Reference CVE-2016-4561 in 3.20141016.3 changelog
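index f570f4032e00150ad7d57235f366925e8e47758e..472e26945a75575215218294c2a01cc68748bbf3 100644
--- a/IkiWiki/Plugin/osm.pm
+++ b/IkiWiki/Plugin/osm.pm
@@ -192,6 +192,7 @@ sub process_waypoint {
                }
        }
        $icon = urlto($icon, $dest, 1);
+       $icon =~ s!/*$!!; # hack - urlto shouldn't be appending a slash in the first place
        $tag = '' unless $tag;
        register_rendered_files($map, $page, $dest);
        $pagestate{$page}{'osm'}{$map}{'waypoints'}{$name} = {
@@ -359,23 +360,29 @@ sub writekml($;$) {
        foreach my $map (keys %waypoints) {
                my $output;
                my $writer = XML::Writer->new( OUTPUT => \$output,
-                       DATA_MODE => 1, ENCODING => 'UTF-8');
+                       DATA_MODE => 1, DATA_INDENT => ' ', ENCODING => 'UTF-8');
                $writer->xmlDecl();
                $writer->startTag("kml", "xmlns" => "http://www.opengis.net/kml/2.2");
                $writer->startTag("Document");
 
                # first pass: get the icons
+               my %tags_map = (); # keep track of tags seen
                foreach my $name (keys %{$waypoints{$map}}) {
                        my %options = %{$waypoints{$map}{$name}};
-                       $writer->startTag("Style", id => $options{tag});
-                       $writer->startTag("IconStyle");
-                       $writer->startTag("Icon");
-                       $writer->startTag("href");
-                       $writer->characters($options{icon});
-                       $writer->endTag();
-                       $writer->endTag();
-                       $writer->endTag();
-                       $writer->endTag();
+                       if (!$tags_map{$options{tag}}) {
+                           debug("found new style " . $options{tag});
+                           $tags_map{$options{tag}} = ();
+                           $writer->startTag("Style", id => $options{tag});
+                           $writer->startTag("IconStyle");
+                           $writer->startTag("Icon");
+                           $writer->startTag("href");
+                           $writer->characters($options{icon});
+                           $writer->endTag();
+                           $writer->endTag();
+                           $writer->endTag();
+                           $writer->endTag();
+                       }
+                       $tags_map{$options{tag}}{$name} = \%options;
                }
        
                foreach my $name (keys %{$waypoints{$map}}) {
@@ -500,7 +507,7 @@ sub include_javascript ($) {
                }
        }
        if ($loader) {
-               return embed_map_code($page) . "<script type=\"text/javascript\" charset=\"utf-8\">$loader</script>";
+               return embed_map_code($page) . "<script type=\"text/javascript\">$loader</script>";
        }
        else {
                return '';
@@ -527,7 +534,7 @@ sub cgi($) {
        print "<html><body>";
        print "<div id=\"mapdiv-$map\"></div>";
        print embed_map_code();
-       print "<script type=\"text/javascript\" charset=\"utf-8\">";
+       print "<script type=\"text/javascript\">";
        print map_setup_code($map, $map,
                lat => "urlParams['lat']",
                lon => "urlParams['lon']",
@@ -582,6 +589,7 @@ sub map_setup_code($;@) {
        }
         $options{'layers'} = $config{osm_layers};
 
+       $name=~s/'//g; # $name comes from user input
        return "mapsetup('mapdiv-$name', " . to_json(\%options) . ");";
 }
 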
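Review bot: In map_setup_code, `$name=~s/'//g;` deletes only the single quote before `$name` is interpolated into the JavaScript string literal `'mapdiv-$name'`, so a backslash, a line break or a `</script>` sequence in a user-supplied map name would still reach the inline script that include_javascript and cgi emit. An allowlist is a safer shape than a one-character denylist, for example `$name =~ s/[^A-Za-z0-9_.-]//g; # $name comes from user input`. It should be applied wherever the same value forms the `mapdiv-` element id, since cgi's `print "<div id=\"mapdiv-$map\"></div>";` in the visible context also interpolates `$map` into HTML unescaped. The body of map_setup_code starts outside the hunk, so whether `$name` is validated earlier cannot be confirmed from here. Separately, in writekml `$tags_map{$options{tag}} = ();` stores undef and the de-duplication only works because the later `$tags_map{$options{tag}}{$name} = \%options;` autovivifies a hash; `= {}` would state the intent.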