@leah-9000 leah-9000 commented Aug 27, 2025

Fixes XSS when rendering place_name.

https://mapbox.atlassian.net/browse/SGEO-2914

Note that bumping the version number for package and CHANGELOG are deferred to another PR, according to these deployment instructions.

  • briefly describe the changes in this PR
  • write tests for all new functionality
  • run npm run docs and commit changes to API.md (no changes)
  • update CHANGELOG.md with changes under main heading before merging

@leah-9000 leah-9000 marked this pull request as ready for review August 27, 2025 21:41
@leah-9000 leah-9000 requested review from a team, ibesora and underoot August 27, 2025 21:50
@@ -93,6 +93,16 @@ function MapboxGeocoder(options) {
this.geolocation = new Geolocation();
}

function escapeHtml(str) {
if (!str) return '';
return String(str)
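
Review bot: `if (!str) return '';` at the top of escapeHtml also catches 0 and false, so a numeric or boolean value would render as an empty string instead of its text. A `str == null` check would keep the empty-string shortcut for null and undefined only. The helper also has no doc comment; one line naming the characters it escapes and the HTML context its output is intended for would tell later callers where it is safe to use.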

Do we need to include / as well?

Contributor Author

I don't think so. Without the preceding <, the slash is a harmless character.
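
The point made in the reply above, as an added example that is not code from this PR or from mapbox-gl-geocoder: once `<` is escaped, a `/` in place_name has no tag to close and stays plain text. The escaped character set, the names `escapeHtmlText`, `renderSuggestion` and `markupCharsFromData`, and the template markup are assumptions; the sample place_name is constructed.

```javascript
// Assumed character set: the five characters that can change parsing in
// HTML element content and in quoted attribute values.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;'
};

// Hypothetical helper. Only null/undefined become '', so 0 and false still render.
function escapeHtmlText(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical suggestion template: the name lands in a double-quoted
// attribute and in element text, the two contexts the escape set covers.
function renderSuggestion(feature) {
  const name = escapeHtmlText(feature.place_name);
  return '<div class="suggestion" title="' + name + '">' + name + '</div>';
}

// Number of markup-significant characters (< > ") that the data added on
// top of the empty template. 0 means the data introduced no markup.
function markupCharsFromData(feature) {
  const count = (html) => (html.match(/[<>"]/g) || []).length;
  return count(renderSuggestion(feature)) - count(renderSuggestion({ place_name: '' }));
}

// Constructed sample: tags, an ampersand, quotes and a bare slash.
const sample = { place_name: '<b>Bold</b> & "Co" / 5th Ave' };

console.log(renderSuggestion(sample));
console.log('markup characters contributed by data:', markupCharsFromData(sample));
```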

@ir-map ir-map left a comment

🚀

@underoot underoot merged commit e7111df into main Aug 28, 2025
4 checks passed
@underoot underoot mentioned this pull request Aug 28, 2025
@underoot

Fix was published https://github.com/mapbox/mapbox-gl-geocoder/releases/tag/v5.1.2
