ben/brouter-web
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

Sanitize track name (#312)

Browse source 
to prevent code in GPX getting executed like this:
<name>&lt;img src="xyz" onerror="alert('script executed')"></name>
This commit is contained in:
Norbert Renner 2020-07-14 09:27:57 +02:00
parent dd4eb6c406
commit 9500481df0
3 changed files with 11 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

2
js/plugin/RouteLoaderConverter.js
View file

@ -284,7 +284,7 @@ BR.routeLoader = function(map, layersControl, routing, pois) {
addTrackOverlay: function(geoJSON) {
this._trackLayer = L.geoJSON(geoJSON, BR.Track.getGeoJsonOptions(layersControl)).addTo(map);
layersControl.addOverlay(this._trackLayer, this._layerName);
layersControl.addOverlay(this._trackLayer, BR.Util.sanitizeHTMLContent(this._layerName));
this._bounds = this._trackLayer.getBounds();