Merge pull request #1141 from umap-project/1140-allow-geo-scheme

Allow `geo:` scheme in (description) links
2023-06-14 19:01:43 +02:00 · 2023-06-14 19:01:43 +02:00 · 0076614ee8
commit 0076614ee8
parent 186480ea01 8400d9f03a
2 changed files with 13 additions and 0 deletions
--- a/umap/static/umap/js/umap.core.js
+++ b/umap/static/umap/js/umap.core.js
@ -64,6 +64,12 @@ L.Util.escapeHTML = (s) => {
    ],
    ADD_ATTR: ['target', 'allow', 'allowfullscreen', 'frameborder', 'scrolling'],
    ALLOWED_ATTR: ['href', 'src', 'width', 'height'],
+    // Added: `geo:` URL scheme as defined in RFC5870:
+    // https://www.rfc-editor.org/rfc/rfc5870.html
+    // The base RegExp comes from:
+    // https://github.com/cure53/DOMPurify/blob/main/src/regexp.js#L10
+    ALLOWED_URI_REGEXP:
+      /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp|geo):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i,
  })
  return s
 }
--- a/umap/static/umap/test/Util.js
+++ b/umap/static/umap/test/Util.js
@ -166,6 +166,13 @@ describe('L.Util', function () {
      assert.equal(L.Util.escapeHTML('<span onload="alert(oups)">'), '<span></span>')
    })

+    it('should not escape geo: links', function () {
+      assert.equal(
+        L.Util.escapeHTML('<a href="geo:1,2"></a>'),
+        '<a href="geo:1,2"></a>'
+      )
+    })
+
    it('should not fail with int value', function () {
      assert.equal(L.Util.escapeHTML(25), '25')
    })