CodeQL alerts #24 and #25 (rated High) point at vendor/leaflet-elevation/leaflet-elevation.js line 1132. The chained .replace() calls each take a string argument, so only the first occurrence is replaced and stray characters survive in waypoint marker class names.
The output is a CSS class set via DOM property assignment (not HTML interpolation), and GPX uploads are admin-only, so there's no exploit path in Ferd today.
Patch proposed upstream in Raruto/leaflet-elevation#308. When it merges and we re-vendor, the alerts will close.
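As an added illustration of the finding (not code from Ferd or leaflet-elevation; the helper names and the exact replacement set are assumptions), the first-occurrence-only behaviour of string-pattern `.replace()` beside two corrected forms:

```javascript
// Constructed example: build a CSS class token from a waypoint name.
// Assumed replacement set (space, dot, slash); the real line 1132 may differ.

// Pattern CodeQL flags: String.prototype.replace with a *string* pattern
// replaces only the first match, so every later occurrence survives.
function classNameBuggy(name) {
  return "waypoint-" + name.toLowerCase()
    .replace(" ", "-")
    .replace(".", "")
    .replace("/", "-");
}

// Minimal fix: a regex with the global flag hits every occurrence
// (String.prototype.replaceAll is equivalent for plain-string patterns).
function classNameFixed(name) {
  return "waypoint-" + name.toLowerCase()
    .replace(/ /g, "-")
    .replace(/\./g, "")
    .replace(/\//g, "-");
}

// More robust fix: allow-list the characters a class token may contain
// instead of deny-listing the ones seen so far; runs of anything else
// collapse to a single hyphen.
function classNameAllowlist(name) {
  return "waypoint-" + name.toLowerCase().replace(/[^a-z0-9_-]+/g, "-");
}

// Check: a single CSS class token has no whitespace or punctuation
// (the deny-list chain above leaks spaces, so it fails this check).
function isValidClassToken(cls) {
  return /^[A-Za-z_-][A-Za-z0-9_-]*$/.test(cls);
}
```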