From: John Firebaugh <john.firebaugh@gmail.com>
Date: Mon, 29 Jul 2013 18:30:58 +0000 (-0700)
Subject: Fix embed
X-Git-Tag: live~4803^2~16
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/f17304e8ed8490f8c80bd86ea0d78538ca46f589?ds=inline

Fix embed
---

diff --git a/app/assets/javascripts/application.js b/app/assets/javascripts/application.js
index cbea58cc1..fc7cdb51c 100644
--- a/app/assets/javascripts/application.js
+++ b/app/assets/javascripts/application.js
@@ -113,6 +113,19 @@ function cookieContent(map) {
   return [center.lng, center.lat, map.getZoom(), map.getLayersCode()].join('|');
 }
 
+function escapeHTML(string) {
+  var htmlEscapes = {
+    '&': '&amp;',
+    '<': '&lt;',
+    '>': '&gt;',
+    '"': '&quot;',
+    "'": '&#x27;'
+  };
+  return string == null ? '' : (string + '').replace(/[&<>"']/g, function(match) {
+      return htmlEscapes[match];
+  });
+}
+
 /*
  * Forms which have been cached by rails may have the wrong
  * authenticity token, so patch up any forms with the correct
diff --git a/app/assets/javascripts/embed.js.erb b/app/assets/javascripts/embed.js.erb
index 57572ca48..50c294b41 100644
--- a/app/assets/javascripts/embed.js.erb
+++ b/app/assets/javascripts/embed.js.erb
@@ -5,12 +5,11 @@ window.onload = function () {
   var query = (window.location.search || '?').substr(1),
       args  = {};
 
-  query.replace(/([^&=]+)=?([^&]*)(?:&+|$)/g, function(match, key, value) {
-    value = value.split(",");
-    if (value.length == 1)
-      value = value[0];
-    args[key] = value;
-  });
+  var pairs = query.split('&');
+  for (var i = 0; i < pairs.length; i++) {
+    var parts = pairs[i].split('=');
+    args[parts[0]] = decodeURIComponent(parts[1] || '');
+  }
 
   var map = L.map("map");
   map.attributionControl.setPrefix('');
@@ -26,7 +25,7 @@ window.onload = function () {
   }
 
   if (args.marker) {
-    L.marker(args.marker, {icon: L.icon({
+    L.marker(args.marker.split(','), {icon: L.icon({
       iconUrl: <%= asset_path('images/marker-icon.png').to_json %>,
       iconSize: new L.Point(25, 41),
       iconAnchor: new L.Point(12, 41),
@@ -36,8 +35,9 @@ window.onload = function () {
   }
 
   if (args.bbox) {
-    map.fitBounds([L.latLng(args.bbox[1], args.bbox[0]),
-                   L.latLng(args.bbox[3], args.bbox[2])])
+    var bbox = args.bbox.split(',');
+    map.fitBounds([L.latLng(bbox[1], bbox[0]),
+                   L.latLng(bbox[3], bbox[2])])
   } else {
     map.fitWorld();
   }
diff --git a/app/assets/javascripts/leaflet.share.js b/app/assets/javascripts/leaflet.share.js
index 4264e5616..aef60d1cd 100644
--- a/app/assets/javascripts/leaflet.share.js
+++ b/app/assets/javascripts/leaflet.share.js
@@ -290,9 +290,9 @@ L.OSM.share = function (options) {
 
       $('#embed_html').val(
         '<iframe width="425" height="350" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" src="' +
-          'http://' + OSM.SERVER_URL + '/export/embed.html?' + $.param(params) +
+          escapeHTML('http://' + OSM.SERVER_URL + '/export/embed.html?' + $.param(params)) +
           '" style="border: 1px solid black"></iframe><br/>' +
-          '<small><a href="' + map.getUrl(marker) + '</a></small>');
+          '<small><a href="' + escapeHTML(map.getUrl(marker)) + '</a></small>');
 
       // Image