From b5d126016712a89063c791b9553bc9318e185218 Mon Sep 17 00:00:00 2001
From: Thomas Neirynck
Date: Thu, 5 Dec 2019 15:55:26 -0500
Subject: [PATCH] [Coordinate map] Sanitize WMS attribution (#52309)
Sanitize the WMS-attribution input before displaying it in the leaflet-attribution control.
---
 .../ui/public/vis/__tests__/map/kibana_map.js | 24 ++++++++++++++++++-
 src/legacy/ui/public/vis/map/kibana_map.js | 2 ++
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/src/legacy/ui/public/vis/__tests__/map/kibana_map.js b/src/legacy/ui/public/vis/__tests__/map/kibana_map.js
index e67d4b5f7603b..88718452d919a 100644
--- a/src/legacy/ui/public/vis/__tests__/map/kibana_map.js
+++ b/src/legacy/ui/public/vis/__tests__/map/kibana_map.js
@@ -251,7 +251,6 @@ describe('kibana_map tests', function () {
 kibanaMap.removeLayer(layer);
 expect(domNode.querySelectorAll('.leaflet-control-attribution')[0].innerHTML).to.equal('foo, bar');
-
 });
 });
@@ -320,6 +319,29 @@ describe('kibana_map tests', function () {
 });
+ it('WMS - should clean attribution', async function () {
+
+ const options = {
+ url: 'https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer',
+ version: '1.1.0',
+ layers: '0',
+ format: 'image/png',
+ transparent: true,
+ attribution: '
foobar
',
+ styles: '',
+ minZoom: 1,
+ maxZoom: 18
+ };
+
+ kibanaMap.setBaseLayer({
+ baseLayerType: 'wms',
+ options: options
+ });
+
+ expect(domNode.querySelectorAll('.leaflet-control-attribution')[0].innerHTML).to.equal('<div>foobar</div>');
+
+ });
+
 });
diff --git a/src/legacy/ui/public/vis/map/kibana_map.js b/src/legacy/ui/public/vis/map/kibana_map.js
index f92fc1c681d8a..dc57809b6570f 100644
--- a/src/legacy/ui/public/vis/map/kibana_map.js
+++ b/src/legacy/ui/public/vis/map/kibana_map.js
@@ -564,6 +564,8 @@ export class KibanaMap extends EventEmitter {
 let baseLayer;
 if (settings.baseLayerType === 'wms') {
+ //This is user-input that is rendered with the Leaflet attribution control. Needs to be sanitized.
+ this._baseLayerSettings.options.attribution = _.escape(settings.options.attribution);
 baseLayer = this._getWMSBaseLayer(settings.options);
 } else if (settings.baseLayerType === 'tms') {
 baseLayer = this._getTMSBaseLayer((settings.options));
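Review bot: The new `it('WMS - should clean attribution', ...)` case is declared `async function ()` but awaits nothing, and `options.url` names a live public WMS endpoint, so setting the base layer may start real tile requests during the test run (whether the harness stubs them is not visible here). Dropping `async` and pointing the fixture at a placeholder host such as `https://wms.example.invalid/WMSServer` (constructed) would keep the assertion on the attribution control independent of the network. The fixture also covers a single element only; a second case whose attribution contains `&` and quote characters would pin the rest of what `_.escape` is relied on for. The enclosing `describe` starts outside the hunk.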
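Review bot: The escaped attribution is written to `this._baseLayerSettings.options`, but the layer on the next line is built from `settings.options`; the fix therefore takes effect only if both names refer to the same object, which would be established outside this hunk (the enclosing method starts and ends outside it). It also rewrites the caller's settings object in place. Passing an escaped copy makes the sanitization local and explicit: `baseLayer = this._getWMSBaseLayer({ ...settings.options, attribution: _.escape(settings.options.attribution) });`. The `tms` branch still passes `settings.options` through unchanged; if its attribution can also be user-supplied it needs the same treatment, ideally at the single place where the attribution string is handed to Leaflet.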