Fixes code scanning alerts

dkastl · dkastl · commit 8ab4d717a598 · 2024-07-04T13:23:38.000+09:00
Signed-off-by: Daniel Kastl &lt;daniel@georepublic.de&gt;
diff --git a/package.json b/package.json
@@ -22,18 +22,20 @@
   "dependencies": {
     "@juggle/resize-observer": "^3.4.0",
     "@mdi/font": "^7.4.47",
+    "dompurify": "^3.1.5",
     "fontfaceobserver": "^2.3.0",
     "geojson": "^0.5.0",
     "ol": "^9.1.0",
     "ol-ext": "^4.0.15",
     "ol-mapbox-style": "^12.3.4"
   },
   "devDependencies": {
+    "@types/dompurify": "^3.0.5",
     "@types/fontfaceobserver": "^2.1.3",
     "@types/geojson": "^7946.0.14",
+    "@types/google.maps": "^3.55.11",
     "@types/jquery": "^3.5.30",
     "@types/jqueryui": "^1.12.23",
-    "@types/google.maps": "^3.55.11",
     "@types/ol-ext": "npm:@siedlerchr/types-ol-ext",
     "css-loader": "^7.1.2",
     "sass": "^1.77.6",
diff --git a/src/components/gtt-client/init/controls.ts b/src/components/gtt-client/init/controls.ts
@@ -8,6 +8,7 @@ import Target from 'ol-ext/control/Target';
 import Hover from  'ol-ext/interaction/Hover';
 import Notification from 'ol-ext/control/Notification';
 import { position } from 'ol-ext/control/control';
+import DOMPurify from 'dompurify';
 
 import { radiansToDegrees, degreesToRadians, parseHistory, formatLength, formatArea } from "../helpers";
 import { zoomToExtent, setGeolocation, setView, setControls, setPopover } from "../openlayers";
@@ -43,7 +44,8 @@ function setSearchControl(instance: any): void {
         // Add copy to clipboard functionality, if available
         if (navigator.clipboard) {
           // strip htmls from response title
-          const text = response.title.replace(/<[^>]*>?/gm, '');
+          const sanitizedTitle = DOMPurify.sanitize(response.title, { ALLOWED_TAGS: [] });
+          const text = sanitizedTitle.replace(/<[^>]*>?/gm, '');
           navigator.clipboard.writeText(text);
           instance.map.notification.show(instance.i18n.control.copied_location_to_clipboard);
         }
diff --git a/src/components/gtt-client/openlayers/index.ts b/src/components/gtt-client/openlayers/index.ts
@@ -443,11 +443,22 @@ export function setPopover() {
     template: {
       title: (ftr: any) => {
         const popup_contents = JSON.parse(this.contents.popup);
-        const url = popup_contents.href.replace(/\[(.+?)\]/g, ftr.get('id'));
         const subject = ftr.get('subject');
         const displaySubject = subject.length > 25 ? `${subject.substring(0, 22)}…` : subject;
+
+        const replacePlaceholders = (str: string, replacement: string): string => {
+          return str.split('[').map(part => {
+            const endIndex = part.indexOf(']');
+            if (endIndex !== -1) {
+              return replacement + part.substring(endIndex + 1);
+            }
+            return part;
+          }).join('');
+        };
+
+        const url = replacePlaceholders(popup_contents.href, ftr.get('id'));
         return `${displaySubject} <a href="${url}"><i class="mdi mdi-arrow-right-circle-outline"></i></a>`;
-      },
+        },
       attributes: {}
     }
   });
diff --git a/tsconfig.json b/tsconfig.json
@@ -12,6 +12,7 @@
     // "esModuleInterop": true,
     // "skipLibCheck": true,
     // "sourceMap": true,
+    "allowSyntheticDefaultImports": true,
     "paths": {
       "*": ["@types/*"]
     }
diff --git a/yarn.lock b/yarn.lock
@@ -109,6 +109,13 @@
   resolved "https://registry.npmjs.org/@petamoriken/float16/-/float16-3.8.0.tgz"
   integrity sha512-AhVAm6SQ+zgxIiOzwVdUcDmKlu/qU39FiYD2UD6kQQaVenrn0dGZewIghWAENGQsvC+1avLCuT+T2/3Gsp/W3w==
 
+"@types/dompurify@^3.0.5":
+  version "3.0.5"
+  resolved "https://registry.yarnpkg.com/@types/dompurify/-/dompurify-3.0.5.tgz#02069a2fcb89a163bacf1a788f73cb415dd75cb7"
+  integrity sha512-1Wg0g3BtQF7sSb27fJQAKck1HECM6zV1EB66j8JH9i3LCjYabJa0FSdiSgsD5K/RbrsR0SiraKacLB+T8ZVYAg==
+  dependencies:
+    "@types/trusted-types" "*"
+
 "@types/eslint-scope@^3.7.3":
   version "3.7.4"
   resolved "https://registry.npmjs.org/@types/eslint-scope/-/eslint-scope-3.7.4.tgz"
@@ -191,6 +198,11 @@
   resolved "https://registry.npmjs.org/@types/sizzle/-/sizzle-2.3.3.tgz"
   integrity sha512-JYM8x9EGF163bEyhdJBpR2QX1R5naCJHC8ucJylJ3w9/CVBaskdQ8WqBf8MmQrd1kRvp/a4TS8HJ+bxzR7ZJYQ==
 
+"@types/trusted-types@*":
+  version "2.0.7"
+  resolved "https://registry.yarnpkg.com/@types/trusted-types/-/trusted-types-2.0.7.tgz#baccb07a970b91707df3a3e8ba6896c57ead2d11"
+  integrity sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==
+
 "@webassemblyjs/ast@1.12.1", "@webassemblyjs/ast@^1.12.1":
   version "1.12.1"
   resolved "https://registry.yarnpkg.com/@webassemblyjs/ast/-/ast-1.12.1.tgz#bb16a0e8b1914f979f45864c23819cc3e3f0d4bb"
@@ -531,6 +543,11 @@ cssesc@^3.0.0:
   resolved "https://registry.npmjs.org/cssesc/-/cssesc-3.0.0.tgz"
   integrity sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg==
 
+dompurify@^3.1.5:
+  version "3.1.5"
+  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-3.1.5.tgz#2c6a113fc728682a0f55684b1388c58ddb79dc38"
+  integrity sha512-lwG+n5h8QNpxtyrJW/gJWckL+1/DQiYMX8f7t8Z2AZTPw1esVrqjI63i7Zc2Gz0aKzLVMYC1V1PL/ky+aY/NgA==
+
 earcut@^2.2.3:
   version "2.2.4"
   resolved "https://registry.npmjs.org/earcut/-/earcut-2.2.4.tgz"

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@`
`12`	`12`	`// "esModuleInterop": true,`
`13`	`13`	`// "skipLibCheck": true,`
`14`	`14`	`// "sourceMap": true,`
	`15`	`+ "allowSyntheticDefaultImports": true,`
`15`	`16`	`"paths": {`
`16`	`17`	`"": ["@types/"]`
`17`	`18`	`}`