add some more XSS mitigations

2020-04-30 11:31:51 +02:00 · 2020-04-30 11:31:51 +02:00 · 211424930c
commit 211424930c
parent 32d131318b
2 changed files with 4 additions and 2 deletions
--- a/static/js/map/overlays/BorderOverlay.js
+++ b/static/js/map/overlays/BorderOverlay.js
@ -1,4 +1,5 @@
 import AbstractGeoJsonOverlay from './AbstractGeoJsonOverlay.js';
+import { HtmlSanitizer } from '../../lib/HtmlSanitizer.js';

 export default AbstractGeoJsonOverlay.extend({
  initialize: function() {
@ -80,7 +81,7 @@ export default AbstractGeoJsonOverlay.extend({
        "properties":{
            "name": bordername,
            "color": borderColors[bordername],
-            "popupContent": "<b>Border (" + bordername + ")</b>"
+            "popupContent": "<b>Border (" + HtmlSanitizer.SanitizeHtml(bordername) + ")</b>"
        }
      };

--- a/static/js/map/overlays/LabelOverlay.js
+++ b/static/js/map/overlays/LabelOverlay.js
@ -1,4 +1,5 @@
 import AbstractIconOverlay from './AbstractIconOverlay.js';
+import { HtmlSanitizer } from '../../lib/HtmlSanitizer.js';

 export default AbstractIconOverlay.extend({
  initialize: function() {
@ -27,7 +28,7 @@ export default AbstractIconOverlay.extend({
          fill='${lbl.attributes.color}'
          dominant-baseline="central"
          transform="rotate(${lbl.attributes.direction}, 100, 100)">
-          ${lbl.attributes.text}
+          ${HtmlSanitizer.SanitizeHtml(lbl.attributes.text)}
        </text>
      </svg>
    `;