From 3122286c8e9808fab42c5aa1a5783675075e2b6b Mon Sep 17 00:00:00 2001 From: David Larlet Date: Fri, 19 May 2023 15:29:14 -0400 Subject: [PATCH] Use DOMPurify in `escapeHTML()` for a global impact --- umap/static/umap/js/umap.core.js | 41 ++++++++++++++++---------------- 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/umap/static/umap/js/umap.core.js b/umap/static/umap/js/umap.core.js index a7554350..66f23061 100644 --- a/umap/static/umap/js/umap.core.js +++ b/umap/static/umap/js/umap.core.js @@ -44,7 +44,26 @@ L.Util.setNullableBooleanFromQueryString = (options, name) => { } L.Util.escapeHTML = (s) => { s = s ? s.toString() : '' - return s.replace(/ { if (!r) return '' @@ -106,25 +125,7 @@ L.Util.toHTML = (r) => { // Preserver line breaks if (newline) r = r.replace(new RegExp(newline + '(?=[^]+)', 'g'), '
' + newline)
- r = DOMPurify.sanitize(r, {
- USE_PROFILES: { html: true },
- ALLOWED_TAGS: [
- 'h3',
- 'h4',
- 'h5',
- 'hr',
- 'strong',
- 'em',
- 'ul',
- 'li',
- 'a',
- 'div',
- 'iframe',
- 'img',
- 'br',
- ],
- ALLOWED_ATTR: ['target', 'href', 'frameborder', 'src', 'width', 'height'],
- })
+ r = L.Util.escapeHTML(r)
 return r
 }
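Review bot: `toHTML` now depends on an allowlist it no longer states — the replacement line `r = L.Util.escapeHTML(r)` inherits whatever DOMPurify configuration the new `escapeHTML` body sets up in the first hunk (whose added lines are not legible in this view), so the explicit tag/attribute set the removed lines spelled out, including `iframe`, `img` and `a` with `href`, `src` and `target`, is no longer visible or enforceable at this call site. If `escapeHTML` is, as its name suggests, the general-purpose helper used wherever an untrusted string is rendered, then every tag later permitted for the markdown path becomes permitted for all other callers too, and the name now misleads, since the helper sanitizes to an HTML allowlist rather than entity-encoding. I would either rename the shared helper to say what it does or keep per-caller allowlists explicit, e.g. `r = L.Util.escapeHTML(r, { ALLOWED_TAGS: [...], ALLOWED_ATTR: [...] })` with `escapeHTML` merging the argument over its defaults, and add above the call: `// Sanitizes to a DOMPurify allowlist; the result is HTML, not escaped text`. If the shared config still permits `target` on `a`, consider an `afterSanitizeAttributes` hook that sets `rel="noopener noreferrer"`, which the removed config did not do. The enclosing `L.Util.toHTML` starts before this hunk.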