Fix some XSS issues
Since OSM data, changeset comments and potentially even OSM usernames may
contain HTML code, it's better to use the textContent property to insert
such values, since innerHTML would parse this HTML, which could even lead
to the execution of JavaScript code [1].
The Underscore.js template is also affected by such issues, which can be
mitigated by using <%- instead of <%= for interpolations [2].

[1] https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML#Security_considerations
[2] http://underscorejs.org/#template
mstock committed Feb 19, 2018
1 parent 6ee9600 commit 4bed3b3
Showing 2 changed files with 5 additions and 5 deletions.
4 changes: 2 additions & 2 deletions index.html
Expand Up @@ -26,8 +26,8 @@
</div>
<script id='changeset-template' type='template'>
<% var past_tense = { modify: 'modified', create: 'created', 'delete': 'deleted' }; %>
<p><a target='_blank' href='//openstreetmap.org/browse/changeset/<%=change.meta.changeset%>'><%=change.timetext%></a> <a target='_blank' href='//openstreetmap.org/user/<%= change.meta.user %>'><%= change.meta.user %></a>
<%= past_tense[change.type] %> <a target='_blank' href='//openstreetmap.org/browse/<%= change.meta.type %>/<%= change.meta.id %>'><%= change.tagtext %></a>
<p><a target='_blank' href='//openstreetmap.org/browse/changeset/<%-change.meta.changeset%>'><%-change.timetext%></a> <a target='_blank' href='//openstreetmap.org/user/<%- change.meta.user %>'><%- change.meta.user %></a>
<%- past_tense[change.type] %> <a target='_blank' href='//openstreetmap.org/browse/<%- change.meta.type %>/<%- change.meta.id %>'><%- change.tagtext %></a>
</p>
</script>
<script src='//cdnjs.cloudflare.com/ajax/libs/leaflet/0.5/leaflet.js'></script>
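Review bot: The `<%-` escaping on the new template lines stops HTML injection, but the values placed into the `href` attributes (`change.meta.changeset`, `change.meta.user`, `change.meta.type`, `change.meta.id`) are still not URL-encoded, so a username or id containing `/`, `?` or `#` produces a broken or misdirected link; wrap those interpolations, e.g. `href='//openstreetmap.org/user/<%- encodeURIComponent(change.meta.user) %>'`. Whether `<%-` also neutralises the single quote that delimits these attributes depends on the Underscore release in use (recent versions escape `'` as `&#x27;`); the loaded version is not visible in this hunk, so it should be confirmed. The `target='_blank'` anchors also carry no `rel='noopener noreferrer'`, and the protocol-relative `//openstreetmap.org` URLs would be safer as explicit `https://`.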
6 changes: 3 additions & 3 deletions js/site.js
Expand Up @@ -115,7 +115,7 @@ function showLocation(ll) {
crossOrigin: true,
type: 'json'
}, function(resp) {
document.getElementById('reverse-location').innerHTML =
document.getElementById('reverse-location').textContent =
'' + resp.display_name + '';
});
}
Expand Down Expand Up @@ -147,7 +147,7 @@ function fetchChangesetData(id, callback) {

function showComment(id) {
fetchChangesetData(id, function(err, changeset_data) {
document.getElementById('comment').innerHTML = changeset_data.comment + ' in ' + changeset_data.created_by;
document.getElementById('comment').textContent = changeset_data.comment + ' in ' + changeset_data.created_by;
});
}

Expand Down Expand Up @@ -186,7 +186,7 @@ osmStream.runFn(function(err, data) {
}, null, null, bboxString);

function doDrawWay() {
document.getElementById('queuesize').innerHTML = queue.length;
document.getElementById('queuesize').textContent = queue.length;
if (queue.length) {
var change = queue.pop();
var way = change.neu || change.old;
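Review bot: In `showComment` the new line `document.getElementById('comment').textContent = changeset_data.comment + ' in ' + changeset_data.created_by;` still dereferences `changeset_data` without checking `err`, so a failed `fetchChangesetData` call throws a TypeError inside the callback; add `if (err || !changeset_data) { return; }` as the first statement of the callback. The `showLocation` hunk has the same shape: its callback reads `resp.display_name` and wraps it in `'' + … + ''`, which is redundant now that `textContent` coerces to a string and still renders the literal text `undefined` when the field is absent; `resp.display_name || ''` would be the clearer form. The `textContent` swap on `queuesize` needs no change. `showLocation` and `doDrawWay` both begin or continue outside their hunks.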
