From f95dd1c94df8340ab60d392b890c390322ed2237 Mon Sep 17 00:00:00 2001
From: Mathis Hofer
Date: Thu, 12 Mar 2026 11:36:46 +0100
Subject: [PATCH] fix: Escape custom attribution to avoid XSS #67
---
 CHANGELOG.md | 1 +
 app/charts/map/custom-attribution.tsx | 8 +++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8ee6e87f54..95e94696a8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ You can also check the
 ## Unreleased
 - Fixes
+ - Fix XSS vulnerability caused by unescaped map layer attributions
 - Allow GraphQL endpoint to return larger responses by increasing the response limit to 20 MB
diff --git a/app/charts/map/custom-attribution.tsx b/app/charts/map/custom-attribution.tsx
index 869a1293c7..8e76bb4fb9 100644
--- a/app/charts/map/custom-attribution.tsx
+++ b/app/charts/map/custom-attribution.tsx
@@ -20,7 +20,7 @@ export const CustomAttribution = ({ attribution }: { attribution: string }) => {
 const control = new maplibregl.AttributionControl({
 // className was not working (?), so style is used. To revisit later if needed.
 customAttribution: attribution
- ? `${attribution}`
+ ? `${escapeHtml(attribution)}`
 : undefined,
 });
@@ -39,3 +39,9 @@ export const CustomAttribution = ({ attribution }: { attribution: string }) => {
 return null;
 };
+
+function escapeHtml(text: string): string {
+ const div = document.createElement("div");
+ div.textContent = text;
+ return div.innerHTML;
+}
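Review bot: The template literal wrapping the escaped value in the `customAttribution` branch is now redundant, since `escapeHtml` already returns a string; `? escapeHtml(attribution)` is clearer and makes the trust boundary visible at a glance. Escaping is the right mitigation here only on the assumption that maplibre's AttributionControl injects `customAttribution` as HTML into its container (which is what the original XSS implies) rather than as an attribute value — worth confirming, because the helper does not escape quotes. Note that full escaping also turns any attribution that intentionally carried markup (for example an `<a href>` credit link) into literal text; if links are a requirement, an allowlist sanitizer would be needed instead of plain escaping. Any attributions that maplibre itself pulls from the map style's sources are not covered by this change. The CustomAttribution function starts and ends outside this hunk.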
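Review bot: `escapeHtml` should document the contract it actually provides, because the textContent-to-innerHTML round trip escapes `&`, `<` and `>` (and serialises U+00A0 as `&nbsp;`) but leaves `"` and `'` untouched, so it is only safe for text-node context and must never be used for a value that ends up inside an HTML attribute. I would add above the function: `// Escapes for HTML text-node context only (&, <, >). Quotes are NOT escaped — do not use for attribute values.` It also depends on a live `document`, which presumably holds because this component only instantiates the control in the browser; a one-line note to that effect would save the next reader from reusing it in server-side code. The enclosing CustomAttribution body begins outside this hunk.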