Fix xss due to handlebars variables in javascript #535
@@ -5,10 +5,10 @@ | |||||
<meta name="viewport" content="width=device-width, initial-scale=1"> | ||||||
<title>{{name}} - TileServer GL</title> | ||||||
{{#is_vector}} | ||||||
<link rel="stylesheet" type="text/css" href="{{public_url}}maplibre-gl.css{{&key_query}}" /> | ||||||
<link rel="stylesheet" type="text/css" href="{{public_url}}maplibre-gl-inspect.css{{&key_query}}" /> | ||||||
<script>if (typeof Symbol !== 'undefined') { document.write('<script src="{{public_url}}maplibre-gl.js{{&key_query}}"><\/script>'); } else { document.write('<script src="{{public_url}}maplibre-gl-compat.js{{&key_query}}"><\/script>'); }</script> | ||||||
<script>if (typeof Symbol !== 'undefined') { document.write('<script src="{{public_url}}maplibre-gl-inspect.min.js{{&key_query}}"><\/script>'); } else { document.write('<script src="{{public_url}}maplibre-gl-inspect-compat.min.js{{&key_query}}"><\/script>'); }</script> | ||||||
<link rel="stylesheet" type="text/css" href="{{public_url}}maplibre-gl.css" /> | ||||||
<link rel="stylesheet" type="text/css" href="{{public_url}}maplibre-gl-inspect.css" /> | ||||||
<script>if (typeof Symbol !== 'undefined') { document.write('<script src="{{public_url}}maplibre-gl.js"><\/script>'); } else { document.write('<script src="{{public_url}}maplibre-gl-compat.js"><\/script>'); }</script> | ||||||
<script>if (typeof Symbol !== 'undefined') { document.write('<script src="{{public_url}}maplibre-gl-inspect.min.js"><\/script>'); } else { document.write('<script src="{{public_url}}maplibre-gl-inspect-compat.min.js"><\/script>'); }</script> | ||||||
<style> | ||||||
body {background:#fff;color:#333;font-family:Arial, sans-serif;} | ||||||
#map {position:absolute;top:0;left:0;right:250px;bottom:0;} | ||||||
|
@@ -18,10 +18,10 @@ | |||||
</style> | ||||||
{{/is_vector}} | ||||||
{{^is_vector}} | ||||||
<link rel="stylesheet" type="text/css" href="{{public_url}}leaflet.css{{&key_query}}" /> | ||||||
<script src="{{public_url}}leaflet.js{{&key_query}}"></script> | ||||||
<script src="{{public_url}}leaflet-hash.js{{&key_query}}"></script> | ||||||
<script src="{{public_url}}L.TileLayer.NoGap.js{{&key_query}}"></script> | ||||||
<link rel="stylesheet" type="text/css" href="{{public_url}}leaflet.css" /> | ||||||
<script src="{{public_url}}leaflet.js"></script> | ||||||
<script src="{{public_url}}leaflet-hash.js"></script> | ||||||
<script src="{{public_url}}L.TileLayer.NoGap.js"></script> | ||||||
<style> | ||||||
body { margin:0; padding:0; } | ||||||
#map { position:absolute; top:0; bottom:0; width:100%; } | ||||||
|
@@ -35,6 +35,9 @@ | |||||
<div id="layerList"></div> | ||||||
<pre id="propertyList"></pre> | ||||||
<script> | ||||||
var keyMatch = location.search.match(/[\?\&]key=([^&]+)/i); | ||||||
var keyParam = keyMatch ? '?key=' + keyMatch[1] : ''; | ||||||
|
||||||
var map = new maplibregl.Map({ | ||||||
container: 'map', | ||||||
hash: true, | ||||||
|
@@ -44,7 +47,7 @@ | |||||
sources: { | ||||||
'vector_layer_': { | ||||||
type: 'vector', | ||||||
url: '{{public_url}}data/{{id}}.json{{&key_query}}' | ||||||
url: '{{public_url}}data/{{id}}.json' + keyParam | ||||||
|
||||||
} | ||||||
}, | ||||||
layers: [] | ||||||
|
@@ -76,11 +79,14 @@ | |||||
<h1 style="display:none;">{{name}}</h1> | ||||||
<div id='map'></div> | ||||||
<script> | ||||||
var keyMatch = location.search.match(/[\?\&]key=([^&]+)/i); | ||||||
var keyParam = keyMatch ? '?key=' + keyMatch[1] : ''; | ||||||
|
||||||
var map = L.map('map', { zoomControl: false }); | ||||||
new L.Control.Zoom({ position: 'topright' }).addTo(map); | ||||||
|
||||||
var tile_urls = [], tile_attribution, tile_minzoom, tile_maxzoom; | ||||||
var url = '{{public_url}}data/{{id}}.json{{&key_query}}'; | ||||||
var url = '{{public_url}}data/{{id}}.json' + keyParam; | ||||||
|
||||||
var req = new XMLHttpRequest(); | ||||||
req.overrideMimeType("application/json"); | ||||||
req.open('GET', url, true); | ||||||
|
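Review bot: The key-forwarding pair `var keyMatch = location.search.match(/[\?\&]key=([^&]+)/i); var keyParam = keyMatch ? '?key=' + keyMatch[1] : '';` added in the vector `<script>` block is copy-pasted again in the leaflet `<script>` block further down and once more in the second file, so any later tightening of the parse has to be made in three places; a single helper such as `function keyQuery() { var m = location.search.match(/[\?\&]key=([^&]+)/i); return m ? '?key=' + m[1] : ''; }` defined once ahead of both branches would keep them in step. Reading the key from the page URL instead of from a server-rendered `{{&key_query}}` is what closes the script-context injection, and that intent deserves a one-line comment next to the regex, e.g. `// read the key from the page URL so no server-rendered value lands in a JS string literal`. The captured value is only ever appended to XHR and vector-source URLs, which is a URL context, so no further escaping is needed there; `URLSearchParams` would read more cleanly, but the page still serves a `Symbol`-less compat bundle where it is presumably unavailable, so the regex is the right tool here. The enclosing `<script>` blocks continue outside the hunks.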
@@ -4,14 +4,14 @@ | |||||
<meta charset="UTF-8"> | ||||||
<meta name="viewport" content="width=device-width, initial-scale=1"> | ||||||
<title>{{name}} - TileServer GL</title> | ||||||
<link rel="stylesheet" type="text/css" href="{{public_url}}maplibre-gl.css{{&key_query}}" /> | ||||||
<link rel="stylesheet" type="text/css" href="{{public_url}}maplibre-gl-inspect.css{{&key_query}}" /> | ||||||
<link rel="stylesheet" type="text/css" href="{{public_url}}leaflet.css{{&key_query}}" /> | ||||||
<script>if (typeof Symbol !== 'undefined') { document.write('<script src="{{public_url}}maplibre-gl.js{{&key_query}}"><\/script>'); } else { document.write('<script src="{{public_url}}maplibre-gl-compat.js{{&key_query}}"><\/script>'); }</script> | ||||||
<script>if (typeof Symbol !== 'undefined') { document.write('<script src="{{public_url}}maplibre-gl-inspect.min.js{{&key_query}}"><\/script>'); } else { document.write('<script src="{{public_url}}maplibre-gl-inspect-compat.min.js{{&key_query}}"><\/script>'); }</script> | ||||||
<script src="{{public_url}}leaflet.js{{&key_query}}"></script> | ||||||
<script src="{{public_url}}leaflet-hash.js{{&key_query}}"></script> | ||||||
<script src="{{public_url}}L.TileLayer.NoGap.js{{&key_query}}"></script> | ||||||
<link rel="stylesheet" type="text/css" href="{{public_url}}maplibre-gl.css" /> | ||||||
<link rel="stylesheet" type="text/css" href="{{public_url}}maplibre-gl-inspect.css" /> | ||||||
<link rel="stylesheet" type="text/css" href="{{public_url}}leaflet.css" /> | ||||||
<script>if (typeof Symbol !== 'undefined') { document.write('<script src="{{public_url}}maplibre-gl.js"><\/script>'); } else { document.write('<script src="{{public_url}}maplibre-gl-compat.js"><\/script>'); }</script> | ||||||
<script>if (typeof Symbol !== 'undefined') { document.write('<script src="{{public_url}}maplibre-gl-inspect.min.js"><\/script>'); } else { document.write('<script src="{{public_url}}maplibre-gl-inspect-compat.min.js"><\/script>'); }</script> | ||||||
<script src="{{public_url}}leaflet.js"></script> | ||||||
<script src="{{public_url}}leaflet-hash.js"></script> | ||||||
<script src="{{public_url}}L.TileLayer.NoGap.js"></script> | ||||||
<style> | ||||||
body { margin:0; padding:0; } | ||||||
#map { position:absolute; top:0; bottom:0; width:100%; } | ||||||
|
@@ -26,11 +26,15 @@ | |||||
q.indexOf('vector') >= 0 ? 'vector' : | ||||||
(q.indexOf('raster') >= 0 ? 'raster' : | ||||||
(maplibregl.supported() ? 'vector' : 'raster')); | ||||||
|
||||||
var keyMatch = location.search.match(/[\?\&]key=([^&]+)/i); | ||||||
var keyParam = keyMatch ? '?key=' + keyMatch[1] : ''; | ||||||
|
||||||
if (preference == 'vector') { | ||||||
maplibregl.setRTLTextPlugin('{{public_url}}mapbox-gl-rtl-text.js{{&key_query}}'); | ||||||
maplibregl.setRTLTextPlugin('{{public_url}}mapbox-gl-rtl-text.js' + keyParam); | ||||||
|
||||||
var map = new maplibregl.Map({ | ||||||
container: 'map', | ||||||
style: '{{public_url}}styles/{{id}}/style.json{{&key_query}}', | ||||||
style: '{{public_url}}styles/{{id}}/style.json' + keyParam, | ||||||
|
||||||
hash: true, | ||||||
maplibreLogo: true | ||||||
}); | ||||||
|
@@ -49,7 +53,7 @@ | |||||
new L.Control.Zoom({ position: 'topright' }).addTo(map); | ||||||
|
||||||
var tile_urls = [], tile_attribution, tile_minzoom, tile_maxzoom; | ||||||
var url = '{{public_url}}styles/{{id}}.json{{&key_query}}'; | ||||||
var url = '{{public_url}}styles/{{id}}.json' + keyParam; | ||||||
|
||||||
var req = new XMLHttpRequest(); | ||||||
req.overrideMimeType("application/json"); | ||||||
req.open('GET', url, true); | ||||||
|
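Review bot: `{{public_url}}` and `{{id}}` are still interpolated with the escaping double-stash inside JavaScript string literals at `maplibregl.setRTLTextPlugin('{{public_url}}mapbox-gl-rtl-text.js' + keyParam);`, `style: '{{public_url}}styles/{{id}}/style.json' + keyParam,` and `var url = '{{public_url}}styles/{{id}}.json' + keyParam;` (the `data/{{id}}.json` lines in the first file follow the same pattern). HTML escaping keeps a quote or `</script>` from ending the literal, but the browser does not decode entities inside `<script>`, so if the engine is Handlebars as the title suggests, a style id or base URL containing `&`, `'` or `=` would reach the server as a literal `&amp;`, `&#x27;` or `&#x3D;`. Moving those values into `data-` attributes on the `#map` element and reading them with `getAttribute`, or rendering them through a JSON-encoding helper, gives both correct escaping for the JS context and round-trip-safe values. The surrounding `<script>` block and the `if (preference == 'vector')` branch continue outside the hunk.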
Uhh, this is causing an issue with serving the static assets via a proxy (Kong) 😭 as the `query` has a custom `access_key` which is required in each request served.