diff --git a/umap/static/umap/js/modules/utils.js b/umap/static/umap/js/modules/utils.js
index 5b18286e..4c6bfee3 100644
--- a/umap/static/umap/js/modules/utils.js
+++ b/umap/static/umap/js/modules/utils.js
@@ -70,7 +70,6 @@ export default function getPurify() {
 export function escapeHTML(s) {
 s = s ? s.toString() : ''
 s = getPurify().sanitize(s, {
- USE_PROFILES: { html: true },
 ADD_TAGS: ['iframe'],
 ALLOWED_TAGS: [
 'h3',
@@ -86,9 +85,10 @@ export function escapeHTML(s) {
 'iframe',
 'img',
 'br',
+ 'span',
 ],
 ADD_ATTR: ['target', 'allow', 'allowfullscreen', 'frameborder', 'scrolling'],
- ALLOWED_ATTR: ['href', 'src', 'width', 'height'],
+ ALLOWED_ATTR: ['href', 'src', 'width', 'height', 'style'],
 // Added: `geo:` URL scheme as defined in RFC5870:
 // https://www.rfc-editor.org/rfc/rfc5870.html
 // The base RegExp comes from:
diff --git a/umap/tests/integration/test_basics.py b/umap/tests/integration/test_basics.py
index 206cc785..0bf0e60b 100644
--- a/umap/tests/integration/test_basics.py
+++ b/umap/tests/integration/test_basics.py
@@ -45,3 +45,24 @@ def test_create_map_with_cursor(page, live_server, tilelayer):
 "z-index: 200;"
 ),
 )
+
+
+def test_cannot_put_script_tag_in_datalayer_name_or_description(
+ openmap, live_server, page, tilelayer
+):
+ page.goto(f"{live_server.url}{openmap.get_absolute_url()}")
+ page.get_by_role("button", name="Edit").click()
+ page.get_by_role("link", name="Manage layers").click()
+ page.get_by_role("button", name="Add a layer").click()
+ page.locator('input[name="name"]').click()
+ page.locator('input[name="name"]').fill('')
+ page.locator(".umap-field-description textarea").click()
+ page.locator(".umap-field-description textarea").fill( '
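Review bot: The removal of `USE_PROFILES: { html: true }` is the line in this hunk that changes what escapeHTML lets through, and nothing in the code records why it had to go. As far as I recall DOMPurify's config parsing, a set USE_PROFILES replaces ALLOWED_TAGS and ALLOWED_ATTR with the profile's full HTML allow-lists, so the explicit lists below were not being enforced before this change and removing the option tightens the sanitizer; this is worth confirming against the DOMPurify version the project bundles. I would pin that down for the next maintainer with a comment above `ADD_TAGS`, e.g. `// Do not set USE_PROFILES here: it overrides ALLOWED_TAGS/ALLOWED_ATTR with the full HTML profile and would silently disable this allow-list.` The escapeHTML function continues past the end of the hunk.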
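Review bot: Adding `'style'` to ALLOWED_ATTR admits arbitrary inline CSS on every tag in ALLOWED_TAGS (`span`, `img`, `iframe`, …), and as far as I know DOMPurify does not parse or filter the CSS inside a `style` value, so this is a widening of the attack surface that the accompanying test (script tags in name/description) does not cover. User-authored CSS on a shared map can reference remote resources via `url()` (exposing viewers to third-party requests) or position content over the surrounding interface. If the goal is simple text styling on `span`, restrict the value with a `uponSanitizeAttribute` hook that keeps only an allow-list of properties, or at minimum document the accepted risk next to the line, e.g. `// 'style' is passed through unfiltered by DOMPurify; accepted in <issue placeholder>.` The sanitize() call and escapeHTML both extend beyond this hunk.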

before after

' + ) + page.get_by_role("button", name="Save").click() + page.get_by_role("button", name="About").click() + # Title should contain raw HTML (we are using textContent) + expect(page.get_by_text('')).to_be_visible() + # Description should contain escaped HTML + expect(page.get_by_text("before after")).to_be_visible()
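Review bot: The new test asserts only on rendered text, so it does not pin the property its name promises, namely that the injected markup is never executed; an escaped string showing up in the About panel is consistent with a script having also run. The payload literals are not legible in this view, but assuming they are script tags, register a dialog listener before the Save click and assert it stays empty once the About panel is open: `dialogs = []`, `page.on("dialog", lambda d: (dialogs.append(d.message), d.dismiss()))`, then `assert not dialogs` after the last expect. The `expect` name is not imported within the hunk and presumably comes from the file's existing Playwright import, which is consistent with `test_create_map_with_cursor` above using the same fixtures.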