From 8bf34987442076f94ae68ddf849681760f69b4b9 Mon Sep 17 00:00:00 2001
From: Xaver Maierhofer <xaver.maierhofer@xwissen.info>
Date: Mon, 6 Aug 2018 17:50:57 +0200
Subject: [PATCH] [TASK] Prevent XSS in tooltip

---
 lib/map/labellayer.js | 4 ++--
 lib/utils/helper.js   | 6 ++++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/lib/map/labellayer.js b/lib/map/labellayer.js
index a32ce9c..63ff62e 100644
--- a/lib/map/labellayer.js
+++ b/lib/map/labellayer.js
@@ -87,7 +87,7 @@ define(['leaflet', 'rbush', 'helper', 'moment'],
         m.on('click', function () {
           router.fullUrl({ node: d.node_id });
         });
-        m.bindTooltip(d.hostname);
+        m.bindTooltip(helper.escape(d.hostname));
 
         dict[d.node_id] = m;
 
@@ -114,7 +114,7 @@ define(['leaflet', 'rbush', 'helper', 'moment'],
           line.setStyle(opts);
         };
 
-        line.bindTooltip(d.source.hostname + ' – ' + d.target.hostname +
+        line.bindTooltip(helper.escape(d.source.hostname + ' – ' + d.target.hostname) +
           '<br><strong>' + helper.showDistance(d) + ' / ' + helper.showTq(d.source_tq) + ' - ' + helper.showTq(d.target_tq) + '<br>' + d.type + '</strong>');
 
         line.on('click', function () {
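Review bot: The `line.bindTooltip` call escapes only the two hostnames; `d.type` is still concatenated raw into the same HTML string two lines later, inside the `<strong>` element. It comes from the same externally supplied link data as the hostnames, so the tooltip remains injectable through that field. Wrap it the same way: `'<br>' + helper.escape(d.type) + '</strong>'`. The `showDistance`/`showTq` values are presumably formatted numbers and are not visible here; if they pass through node-supplied strings they should be escaped as well. The enclosing callback starts before this hunk.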
diff --git a/lib/utils/helper.js b/lib/utils/helper.js
index 429f4eb..41f7b1c 100644
--- a/lib/utils/helper.js
+++ b/lib/utils/helper.js
@@ -196,5 +196,11 @@ define({
         btn.classList.add('ion-full-enter');
       }
     }
+  },
+  escape: function escape(string) {
+    return string.replace(/</g, '&lt;')
+      .replace(/>/g, '&gt;')
+      .replace(/"/g, '&#34;')
+      .replace(/'/g, '&#39;');
   }
 });
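Review bot: `escape` never replaces `&`, so the output is not a faithful HTML encoding: a hostname containing `&lt;` is rendered by the tooltip as a literal `<`, and any entity-like text in input is interpreted rather than displayed. Add `.replace(/&/g, '&amp;')` as the first step of the chain, before the `<`/`>`/quote replacements, so the ampersands introduced by the later entities are not double-encoded. The function also assumes a string argument and will throw a TypeError on `undefined`; coercing up front with `return String(string == null ? '' : string)` followed by the existing chain makes it safe for callers that pass optional fields. A one-line JSDoc such as `/** Escape a string for insertion into HTML element content or attribute values. */` would document the intended use.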
-- 
GitLab