From 3c56d5a5aca0f3c72306a1114e44db93022a6ad8 Mon Sep 17 00:00:00 2001
From: leah-9000 <2700877+leah-9000@users.noreply.github.com>
Date: Wed, 27 Aug 2025 14:26:41 -0700
Subject: [PATCH 1/3] sanitize HTML output for place_name

---
 lib/index.js | 12 +++++++++++-
 test/test.geocoder.js | 16 ++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/lib/index.js b/lib/index.js
index 971eea1d..23eabdbd 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -93,6 +93,16 @@ function MapboxGeocoder(options) {
 this.geolocation = new Geolocation();
 }
+function escapeHtml(str) {
+ if (!str) return '';
+ return String(str)
+ .replace(/&/g, '&')
+ .replace(//g, '>')
+ .replace(/"/g, '"')
+ .replace(/'/g, ''');
+}
+
 MapboxGeocoder.prototype = {
 options: {
 zoom: 16,
@@ -116,7 +126,7 @@ MapboxGeocoder.prototype = {
 return item.place_name
 },
 render: function(item) {
- var placeName = item.place_name.split(',');
+ var placeName = escapeHtml(item.place_name).split(',');
 return '
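Review bot: `escapeHtml` is added without a doc comment, and the order of its replacements is load-bearing: `&` must be replaced first, otherwise the `&` introduced by the later entities would itself be re-escaped. I would add `/** Escape &, <, >, " and ' so str can be safely concatenated into HTML markup; '&' is replaced first so the entities produced afterwards are not re-escaped. Returns '' for a missing value. */` above the function. As rendered on this page the chain reads `.replace(//g, '>')` and the `"` and `'` branches show their own character as the replacement, which looks like extraction loss of the entity text rather than the committed code (an empty `//g` pattern would insert the replacement between every character), but it is worth confirming the committed source keeps separate `<` → `&lt;` and `>` → `&gt;` replacements. The `if (!str) return ''` guard also silently maps non-string falsy input such as `0` to an empty string, which is fine for `place_name` but worth stating in the comment.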
' + placeName[0]+ '
' + placeName.splice(1, placeName.length).join(',') + '
';
 }
 },
diff --git a/test/test.geocoder.js b/test/test.geocoder.js
index 5dcdc7d2..922d408c 100644
--- a/test/test.geocoder.js
+++ b/test/test.geocoder.js
@@ -40,6 +40,22 @@ test('geocoder', function(tt) {
 t.end();
 });
+ tt.test('rendered place name is HTML-sanitized', function(t){
+ t.plan(2);
+
+ const html = ''; // should not render this as-is!
+ const escapedHtml = '<script>alert(1)</script>';
+
+ var fixture = {
+ id: 'abc123',
+ place_name: html
+ }
+
+ const rendered = geocoder.options.render(fixture);
+ t.ok(rendered.indexOf(html) === -1, 'rendered result does not contain original dangerous HTML');
+ t.ok(rendered.indexOf(escapedHtml) > 0, 'rendered result contains escaped version of HTML');
+ })
+
 tt.test('set/get input', function(t) {
 t.plan(4)
 setup({ proximity: { longitude: -79.45, latitude: 43.65 } });

From 74afc6f25b5ebc5c12ac9aae8da1dc063c6a2fa6 Mon Sep 17 00:00:00 2001
From: leah-9000 <2700877+leah-9000@users.noreply.github.com>
Date: Wed, 27 Aug 2025 14:36:36 -0700
Subject: [PATCH 2/3] update version, changelog

---
 CHANGELOG.md | 6 ++++++
 package.json | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index aec1538c..0f4103fe 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 ## HEAD
+## 5.1.2
+
+### Bug fixes 🐛
+
+- Fix potential XSS when rendering place name [#547](https://github.com/mapbox/mapbox-gl-geocoder/pull/547)
+
 ## 5.1.1
 ### Dependency update
diff --git a/package.json b/package.json
index d06ba3ee..2b692621 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@mapbox/mapbox-gl-geocoder",
- "version": "5.1.1",
+ "version": "5.1.2",
 "description": "A geocoder control for Mapbox GL JS",
 "main": "lib/index.js",
 "unpkg": "dist/mapbox-gl-geocoder.min.js",

From c7fb73bfaa53ef9764c19e769b191c94743889e9 Mon Sep 17 00:00:00 2001
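Review bot: The escaping is applied only inside the default `render`, while `render` is a member of `options` (the new test calls it as `geocoder.options.render(fixture)`), so a caller-supplied `render` override would presumably still interpolate the raw `place_name`, and `escapeHtml` is module-private, leaving such overrides nothing to reuse. Consider exposing the helper, e.g. `MapboxGeocoder.escapeHtml = escapeHtml;` next to the prototype assignment, and noting in the `render` option's documentation that overrides receive unescaped `item` fields and are responsible for escaping them. The rest of `render`'s body on this page has lost its markup to extraction, so whether other `item` fields are interpolated there cannot be checked from here.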
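Review bot: The new test only exercises the `<` and `>` replacements; the `&`, `"` and `'` branches of `escapeHtml` have no coverage, and `rendered.indexOf(escapedHtml) > 0` would fail spuriously if the escaped text ever appeared at offset 0, so `rendered.indexOf(escapedHtml) !== -1` is the safer assertion. A second fixture whose `place_name` contains an ampersand and both quote characters, asserted against the expected entity-encoded string, would pin the remaining branches. As rendered here `const html = '';` appears to have lost its tag contents to extraction; the committed test presumably assigns the raw script markup. Style-wise the block mixes `const` with `var fixture`, which also lacks its closing semicolon, and the test depends on `geocoder` being set up by code outside this hunk.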
From: leah-9000 <2700877+leah-9000@users.noreply.github.com>
Date: Wed, 27 Aug 2025 14:46:46 -0700
Subject: [PATCH 3/3] modify changelog, undo version per deployment instructions

---
 CHANGELOG.md | 2 --
 package.json | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0f4103fe..052a11fc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,7 +1,5 @@
 ## HEAD
-## 5.1.2
-
 ### Bug fixes 🐛
 - Fix potential XSS when rendering place name [#547](https://github.com/mapbox/mapbox-gl-geocoder/pull/547)
diff --git a/package.json b/package.json
index 2b692621..d06ba3ee 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@mapbox/mapbox-gl-geocoder",
- "version": "5.1.2",
+ "version": "5.1.1",
 "description": "A geocoder control for Mapbox GL JS",
 "main": "lib/index.js",
 "unpkg": "dist/mapbox-gl-geocoder.min.js",