Merge pull request #944 from mapbox/as/fix-xss-vuln

Fix XSS Vulnerability & Sanitize with DOMPurify

Author: AndrewSepic

package-lock.json

@@ -32,6 +32,7 @@
     "csv2geojson": "5.1.2",
     "d3": "3.5.17",
     "d3-metatable": "0.3.0",
+    "dompurify": "^3.3.1",
     "escape-html": "^1.0.1",
     "file-saver": "2.0.5",
     "geojson-flatten": "^1.0.4",
@@ -86,7 +87,6 @@
     "test-browser": "browserify test/index.js | testling",
     "start": "concurrently --kill-others --names live-server rollup \"live-server --ignore=\"$PWD/src/**,$PWD/dist/**,$PWD/.git\"\" \"rollup -cw\" \"npx tailwindcss -i $PWD/src/css/tailwind_src.css -o $PWD/dist/css/tailwind_dist.css --watch\"",
     "build": "rimraf dist && npx tailwindcss -i ./src/css/tailwind_src.css -o ./dist/css/tailwind_dist.css && rollup -c",
-    "build:next": "cd next && npm ci && npm run build",
     "serve": "cd dist && live-server"
   },
   "overrides": {

package.json

@@ -2,6 +2,7 @@ const mapboxgl = require('mapbox-gl');
 const escape = require('escape-html');
 const length = require('@turf/length').default;
 const area = require('@turf/area').default;
+const DOMPurify = require('dompurify');
 
 const popup = require('../../lib/popup');
 const ClickableMarker = require('./clickable_marker');
@@ -113,7 +114,8 @@ const addMarkers = (geojson, context, writable) => {
     const color =
       (d.properties && d.properties['marker-color']) || defaultColor;
     const symbolColor =
-      (d.properties && d.properties['symbol-color']) || defaultSymbolColor;
+      (d.properties && DOMPurify.sanitize(d.properties['symbol-color'])) ||
+      defaultSymbolColor;
 
     let scale = 1;
     if (d.properties && d.properties['marker-size']) {