From e058802777060aceddee920322cbd8f2719f8c8f Mon Sep 17 00:00:00 2001
From: Marcus Jaschen
Date: Fri, 1 Jul 2022 11:05:14 +0200
Subject: [PATCH] uses existing function for escaping Overpass data; escape keys too (#575)
---
 js/LayersConfig.js | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/js/LayersConfig.js b/js/LayersConfig.js
index 142bfe5..801fa26 100644
--- a/js/LayersConfig.js
+++ b/js/LayersConfig.js
@@ -255,12 +255,14 @@ BR.LayersConfig = L.Class.extend({
 output += '';
 output += '';
- for (const key in overpassData.tags) {
+ for (let key in overpassData.tags) {
 if (key.substring(0, 5) === 'addr:') {
 continue;
 }
- // `new Option().innerHTML` escapes HTML entities for XSS protection
- let value = new Option(overpassData.tags[key]).innerHTML;
+
+ let value = BR.Util.sanitizeHTMLContent(overpassData.tags[key]);
+ key = BR.Util.sanitizeHTMLContent(key);
+
 if (key.match(/email/)) {
 value = '' + value + '';
 }
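Review bot: The sanitized `value` is concatenated into markup in the `key.match(/email/)` branch right after the new lines, and whether that is safe depends on what `BR.Util.sanitizeHTMLContent` escapes, which this hunk does not show. The removed `new Option(...).innerHTML` approach entity-encodes `<`, `>` and `&` but leaves quotes alone, so if the helper behaves the same way and any of the wrapping strings place `value` inside an attribute (the literals appear empty on this page, probably stripped markup), a quote in an Overpass tag would not be neutralised there. It is worth confirming that the helper also encodes `"` and `'`, or building those elements with DOM APIs and `textContent`/`setAttribute` instead of string concatenation. Separately, `key = BR.Util.sanitizeHTMLContent(key);` overwrites the loop variable, so any later `overpassData.tags[key]` lookup in the loop body, which continues past the hunk, would use the escaped name; `const safeKey = BR.Util.sanitizeHTMLContent(key);` used only for output would keep the raw and escaped forms apart.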