
Resolved 2/2 "Unsafe HTML construction in leaflet library input"

@Stassi Stassi released this 05 Oct 07:24

Changelog: v0.0.36...v0.0.37
Pull request: #37
Resolves potential vulnerability (2 of 2): Unsafe HTML construction in leaflet library input

Resolution to potential vulnerability (2 of 2)

The leaflet library was found constructing HTML dynamically based on potentially unsafe input, which could allow attackers to inject untrusted HTML or scripts into the web page, leading to a cross-site scripting (XSS) vulnerability.

View the full security disclosure at the project's security policy document.

Solution

innerHTML mutations in the client-side leaflet tutorials are now sanitized by passing each untrusted ("dirty") value through DOMPurify.sanitize(...) before it is assigned, fully resolving the potential vulnerability.
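As an added example (not code from the @stassi/leaflet project), the following Node script audits tutorial sources for innerHTML assignments whose value is not wrapped in DOMPurify.sanitize(...), which is a quick way to confirm the fix covers every mutation; it assumes one statement per line and is a regex scan rather than a JavaScript parser, and the sample snippets are constructed.

```javascript
// Added example, not part of the @stassi/leaflet project: a lint-style check
// that flags `x.innerHTML = ...` or `x.innerHTML += ...` statements whose
// right-hand side is not wrapped in DOMPurify.sanitize(...).
// Assumption: one statement per line; this is a regex scan, not a parser,
// so treat hits as leads to review rather than a complete proof of safety.

// Captures the right-hand side of an innerHTML assignment up to the `;`.
const INNER_HTML_ASSIGNMENT = /\.innerHTML\s*\+?=\s*([^;]+);?/;

// A value counts as sanitized only if the whole expression is the
// DOMPurify.sanitize(...) call (e.g. `sanitize(a) + b` is still flagged).
function isSanitized(rhs) {
  return /^DOMPurify\.sanitize\(.*\)$/.test(rhs.trim());
}

// Returns one finding per unsanitized innerHTML assignment: { line, code }.
function findUnsanitizedInnerHtml(source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    const match = INNER_HTML_ASSIGNMENT.exec(text);
    if (match && !isSanitized(match[1])) {
      findings.push({ line: index + 1, code: text.trim() });
    }
  });
  return findings;
}

// Constructed samples resembling a tutorial snippet before and after the fix.
const BEFORE_FIX = `
const popup = document.getElementById('popup');
popup.innerHTML = '<b>' + feature.properties.name + '</b>';
list.innerHTML += '<li>' + userLabel + '</li>';
`;

const AFTER_FIX = `
const popup = document.getElementById('popup');
popup.innerHTML = DOMPurify.sanitize('<b>' + feature.properties.name + '</b>');
list.innerHTML += DOMPurify.sanitize('<li>' + userLabel + '</li>');
`;

console.log(findUnsanitizedInnerHtml(BEFORE_FIX)); // two findings (lines 3 and 4)
console.log(findUnsanitizedInnerHtml(AFTER_FIX));  // []
```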

Update required

If any project requires a version of @stassi/leaflet prior to v0.0.37, run npm update immediately to ensure the latest security updates are received.