ben/brouter-web
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

uses existing function for escaping Overpass data; escape keys too (#575)

Browse source
This commit is contained in:
Marcus Jaschen 2022-07-01 11:05:14 +02:00 committed by GitHub
parent f68d32b1f2
commit e058802777
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

8
js/LayersConfig.js
View file

@ -255,12 +255,14 @@ BR.LayersConfig = L.Class.extend({
output += '</thead>';
output += '<tbody>';
for (const key in overpassData.tags) {
for (let key in overpassData.tags) {
if (key.substring(0, 5) === 'addr:') {
continue;
}
// `new Option().innerHTML` escapes HTML entities for XSS protection
let value = new Option(overpassData.tags[key]).innerHTML;
let value = BR.Util.sanitizeHTMLContent(overpassData.tags[key]);
key = BR.Util.sanitizeHTMLContent(key);
if (key.match(/email/)) {
value = '<a href="mailto:' + value + '">' + value + '</a>';
}