From 9348350ba3ba1c23aa6273f1eeafe0346a306ba6 Mon Sep 17 00:00:00 2001
From: Boon Boonsiri <35120291+boonboonsiri@users.noreply.github.com>
Date: Thu, 12 Oct 2023 01:22:51 -0400
Subject: [PATCH] Allow base 64 url as images for static maps (#1007)
* allow base-64 url as images
* Add option to config
* Refactoring
* Update docs
* feat: added base64 url images lint
Signed-off-by: Boon Boonsiri
---------
Signed-off-by: Boon Boonsiri
---
 docs/config.rst | 7 +++++++
 src/serve_rendered.js | 9 +++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/docs/config.rst b/docs/config.rst
index 648957f..e61bb1c 100644
--- a/docs/config.rst
+++ b/docs/config.rst
@@ -157,6 +157,13 @@ Allows the rendering of marker icons fetched via http(s) hyperlinks.
 For security reasons only allow this if you can control the origins from where the markers are fetched!
 Default is to disallow fetching of icons from remote sources.
+``allowInlineMarkerImages``
+--------------
+Allows the rendering of inline marker icons or base64 urls.
+For security reasons only allow this if you can control the origins from where the markers are fetched!
+Not used by default.
+
+
 ``styles``
 ==========
diff --git a/src/serve_rendered.js b/src/serve_rendered.js
index dd57016..78648d5 100644
--- a/src/serve_rendered.js
+++ b/src/serve_rendered.js
@@ -279,7 +279,10 @@ const extractMarkersFromQuery = (query, options, transformer) => {
 let iconURI = markerParts[1];
 // Check if icon is served via http otherwise marker icons are expected to
 // be provided as filepaths relative to configured icon path
- if (!(iconURI.startsWith('http://') || iconURI.startsWith('https://'))) {
+ const isRemoteURL =
+ iconURI.startsWith('http://') || iconURI.startsWith('https://');
+ const isDataURL = iconURI.startsWith('data:');
+ if (!(isRemoteURL || isDataURL)) {
 // Sanitize URI with sanitize-filename
 // https://www.npmjs.com/package/sanitize-filename#details
 iconURI = sanitize(iconURI);
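Review bot: `isDataURL` is true for any string that starts with `data:`, so an inline icon skips the `sanitize` call in this branch with no check on its media type or length. The value is taken from `markerParts[1]`, which by the function's name comes from the request query, so once `allowInlineMarkerImages` is enabled the requester chooses the bytes handed to the image loader; the loading code is outside this hunk, so its handling of oversized or non-raster payloads cannot be confirmed here. Consider narrowing the match to the formats you intend to support, for example `const isDataURL = /^data:image\/(png|jpeg);base64,/.test(iconURI);`, and skipping markers whose URI exceeds a configured length cap. extractMarkersFromQuery starts and ends outside the hunk.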
@@ -292,7 +295,9 @@ const extractMarkersFromQuery = (query, options, transformer) => {
 iconURI = path.resolve(options.paths.icons, iconURI);
 // When we encounter a remote icon check if the configuration explicitly allows them.
- } else if (options.allowRemoteMarkerIcons !== true) {
+ } else if (isRemoteURL && options.allowRemoteMarkerIcons !== true) {
+ continue;
+ } else if (isDataURL && options.allowInlineMarkerImages !== true) {
 continue;
 }
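Review bot: The comment above the `else if` chain still describes only remote icons, although the chain now gates inline data URLs as well; it could read `// Remote and inline (data:) icons are skipped unless the matching option is explicitly set to true.` The `!== true` comparisons keep both options default-deny. The text added to docs/config.rst for `allowInlineMarkerImages` warns about controlling the origins markers are fetched from, but an inline image arrives in the request itself, so the operator-facing warning would be more accurate if it said that enabling the option lets anyone who can issue render requests supply the image data.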