstance)
 
+    const cleanAttribution = sanitizeHtml(mapAttribution, {
+      allowedTags: [ 'a' ],
+      allowedAttributes: {
+        'a': [ 'href' ]
+      }
+    });
+
     L.tileLayer(tileURL, {
-      attribution: "&copy; " + mapAttribution || "",
+      attribution: "&copy; " + cleanAttribution,
       zoom: adjustedZoomLevel,
     }).addTo(mapInstance)