diff --git a/umap/static/umap/js/umap.core.js b/umap/static/umap/js/umap.core.js
index 66f23061..4e0be38a 100644
--- a/umap/static/umap/js/umap.core.js
+++ b/umap/static/umap/js/umap.core.js
@@ -46,6 +46,7 @@ L.Util.escapeHTML = (s) => {
s = s ? s.toString() : ''
s = DOMPurify.sanitize(s, {
USE_PROFILES: { html: true },
+ ADD_TAGS: ['iframe'],
ALLOWED_TAGS: [
'h3',
'h4',
@@ -61,7 +62,8 @@ L.Util.escapeHTML = (s) => {
'img',
'br',
],
- ALLOWED_ATTR: ['target', 'href', 'frameborder', 'src', 'width', 'height'],
+ ADD_ATTR: ['target', 'allow', 'allowfullscreen', 'frameborder', 'scrolling'],
+ ALLOWED_ATTR: ['href', 'src', 'width', 'height'],
})
return s
}
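Review bot: Allowing `allow` and `allowfullscreen` in ADD_ATTR on the new line lets a user-authored `<iframe>` delegate permissions-policy features (camera, microphone, geolocation, …) to whatever origin its equally user-controlled `src` points at, and DOMPurify does not validate the value of an attribute that is allowed by name, so any feature list passes through. If fullscreen is the only intended use, `ADD_ATTR: ['target', 'allowfullscreen', 'frameborder', 'scrolling']` is the narrower allowlist; if the iframe-emitting code is meant to add a `sandbox` attribute for embedded documents, note that `sandbox` must also be listed here or this sanitizer will strip it. As a style point, `ADD_TAGS: ['iframe']` next to an explicit `ALLOWED_TAGS` list is equivalent to appending `'iframe'` to that list, and keeping a single list makes the effective allowlist easier to audit. The enclosing `L.Util.escapeHTML` arrow function starts before this hunk.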
diff --git a/umap/static/umap/test/Util.js b/umap/static/umap/test/Util.js
index 836be108..f6e9382d 100644
--- a/umap/static/umap/test/Util.js
+++ b/umap/static/umap/test/Util.js
@@ -38,49 +38,49 @@ describe('L.Util', function () {
it('should handle links without formatting', function () {
assert.equal(
L.Util.toHTML('A simple http://osm.org link'),
- 'A simple http://osm.org link'
+ 'A simple http://osm.org link'
)
})
it('should handle simple link in title', function () {
assert.equal(
L.Util.toHTML('# http://osm.org'),
- '
'
+ ''
)
})
it('should handle links with url parameter', function () {
assert.equal(
L.Util.toHTML('A simple https://osm.org/?url=https%3A//anotherurl.com link'),
- 'A simple https://osm.org/?url=https%3A//anotherurl.com link'
+ 'A simple https://osm.org/?url=https%3A//anotherurl.com link'
)
})
it('should handle simple link inside parenthesis', function () {
assert.equal(
L.Util.toHTML('A simple link (http://osm.org)'),
- 'A simple link (http://osm.org)'
+ 'A simple link (http://osm.org)'
)
})
it('should handle simple link with formatting', function () {
assert.equal(
L.Util.toHTML('A simple [[http://osm.org]] link'),
- 'A simple http://osm.org link'
+ 'A simple http://osm.org link'
)
})
it('should handle simple link with formatting and content', function () {
assert.equal(
L.Util.toHTML('A simple [[http://osm.org|link]]'),
- 'A simple link'
+ 'A simple link'
)
})
it('should handle simple link followed by a carriage return', function () {
assert.equal(
L.Util.toHTML('A simple link http://osm.org\nAnother line'),
- 'A simple link http://osm.org
\nAnother line'
+ 'A simple link http://osm.org
\nAnother line'
)
})
@@ -108,28 +108,28 @@ describe('L.Util', function () {
it('should handle iframe', function () {
assert.equal(
L.Util.toHTML('A simple iframe: {{{http://osm.org/pouet.html}}}'),
- 'A simple iframe: '
+ 'A simple iframe: '
)
})
it('should handle iframe with height', function () {
assert.equal(
L.Util.toHTML('A simple iframe: {{{http://osm.org/pouet.html|200}}}'),
- 'A simple iframe: '
+ 'A simple iframe: '
)
})
it('should handle iframe with height and width', function () {
assert.equal(
L.Util.toHTML('A simple iframe: {{{http://osm.org/pouet.html|200*400}}}'),
- 'A simple iframe: '
+ 'A simple iframe: '
)
})
it('should handle iframe with height with px', function () {
assert.equal(
L.Util.toHTML('A simple iframe: {{{http://osm.org/pouet.html|200px}}}'),
- 'A simple iframe: '
+ 'A simple iframe: '
)
})
@@ -138,7 +138,7 @@ describe('L.Util', function () {
L.Util.toHTML(
'A simple iframe: {{{https://osm.org/?url=https%3A//anotherurl.com}}}'
),
- 'A simple iframe: '
+ 'A simple iframe: '
)
})
@@ -147,7 +147,7 @@ describe('L.Util', function () {
L.Util.toHTML(
'A double iframe: {{{https://osm.org/pouet}}}{{{https://osm.org/boudin}}}'
),
- 'A double iframe: '
+ 'A double iframe: '
)
})
@@ -156,14 +156,14 @@ describe('L.Util', function () {
L.Util.toHTML(
'A phrase with a [[http://iframeurl.com?to=http://another.com]].'
),
- 'A phrase with a http://iframeurl.com?to=http://another.com.'
+ 'A phrase with a http://iframeurl.com?to=http://another.com.'
)
})
})
describe('#escapeHTML', function () {
it('should escape HTML tags', function () {
- assert.equal(L.Util.escapeHTML(''), '<a href="pouet">')
+ assert.equal(L.Util.escapeHTML(''), '')
})
it('should not fail with int value', function () {