Fix embed

diff --git a/app/assets/javascripts/application.js b/app/assets/javascripts/application.js
index cbea58cc17628bc6f4daf90c432c635f8546df67..fc7cdb51c548e829702714e9e119cfccd6ba01ec 100644 (file)
--- a/app/assets/javascripts/application.js
+++ b/app/assets/javascripts/application.js
@@ -113,6 +113,19 @@ function cookieContent(map) {
   return [center.lng, center.lat, map.getZoom(), map.getLayersCode()].join('|');
 }
 
+function escapeHTML(string) {
+  var htmlEscapes = {
+    '&': '&',
+    '<': '&lt;',
+    '>': '&gt;',
+    '"': '&quot;',
+    "'": '&#x27;'
+  };
+  return string == null ? '' : (string + '').replace(/[&<>"']/g, function(match) {
+      return htmlEscapes[match];
+  });
+}
+
 /*
  * Forms which have been cached by rails may have the wrong
  * authenticity token, so patch up any forms with the correct

diff --git a/app/assets/javascripts/embed.js.erb b/app/assets/javascripts/embed.js.erb
index 57572ca48ff31dee1cd998d5312c6886443f37fb..50c294b41b0da937e3d09d8ec5e030b115d9f0e8 100644 (file)
--- a/app/assets/javascripts/embed.js.erb
+++ b/app/assets/javascripts/embed.js.erb
@@ -5,12 +5,11 @@ window.onload = function () {
   var query = (window.location.search || '?').substr(1),
       args  = {};
 
-  query.replace(/([^&=]+)=?([^&]*)(?:&+|$)/g, function(match, key, value) {
-    value = value.split(",");
-    if (value.length == 1)
-      value = value[0];
-    args[key] = value;
-  });
+  var pairs = query.split('&');
+  for (var i = 0; i < pairs.length; i++) {
+    var parts = pairs[i].split('=');
+    args[parts[0]] = decodeURIComponent(parts[1] || '');
+  }
 
   var map = L.map("map");
   map.attributionControl.setPrefix('');
@@ -26,7 +25,7 @@ window.onload = function () {
   }
 
   if (args.marker) {
-    L.marker(args.marker, {icon: L.icon({
+    L.marker(args.marker.split(','), {icon: L.icon({
       iconUrl: <%= asset_path('images/marker-icon.png').to_json %>,
       iconSize: new L.Point(25, 41),
       iconAnchor: new L.Point(12, 41),
@@ -36,8 +35,9 @@ window.onload = function () {
   }
 
   if (args.bbox) {
-    map.fitBounds([L.latLng(args.bbox[1], args.bbox[0]),
-                   L.latLng(args.bbox[3], args.bbox[2])])
+    var bbox = args.bbox.split(',');
+    map.fitBounds([L.latLng(bbox[1], bbox[0]),
+                   L.latLng(bbox[3], bbox[2])])
   } else {
     map.fitWorld();
   }

diff --git a/app/assets/javascripts/leaflet.share.js b/app/assets/javascripts/leaflet.share.js
index 4264e56161f1c921b94163f3d8cf5a629da67963..aef60d1cd9b735d942daf951689222cf68800764 100644 (file)
--- a/app/assets/javascripts/leaflet.share.js
+++ b/app/assets/javascripts/leaflet.share.js
@@ -290,9 +290,9 @@ L.OSM.share = function (options) {
 
       $('#embed_html').val(
         '<iframe width="425" height="350" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" src="' +
-          'http://' + OSM.SERVER_URL + '/export/embed.html?' + $.param(params) +
+          escapeHTML('http://' + OSM.SERVER_URL + '/export/embed.html?' + $.param(params)) +
           '" style="border: 1px solid black"></iframe><br/>' +
-          '<small><a href="' + map.getUrl(marker) + '</a></small>');
+          '<small><a href="' + escapeHTML(map.getUrl(marker)) + '</a></small>');
 
       // Image