Sanitize marker tooltips on server for extra safety (in addition to M…

…apbox.js sanitization)
heyjobs · Jun 3, 2020 · a5f60d2 · a5f60d2
1 parent 482db1a
commit a5f60d2
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/app/controllers/blazer/queries_controller.rb b/app/controllers/blazer/queries_controller.rb
@@ -249,7 +249,9 @@ def render_run
                 r[lat_index] && r[lon_index]
               end.map do |r|
                 {
-                  title: r.each_with_index.map{ |v, i| i == lat_index || i == lon_index ? nil : "<strong>#{@columns[i]}:</strong> #{v}" }.compact.join("<br />").truncate(140),
+                  # Mapbox.js does sanitization with https://github.com/mapbox/sanitize-caja
+                  # but we should do it here as well
+                  title: r.each_with_index.map { |v, i| i == lat_index || i == lon_index ? nil : "<strong>#{ERB::Util.html_escape(@columns[i])}:</strong> #{ERB::Util.html_escape(v)}" }.compact.join("<br />").truncate(140),
                   latitude: r[lat_index],
                   longitude: r[lon_index]
                 }