Fix XSS in omaps urls
Signed-off-by: Alexander Borsuk <me@alex.bio>
This commit is contained in:
parent
728f133e6b
commit
2793a071fa
1 changed files with 23 additions and 1 deletions
24
src/ge0.ts
@ -53,6 +53,25 @@ function normalizeZoom(zoom: string): number {
|
|||
return z;
|
||||
}
|
||||
|
||||
const htmlEntityCode = {
|
||||
' ': ' ',
|
||||
'¢': '¢',
|
||||
'£': '£',
|
||||
'¥': '¥',
|
||||
'€': '€',
|
||||
'©': '©',
|
||||
'®': '®',
|
||||
'<': '<',
|
||||
'>': '>',
|
||||
'"': '"',
|
||||
'&': '&',
|
||||
"'": ''',
|
||||
};
|
||||
|
||||
function encodeHTML(str: string) {
|
||||
return str.replace(/[\u00A0-\u9999<>\&''""]/gm, (i) => htmlEntityCode[i]);
|
||||
}
|
||||
|
||||
// Coordinates and zoom are validated separately.
|
||||
const CLEAR_COORDINATES_REGEX =
|
||||
/(?<lat>-?\d+\.\d+)[^\d.](?<lon>-?\d+\.\d+)(?:[^\d.](?<zoom>\d{1,2}))?(?:[^\d.](?<name>.+))?/;
|
||||
|
@ -81,7 +100,10 @@ export async function onGe0Decode(template: string, url: string): Promise<Respon
|
|||
const params = pathname.split('/').filter(Boolean);
|
||||
const encodedLatLonZoom = params[0];
|
||||
const llz = decodeLatLonZoom(encodedLatLonZoom);
|
||||
const [name, title] = normalizeNameAndTitle(params.length > 1 ? params[1] : undefined);
|
||||
let [name, title] = normalizeNameAndTitle(params.length > 1 ? params[1] : undefined);
|
||||
// XSS prevention.
|
||||
name = encodeHTML(name);
|
||||
title = encodeHTML(title);
|
||||
|
||||
template = replaceInTemplate(template, {
|
||||
...llz,
|
||||
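Review bot: `encodeHTML` in the first hunk emits the literal text "undefined" for every character its regex matches but `htmlEntityCode` does not map: the class `[\u00A0-\u9999<>\&''""]` covers tens of thousands of code points (accented Latin, Cyrillic, CJK, …) while the table has twelve entries, and a replacer that returns `undefined` makes `String.prototype.replace` insert "undefined", so a name such as `Zürich` would come out as `Zundefinedrich`. Under `strict`, indexing the untyped literal with a `string` key (`htmlEntityCode[i]`) is also an implicit-any error, so this presumably compiles only with `noImplicitAny` off. I would type the table and restrict the regex to the characters that need escaping, keeping the input character when no mapping exists: `const htmlEntityCode: Record<string, string> = {` and `return str.replace(/[<>"'&]/g, (i) => htmlEntityCode[i] ?? i);` (the `m` flag has no effect on a bare character class). The entity values appear on this rendered page as the characters themselves, presumably decoded by the forge, so confirm the source holds `&lt;`, `&gt;`, `&quot;`, `&amp;` and `&#39;`. Entity encoding of `name`/`title` in the second hunk is sufficient only if `replaceInTemplate` places them in HTML text or a quoted attribute; that function is outside the hunk, so the insertion context should be checked as well.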