ben/brouter-web
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

Sanitize track name (#312)

Browse source 
to prevent code in GPX getting executed like this:
<name>&lt;img src="xyz" onerror="alert('script executed')"></name>
This commit is contained in:
Norbert Renner 2020-07-14 09:27:57 +02:00
parent dd4eb6c406
commit 9500481df0
3 changed files with 11 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

9
js/Util.js
View file

@ -97,5 +97,14 @@ BR.Util = {
} }
return true; return true;
},
// this method must only be used to sanitize for textContent.
// do NOT use it to sanitize any attribute,
// see https://web.archive.org/web/20121208091505/http://benv.ca/2012/10/4/you-are-probably-misusing-DOM-text-methods/
sanitizeHTMLContent: function(str) {
var temp = document.createElement('div');
temp.textContent = str;
return temp.innerHTML;
} }
}; };

11
js/plugin/POIMarkers.js
View file

@ -87,21 +87,12 @@ BR.PoiMarkers = L.Control.extend({
}, },
addMarker: function(latlng, name) { addMarker: function(latlng, name) {
// this method must only be used to sanitize for textContent.
// do NOT use it to sanitize any attribute,
// see https://web.archive.org/web/20121208091505/http://benv.ca/2012/10/4/you-are-probably-misusing-DOM-text-methods/
var sanitizeHTMLContent = function(str) {
var temp = document.createElement('div');
temp.textContent = str;
return temp.innerHTML;
};
var icon = L.VectorMarkers.icon({ var icon = L.VectorMarkers.icon({
icon: 'star', icon: 'star',
markerColor: BR.conf.markerColors.poi markerColor: BR.conf.markerColors.poi
}); });
var content = sanitizeHTMLContent(name) + '<br>'; var content = BR.Util.sanitizeHTMLContent(name) + '<br>';
content += "<button id='remove-poi-marker' class='btn btn-secondary'><i class='fa fa-trash'></i></button>"; content += "<button id='remove-poi-marker' class='btn btn-secondary'><i class='fa fa-trash'></i></button>";
var self = this; var self = this;

2
js/plugin/RouteLoaderConverter.js
View file

@ -284,7 +284,7 @@ BR.routeLoader = function(map, layersControl, routing, pois) {
addTrackOverlay: function(geoJSON) { addTrackOverlay: function(geoJSON) {
this._trackLayer = L.geoJSON(geoJSON, BR.Track.getGeoJsonOptions(layersControl)).addTo(map); this._trackLayer = L.geoJSON(geoJSON, BR.Track.getGeoJsonOptions(layersControl)).addTo(map);
layersControl.addOverlay(this._trackLayer, this._layerName); layersControl.addOverlay(this._trackLayer, BR.Util.sanitizeHTMLContent(this._layerName));
this._bounds = this._trackLayer.getBounds(); this._bounds = this._trackLayer.getBounds();