From 10431d70d0f0d7b7950ae2c02aea0850c7566621 Mon Sep 17 00:00:00 2001
From: Daniel Korp
Date: Thu, 2 Jul 2020 09:30:33 +0200
Subject: [PATCH] Fix reflected XSS in 'key' parameter. Fixes #461
---
 src/serve_style.js | 2 +-
 src/server.js | 6 +++---
 src/utils.js | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/serve_style.js b/src/serve_style.js
index ca441db..fb75ad8 100644
--- a/src/serve_style.js
+++ b/src/serve_style.js
@@ -17,7 +17,7 @@ const fixUrl = (req, url, publicUrl, opt_nokey) => {
 }
 const queryParams = [];
 if (!opt_nokey && req.query.key) {
- queryParams.unshift(`key=${req.query.key}`);
+ queryParams.unshift(`key=${encodeURIComponent(req.query.key)}`);
 }
 let query = '';
 if (queryParams.length) {
diff --git a/src/server.js b/src/server.js
index 6b258e0..59de3cd 100644
--- a/src/server.js
+++ b/src/server.js
@@ -243,7 +243,7 @@ function start(opts) {
 app.get('/styles.json', (req, res, next) => {
 const result = [];
- const query = req.query.key ? (`?key=${req.query.key}`) : '';
+ const query = req.query.key ? (`?key=${encodeURIComponent(req.query.key)}`) : '';
 for (const id of Object.keys(serving.styles)) {
 const styleJSON = serving.styles[id].styleJSON;
 result.push({
@@ -319,8 +319,8 @@ function start(opts) {
 data['public_url'] = opts.publicUrl || '/';
 data['is_light'] = isLight;
 data['key_query_part'] =
- req.query.key ? `key=${req.query.key}&` : '';
- data['key_query'] = req.query.key ? `?key=${req.query.key}` : '';
+ req.query.key ? `key=${encodeURIComponent(req.query.key)}&` : '';
+ data['key_query'] = req.query.key ? `?key=${encodeURIComponent(req.query.key)}` : '';
 if (template === 'wmts') res.set('Content-Type', 'text/xml');
 return res.status(200).send(compiled(data));
 });
diff --git a/src/utils.js b/src/utils.js
index 41cfeac..95c90c5 100644
--- a/src/utils.js
+++ b/src/utils.js
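Review bot: `req.query.key` is encoded here in `fixUrl` without first checking that it is a string, and the same holds for the `/styles.json` handler and the template data in src/server.js and for `getTileUrls` in src/utils.js. If the app relies on Express's stock query parsing (not visible in this patch), a repeated `key` parameter arrives as an array and `encodeURIComponent` joins it with commas, so the emitted key silently differs from the one that was sent. I would guard with `typeof req.query.key === 'string'` and move the encoding into one helper in src/utils.js, so the five call sites cannot drift apart. `fixUrl` begins and ends outside this hunk.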
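Review bot: `encodeURIComponent` leaves `'`, `(`, `)`, `!`, `*` and `~` untouched, so `key_query_part` and `key_query` in the second src/server.js hunk are only safe where the template places them in a double-quoted attribute or a plain URL. The templates are not part of this patch; if any of them emits these values unescaped inside a single-quoted attribute or an inline script, the encoding alone does not close the issue, and HTML-escaping at the template is the sturdier fix. At minimum I would add `// URL-encoded only; templates must still HTML-escape these values` above the two assignments. The handler these lines belong to starts outside the hunk.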
@@ -40,7 +40,7 @@ module.exports.getTileUrls = (req, domains, path, format, publicUrl, aliases) =>
 const key = req.query.key;
 const queryParams = [];
 if (req.query.key) {
- queryParams.push(`key=${req.query.key}`);
+ queryParams.push(`key=${encodeURIComponent(req.query.key)}`);
 }
 if (req.query.style) {
 queryParams.push(`style=${req.query.style}`);
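Review bot: The context line ``queryParams.push(`style=${req.query.style}`);`` right below the fix still copies a request parameter into the URL unencoded, which is the same pattern this commit removes for `key`. It should become ``queryParams.push(`style=${encodeURIComponent(req.query.style)}`);``. Where the returned tile URLs end up is not visible here, so the impact is unconfirmed, but encoding both parameters keeps the function consistent. `getTileUrls` continues past the end of this hunk.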