From 5b9746066ce5a162daad68d2228b94d6334f1ede Mon Sep 17 00:00:00 2001
From: David Larlet
Date: Mon, 6 May 2024 18:26:05 -0400
Subject: [PATCH] fix: allow `dir` and `title` attributes

Fix #1796
---
 umap/static/umap/js/modules/utils.js | 2 +-
 umap/static/umap/unittests/utils.js | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/umap/static/umap/js/modules/utils.js b/umap/static/umap/js/modules/utils.js
index 340d1122..f5c36a31 100644
--- a/umap/static/umap/js/modules/utils.js
+++ b/umap/static/umap/js/modules/utils.js
@@ -88,7 +88,7 @@ export function escapeHTML(s) {
 'span',
 ],
 ADD_ATTR: ['target', 'allow', 'allowfullscreen', 'frameborder', 'scrolling'],
- ALLOWED_ATTR: ['href', 'src', 'width', 'height', 'style'],
+ ALLOWED_ATTR: ['href', 'src', 'width', 'height', 'style', 'dir', 'title'],
 // Added: `geo:` URL scheme as defined in RFC5870:
 // https://www.rfc-editor.org/rfc/rfc5870.html
 // The base RegExp comes from:
diff --git a/umap/static/umap/unittests/utils.js b/umap/static/umap/unittests/utils.js
index 4624b273..c405b4d4 100644
--- a/umap/static/umap/unittests/utils.js
+++ b/umap/static/umap/unittests/utils.js
@@ -185,6 +185,13 @@ describe('Utils', function () {
 assert.equal(Utils.escapeHTML(''), '')
 })
 
+ it('should not escape dir and title attributes', function () {
+ assert.equal(
+ Utils.escapeHTML(''),
+ ''
+ )
+ })
+
 it('should not fail with int value', function () {
 assert.equal(Utils.escapeHTML(25), '25')
 })
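Review bot: The new `'dir'` and `'title'` entries in `ALLOWED_ATTR` carry no rationale, and with `ADD_ATTR` sitting one line above it is not clear which list a future attribute belongs in; a short comment would keep the allowlist auditable, e.g. `// dir/title are display-only (no URL or script payload), see #1796; URL-bearing and event-handler attributes stay out of this list`. This looks like a DOMPurify config, in which case `ALLOWED_ATTR` replaces the library's default attribute list rather than extending it, so it is worth stating that every attribute kept must be named here explicitly. The body of escapeHTML starts and ends outside the hunk.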
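Review bot: As rendered, the new test compares `Utils.escapeHTML('')` with `''`, which passes without exercising the `dir`/`title` allowlist at all; if the element markup was lost in this rendering, disregard, otherwise the fixture needs an element that actually carries both attributes. In either case the test only shows that allowed attributes survive; a companion assertion that a non-allowlisted attribute on the same element is still dropped would pin the allowlist in both directions, e.g. `assert.notInclude(Utils.escapeHTML(input), 'notallowed=')` with a constructed input. The enclosing describe block starts before and ends after the hunk.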