MTSR/mapserver
4
0
Fork 1
Code Issues Pull Requests 1 Packages Projects Releases 1 Wiki Activity

add some more XSS mitigations

Browse Source
This commit is contained in:
BuckarooBanzay 2020-04-30 11:31:51 +02:00
parent 32d131318b
commit 211424930c
2 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
static/js/map/overlays/BorderOverlay.js
View File

@ -1,4 +1,5 @@
import AbstractGeoJsonOverlay from './AbstractGeoJsonOverlay.js'; import AbstractGeoJsonOverlay from './AbstractGeoJsonOverlay.js';
import { HtmlSanitizer } from '../../lib/HtmlSanitizer.js';
export default AbstractGeoJsonOverlay.extend({ export default AbstractGeoJsonOverlay.extend({
initialize: function() { initialize: function() {
@ -80,7 +81,7 @@ export default AbstractGeoJsonOverlay.extend({
"properties":{ "properties":{
"name": bordername, "name": bordername,
"color": borderColors[bordername], "color": borderColors[bordername],
"popupContent": "<b>Border (" + bordername + ")</b>" "popupContent": "<b>Border (" + HtmlSanitizer.SanitizeHtml(bordername) + ")</b>"
} }
}; };

3
static/js/map/overlays/LabelOverlay.js
View File

@ -1,4 +1,5 @@
import AbstractIconOverlay from './AbstractIconOverlay.js'; import AbstractIconOverlay from './AbstractIconOverlay.js';
import { HtmlSanitizer } from '../../lib/HtmlSanitizer.js';
export default AbstractIconOverlay.extend({ export default AbstractIconOverlay.extend({
initialize: function() { initialize: function() {
@ -27,7 +28,7 @@ export default AbstractIconOverlay.extend({
fill='${lbl.attributes.color}' fill='${lbl.attributes.color}'
dominant-baseline="central" dominant-baseline="central"
transform="rotate(${lbl.attributes.direction}, 100, 100)"> transform="rotate(${lbl.attributes.direction}, 100, 100)">
${lbl.attributes.text} ${HtmlSanitizer.SanitizeHtml(lbl.attributes.text)}
</text> </text>
</svg> </svg>
`; `;