From ce36be810e354a838971bd385994481f0ba03903 Mon Sep 17 00:00:00 2001 From: Michael Nutt Date: Wed, 7 Apr 2021 21:18:23 -0400 Subject: [PATCH] fix xss due to handlebars variables in javascript --- public/templates/viewer.tmpl | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/public/templates/viewer.tmpl b/public/templates/viewer.tmpl index c233f63..e4257fa 100644 --- a/public/templates/viewer.tmpl +++ b/public/templates/viewer.tmpl @@ -26,11 +26,14 @@ q.indexOf('vector') >= 0 ? 'vector' : (q.indexOf('raster') >= 0 ? 'raster' : (maplibregl.supported() ? 'vector' : 'raster')); + var keyMatch = location.search.match(/[\?\&]key=([^&]+)/i); + var key = keyMatch ? '?key=' + keyMatch[1] : ''; + if (preference == 'vector') { - maplibregl.setRTLTextPlugin('{{public_url}}mapbox-gl-rtl-text.js{{&key_query}}'); + maplibregl.setRTLTextPlugin('{{public_url}}mapbox-gl-rtl-text.js' + key); var map = new maplibregl.Map({ container: 'map', - style: '{{public_url}}styles/{{id}}/style.json{{&key_query}}', + style: '{{public_url}}styles/{{id}}/style.json' + key, hash: true, maplibreLogo: true }); @@ -49,7 +52,7 @@ new L.Control.Zoom({ position: 'topright' }).addTo(map); var tile_urls = [], tile_attribution, tile_minzoom, tile_maxzoom; - var url = '{{public_url}}styles/{{id}}.json{{&key_query}}'; + var url = '{{public_url}}styles/{{id}}.json' + key; var req = new XMLHttpRequest(); req.overrideMimeType("application/json"); req.open('GET', url, true);
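Review bot: The value captured from `location.search` on the `var keyMatch` line is spliced into three URLs verbatim, so whatever the browser left literal or percent-encoded in the incoming query (`+`, `%`-sequences, `?`) is forwarded unchanged; `[^&]+` keeps it inside one query parameter, so this is not a page injection, but the key is never normalized and a malformed value silently produces a different request than the one opened. Parsing and re-encoding makes the intent explicit and drops the hand-written regex: `var params = new URLSearchParams(location.search);` and `var key = params.has('key') ? '?key=' + encodeURIComponent(params.get('key')) : '';`. The `i` flag on the current regex also accepts `KEY=`, which the server presumably does not treat as equivalent — confirm before keeping case-insensitivity, and mark the variable with `// key is user-controlled: keep it in the query string only, never in markup`. The `if (preference == 'vector')` block this hunk edits continues past the hunk.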
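Review bot: The `var url` line is the third place in this patch where `key` is appended by hand to a template-built path, and `tile_urls` declared one line above is still empty here, so whatever fills it later outside the hunk will need the same suffix if those tiles are key-protected — worth confirming. A single helper, `function withKey(path) { return path + key; }`, used at all three call sites keeps them from drifting the next time the query handling changes. The Leaflet branch containing this hunk starts and ends outside it.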