chore: be more explicit on what HTML we allow when escaping

umap/static/umap/js/modules/utils.js

@@ -70,7 +70,6 @@ export default function getPurify() {
 export function escapeHTML(s) {
   s = s ? s.toString() : ''
   s = getPurify().sanitize(s, {
-    USE_PROFILES: { html: true },
     ADD_TAGS: ['iframe'],
     ALLOWED_TAGS: [
       'h3',
@@ -86,9 +85,10 @@ export function escapeHTML(s) {
       'iframe',
       'img',
       'br',
+      'span',
     ],
     ADD_ATTR: ['target', 'allow', 'allowfullscreen', 'frameborder', 'scrolling'],
-    ALLOWED_ATTR: ['href', 'src', 'width', 'height'],
+    ALLOWED_ATTR: ['href', 'src', 'width', 'height', 'style'],
     // Added: `geo:` URL scheme as defined in RFC5870:
     // https://www.rfc-editor.org/rfc/rfc5870.html
     // The base RegExp comes from:

umap/tests/integration/test_basics.py

@@ -45,3 +45,24 @@ def test_create_map_with_cursor(page, live_server, tilelayer):
             "z-index: 200;"
         ),
     )
+
+
+def test_cannot_put_script_tag_in_datalayer_name_or_description(
+    openmap, live_server, page, tilelayer
+):
+    page.goto(f"{live_server.url}{openmap.get_absolute_url()}")
+    page.get_by_role("button", name="Edit").click()
+    page.get_by_role("link", name="Manage layers").click()
+    page.get_by_role("button", name="Add a layer").click()
+    page.locator('input[name="name"]').click()
+    page.locator('input[name="name"]').fill('<script>alert("attack")</script>')
+    page.locator(".umap-field-description textarea").click()
+    page.locator(".umap-field-description textarea").fill(
+        '<p>before <script>alert("attack")</script> after</p>'
+    )
+    page.get_by_role("button", name="Save").click()
+    page.get_by_role("button", name="About").click()
+    # Title should contain raw HTML (we are using textContent)
+    expect(page.get_by_text('<script>alert("attack")</script>')).to_be_visible()
+    # Description should contain escaped HTML
+    expect(page.get_by_text("before after")).to_be_visible()