diff --git a/DynmapCore/src/main/java/org/dynmap/Client.java b/DynmapCore/src/main/java/org/dynmap/Client.java
index 3241be40..8d0b178d 100644
--- a/DynmapCore/src/main/java/org/dynmap/Client.java
+++ b/DynmapCore/src/main/java/org/dynmap/Client.java
@@ -286,11 +286,12 @@ public class Client {
 }
 private static PolicyFactory sanitizer = null;
+ private static PolicyFactory OLDTAGS = new HtmlPolicyBuilder().allowElements("center", "basefont").toFactory();
 public static String sanitizeHTML(String html) {
 PolicyFactory s = sanitizer;
 if (s == null) {
 // Generous but safe html formatting allowances
- s = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.IMAGES).and(Sanitizers.LINKS).and(Sanitizers.STYLES);
+ s = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.IMAGES).and(Sanitizers.LINKS).and(Sanitizers.STYLES).and(OLDTAGS);
 sanitizer = s;
 }
 return s.sanitize(html);
diff --git a/DynmapCore/src/main/java/org/dynmap/markers/impl/MarkerAPIImpl.java b/DynmapCore/src/main/java/org/dynmap/markers/impl/MarkerAPIImpl.java
index c51bd304..c314564a 100644
--- a/DynmapCore/src/main/java/org/dynmap/markers/impl/MarkerAPIImpl.java
+++ b/DynmapCore/src/main/java/org/dynmap/markers/impl/MarkerAPIImpl.java
@@ -3328,10 +3328,10 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener {
 mi = MarkerAPIImpl.getMarkerIconImpl(MarkerIcon.DEFAULT);
 mdata.put("icon", mi.getMarkerIconID());
 mdata.put("dim", mi.getMarkerIconSize().getSize());
- mdata.put("label", m.getLabel());
+ mdata.put("label", Client.sanitizeHTML(m.getLabel()));
 mdata.put("markup", m.isLabelMarkup());
 if(m.getDescription() != null)
- mdata.put("desc", m.getDescription());
+ mdata.put("desc", Client.sanitizeHTML(m.getDescription()));
 if (m.getMinZoom() >= 0) {
 mdata.put("minzoom", m.getMinZoom());
 }
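Review bot: The added `OLDTAGS` field is a mutable static written in constant naming; nothing in the hunk reassigns it, so it should be `private static final PolicyFactory OLDTAGS = new HtmlPolicyBuilder().allowElements("center", "basefont").toFactory();`. Since that policy is now built eagerly at class load anyway, the lazy, non-volatile `sanitizer` cache on the following lines buys little and leaves an unsynchronized check-then-set (harmless today only because every thread would build the same policy); `private static final PolicyFactory SANITIZER = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.IMAGES).and(Sanitizers.LINKS).and(Sanitizers.STYLES).and(OLDTAGS);` with `return SANITIZER.sanitize(html);` would remove it. A short comment on `OLDTAGS` such as `// Obsolete HTML elements still used by existing marker text; allowed without attributes` would tell the next reader why the deprecated `center`/`basefont` elements are re-admitted and that no attributes are allowed on them, which is what keeps the widening safe. The closing brace of sanitizeHTML lies outside the hunk.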
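Review bot: The added `Client.sanitizeHTML(m.getLabel())` runs the HTML sanitizer over the label even when the following line reports `markup` as false, so a plain-text label containing `<`, `>` or `&` comes back entity-encoded; if the web client renders non-markup labels as text rather than HTML, those characters will now display as literal entities, and the call should be conditional: `mdata.put("label", m.isLabelMarkup() ? Client.sanitizeHTML(m.getLabel()) : m.getLabel());` (or the client contract must be that every label is HTML). `m.getDescription()` is null-guarded but `m.getLabel()` is not, so confirm that `sanitizeHTML` tolerates a null argument if a label can be unset. The same two-line change is repeated in the hunks at -3364, -3399 and -3429 below; a small private helper that writes `label`, `markup` and `desc` into `mdata` would keep the four copies from drifting. The enclosing method starts outside the hunk.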
@@ -3364,10 +3364,10 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener {
 mdata.put("opacity", m.getLineOpacity());
 mdata.put("fillopacity", m.getFillOpacity());
 mdata.put("weight", m.getLineWeight());
- mdata.put("label", m.getLabel());
+ mdata.put("label", Client.sanitizeHTML(m.getLabel()));
 mdata.put("markup", m.isLabelMarkup());
 if(m.getDescription() != null)
- mdata.put("desc", m.getDescription());
+ mdata.put("desc", Client.sanitizeHTML(m.getDescription()));
 if (m.getMinZoom() >= 0) {
 mdata.put("minzoom", m.getMinZoom());
 }
@@ -3399,10 +3399,10 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener {
 mdata.put("color", String.format("#%06X", m.getLineColor()));
 mdata.put("opacity", m.getLineOpacity());
 mdata.put("weight", m.getLineWeight());
- mdata.put("label", m.getLabel());
+ mdata.put("label", Client.sanitizeHTML(m.getLabel()));
 mdata.put("markup", m.isLabelMarkup());
 if(m.getDescription() != null)
- mdata.put("desc", m.getDescription());
+ mdata.put("desc", Client.sanitizeHTML(m.getDescription()));
 if (m.getMinZoom() >= 0) {
 mdata.put("minzoom", m.getMinZoom());
 }
@@ -3429,10 +3429,10 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener {
 mdata.put("opacity", m.getLineOpacity());
 mdata.put("fillopacity", m.getFillOpacity());
 mdata.put("weight", m.getLineWeight());
- mdata.put("label", m.getLabel());
+ mdata.put("label", Client.sanitizeHTML(m.getLabel()));
 mdata.put("markup", m.isLabelMarkup());
 if(m.getDescription() != null)
- mdata.put("desc", m.getDescription());
+ mdata.put("desc", Client.sanitizeHTML(m.getDescription()));
 if (m.getMinZoom() >= 0) {
 mdata.put("minzoom", m.getMinZoom());
 }