security fix xss: escape all special html characters before inserting them in a map marker

Uses the he library (https://github.com/mathiasbynens/he) for encoding the string.
No markup is now possible in the mtext URL parameter. Linebreaks (\n) are converted to <br/> after encoding.
aAXEe committed Oct 19, 2015
1 parent ca9e794 commit 8649157
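The commit message describes the hardened order of operations (HTML-encode the decoded `mtext` first, then turn `\n` into `<br/>`). The following is an added illustration, not code from this repository: `escapeHtml` is a stand-in for how `he.encode` handles the six unsafe characters `& < > " ' \``, and `SAMPLE_MTEXT` is a constructed URL parameter value.

```javascript
// Added example (not part of the repository). escapeHtml mimics he.encode's
// treatment of the characters HTML considers unsafe; the real library also
// encodes non-ASCII symbols, which is irrelevant to the ordering shown here.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#x27;', '`': '&#x60;' };
  return text.replace(/[&<>"'`]/g, c => map[c]);
}

// Constructed sample: "Harbour <b>hello</b>\nDepth: 2m", percent-encoded as it
// would arrive in the mtext query parameter.
const SAMPLE_MTEXT = 'Harbour%20%3Cb%3Ehello%3C%2Fb%3E%0ADepth%3A%202m';

// Behaviour before the fix: decoded text goes straight into the marker as HTML,
// so any tag in the parameter is rendered.
function markerTextUnsafe(raw) {
  return decodeURIComponent(raw).replace(/\n/g, '<br/>');
}

// Behaviour after the fix: encode first, then insert the intended line breaks.
// Newlines are not touched by the encoder, so the replace still matches.
function markerTextFixed(raw) {
  return escapeHtml(decodeURIComponent(raw)).replace(/\n/g, '<br/>');
}

// The tempting wrong order: inserting <br/> before encoding escapes the very
// tags we meant to keep, so line breaks show up as literal text.
function markerTextWrongOrder(raw) {
  return escapeHtml(decodeURIComponent(raw).replace(/\n/g, '<br/>'));
}

// True if any '<' other than the <br/> we inserted survives in the output.
function containsMarkup(html) {
  return /<(?!br\/>)/.test(html);
}

// decodeURIComponent throws URIError on malformed percent-encoding; the page's
// own try/catch around init() absorbs that, this wrapper makes it explicit.
function buildMarkerText(raw) {
  try {
    return markerTextFixed(raw);
  } catch (err) {
    if (err instanceof URIError) return '';
    throw err;
  }
}
```

`markerTextUnsafe(SAMPLE_MTEXT)` still contains `<b>`, while `markerTextFixed` yields `Harbour &lt;b&gt;hello&lt;/b&gt;<br/>Depth: 2m` and the wrong order yields `...&lt;br/&gt;...` with no working line break.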
Showing 2 changed files with 333 additions and 1 deletion.
5 changes: 4 additions & 1 deletion index.php
@@ -31,6 +31,7 @@
<script type="text/javascript" src="./javascript/bing.js"></script>
<script type="text/javascript" src="./javascript/ais.js"></script>
<script type="text/javascript" src="./javascript/satpro.js"></script>
<script type="text/javascript" src="./javascript/lib/he.js"></script>
<script type="text/javascript" src="./javascript/waterdepth-trackpoints.js"></script>
<script type="text/javascript">

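Review bot: the new script line pulls in a vendored copy at ./javascript/lib/he.js with no indication of which release of he (https://github.com/mathiasbynens/he) it is; record the version in the file header or a short README in lib/ so the copy can be refreshed when the upstream library changes. Load order is fine: he.js is listed ahead of the inline <script> block that uses he.encode, so the global exists by the time init() runs.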
@@ -137,7 +138,9 @@ function init() {
layerId: 2
});
map.addLayer(layer_marker);
addMarker(layer_marker, mLon, mLat, decodeURIComponent(getArgument("mtext")).replace(/\n/g, '<br/>'));
var mtext = he.encode(decodeURIComponent(getArgument("mtext"))).replace(/\n/g, '<br/>')
console.log("mtext: "+mtext)
addMarker(layer_marker, mLon, mLat, mtext);
}
}catch(err) {
console.log(err)
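Review bot: the debug line `console.log("mtext: "+mtext)` should be dropped before merge, since it logs user-supplied query input on every page load, and the `var mtext = ...` line is missing its trailing semicolon unlike the rest of this function. The order of operations is correct: encoding with he.encode first and replacing \n with <br/> afterwards keeps the intended line breaks while escaping any markup in mtext; doing the replace first would have turned the <br/> tags into literal text. decodeURIComponent can throw on malformed percent-encoding, which the enclosing try/catch already handles. This relies on addMarker continuing to treat the text as HTML (it has to, for <br/> to render), which is not visible in this diff.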
