From 038bfe29d636628e25e2efaa072ab55bda3b2ad7 Mon Sep 17 00:00:00 2001
From: Daniel Korp
Date: Thu, 2 Jul 2020 10:28:25 +0200
Subject: [PATCH] Fix reflected XSS in 'style' parameter
---
 src/utils.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/utils.js b/src/utils.js
index 95c90c5..6037e20 100644
--- a/src/utils.js
+++ b/src/utils.js
@@ -43,7 +43,7 @@ module.exports.getTileUrls = (req, domains, path, format, publicUrl, aliases) =>
 queryParams.push(`key=${encodeURIComponent(req.query.key)}`);
 }
 if (req.query.style) {
- queryParams.push(`style=${req.query.style}`);
+ queryParams.push(`style=${encodeURIComponent(req.query.style)}`);
 }
 const query = queryParams.length > 0 ? (`?${queryParams.join('&')}`) : '';
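Review bot: `encodeURIComponent` on the added line percent-encodes the value for the query string but leaves `'`, `(`, `)`, `!` and `*` untouched, so whether this fully closes the reflected XSS depends on how the returned tile URLs are written into the response, and that sink is not visible in this hunk. It is worth confirming that the code emitting these URLs escapes for its own context (HTML attribute, script or JSON) rather than relying on this call alone. Separately, `req.query.style` may arrive as an array or object if the query parser accepts repeated or bracketed keys (inferred; the parser configuration is not shown), in which case it is silently coerced to a string. A guard such as `if (typeof req.query.style === 'string' && req.query.style) {` would make that explicit, and the same applies to the `key` branch above. The diffstat shows no test change, so a regression test asserting that a `style` value containing markup characters comes back percent-encoded would pin the fix; `getTileUrls` starts and ends outside the hunk.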