From fedb083612a9505a0c18a42855764bdc0babe9e4 Mon Sep 17 00:00:00 2001
From: Yohan Boniface
Date: Wed, 1 May 2024 16:22:49 +0200
Subject: [PATCH] chore: be more explicit on what HTML we allow when escaping
---
 umap/static/umap/js/modules/utils.js | 4 ++--
 umap/tests/integration/test_basics.py | 21 +++++++++++++++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/umap/static/umap/js/modules/utils.js b/umap/static/umap/js/modules/utils.js
index 5b18286e..4c6bfee3 100644
--- a/umap/static/umap/js/modules/utils.js
+++ b/umap/static/umap/js/modules/utils.js
@@ -70,7 +70,6 @@ export default function getPurify() {
 export function escapeHTML(s) {
 s = s ? s.toString() : ''
 s = getPurify().sanitize(s, {
- USE_PROFILES: { html: true },
 ADD_TAGS: ['iframe'],
 ALLOWED_TAGS: [
 'h3',
@@ -86,9 +85,10 @@ export function escapeHTML(s) {
 'iframe',
 'img',
 'br',
+ 'span',
 ],
 ADD_ATTR: ['target', 'allow', 'allowfullscreen', 'frameborder', 'scrolling'],
- ALLOWED_ATTR: ['href', 'src', 'width', 'height'],
+ ALLOWED_ATTR: ['href', 'src', 'width', 'height', 'style'],
 // Added: `geo:` URL scheme as defined in RFC5870:
 // https://www.rfc-editor.org/rfc/rfc5870.html
 // The base RegExp comes from:
diff --git a/umap/tests/integration/test_basics.py b/umap/tests/integration/test_basics.py
index 206cc785..0bf0e60b 100644
--- a/umap/tests/integration/test_basics.py
+++ b/umap/tests/integration/test_basics.py
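Review bot: Adding `'style'` to ALLOWED_ATTR in the second hunk lets user-supplied inline CSS through on every allowed tag (including `img` and the `iframe` added via ADD_TAGS), and as far as I know DOMPurify does not parse or sanitize the value of a style attribute, so a description can position content over other map UI or pull in external `url()` resources. If `'style'` and `'span'` are listed only to keep what the removed `USE_PROFILES: { html: true }` already granted, that intent and the residual risk belong next to the entry, e.g. `// 'style'/'span' preserve what the html profile allowed; DOMPurify does not sanitize inline CSS, so any tightening must come from CSP or a property allowlist`. Conversely, attributes the profile used to permit and the explicit list now drops (e.g. `alt`, `title`) are silently stripped after this change, which the commit message does not mention. escapeHTML's body continues outside the hunk.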
@@ -45,3 +45,24 @@ def test_create_map_with_cursor(page, live_server, tilelayer):
 "z-index: 200;"
 ),
 )
+
+
+def test_cannot_put_script_tag_in_datalayer_name_or_description(
+ openmap, live_server, page, tilelayer
+):
+ page.goto(f"{live_server.url}{openmap.get_absolute_url()}")
+ page.get_by_role("button", name="Edit").click()
+ page.get_by_role("link", name="Manage layers").click()
+ page.get_by_role("button", name="Add a layer").click()
+ page.locator('input[name="name"]').click()
+ page.locator('input[name="name"]').fill('')
+ page.locator(".umap-field-description textarea").click()
+ page.locator(".umap-field-description textarea").fill(
+ '

before after

' + ) + page.get_by_role("button", name="Save").click() + page.get_by_role("button", name="About").click() + # Title should contain raw HTML (we are using textContent) + expect(page.get_by_text('')).to_be_visible() + # Description should contain escaped HTML + expect(page.get_by_text("before after")).to_be_visible()