fix: use modern URL() and also update data viewer against XSS

Signed-off-by: Michael Nutt <michael@nuttnet.net>
maptiler · Jan 18, 2023 · e879ecd · e879ecd
1 parent 2172de3
commit e879ecd
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 7 deletions.
diff --git a/public/templates/data.tmpl b/public/templates/data.tmpl
@@ -35,6 +35,10 @@
   <div id="layerList"></div>
   <pre id="propertyList"></pre>
   <script>
+  const { searchParams } = new URL(document.location);
+  const accessKey = searchParams.get('key');
+  const keyParam = accessKey ? `?key=${accessKey}` : '';
+
   var map = new maplibregl.Map({
     container: 'map',
     hash: true,
@@ -44,7 +48,7 @@
       sources: {
         'vector_layer_': {
           type: 'vector',
-          url: '{{public_url}}data/{{id}}.json{{&key_query}}'
+          url: '{{public_url}}data/{{id}}.json' + keyParam
         }
       },
       layers: []
@@ -76,11 +80,15 @@
   <h1 style="display:none;">{{name}}</h1>
   <div id='map'></div>
   <script>
+  const { searchParams } = new URL(document.location);
+  const accessKey = searchParams.get('key');
+  const keyParam = accessKey ? `?key=${accessKey}` : '';
+
 	var map = L.map('map', { zoomControl: false });
 	new L.Control.Zoom({ position: 'topright' }).addTo(map);
 
 	var tile_urls = [], tile_attribution, tile_minzoom, tile_maxzoom;
-	var url = '{{public_url}}data/{{id}}.json{{&key_query}}';
+	var url = '{{public_url}}data/{{id}}.json' + keyParam;
 	var req = new XMLHttpRequest();
 	req.overrideMimeType("application/json");
 	req.open('GET', url, true);

diff --git a/public/templates/viewer.tmpl b/public/templates/viewer.tmpl
@@ -26,14 +26,16 @@
       q.indexOf('vector') >= 0 ? 'vector' :
         (q.indexOf('raster') >= 0 ? 'raster' :
           (maplibregl.supported() ? 'vector' : 'raster'));
-    var keyMatch = location.search.match(/[\?\&]key=([^&]+)/i);
-    var key = keyMatch ? '?key=' + keyMatch[1] : '';
+
+    const { searchParams } = new URL(document.location);
+    const accessKey = searchParams.get('key');
+    const keyParam = accessKey ? `?key=${accessKey}` : '';
 
     if (preference == 'vector') {
-      maplibregl.setRTLTextPlugin('{{public_url}}mapbox-gl-rtl-text.js' + key);
+      maplibregl.setRTLTextPlugin('{{public_url}}mapbox-gl-rtl-text.js' + keyParam);
       var map = new maplibregl.Map({
         container: 'map',
-        style: '{{public_url}}styles/{{id}}/style.json' + key,
+        style: '{{public_url}}styles/{{id}}/style.json' + keyParam,
         hash: true,
         maplibreLogo: true
       });
@@ -52,7 +54,7 @@
 		new L.Control.Zoom({ position: 'topright' }).addTo(map);
 
 		var tile_urls = [], tile_attribution, tile_minzoom, tile_maxzoom;
-		var url = '{{public_url}}styles/{{id}}.json' + key;
+		var url = '{{public_url}}styles/{{id}}.json' + keyParam;
 		var req = new XMLHttpRequest();
 		req.overrideMimeType("application/json");
 		req.open('GET', url, true);