Fix reflected XSS in 'key' parameter. Fixes #461

src/serve_style.js

@@ -17,7 +17,7 @@ const fixUrl = (req, url, publicUrl, opt_nokey) => {
   }
   const queryParams = [];
   if (!opt_nokey && req.query.key) {
-    queryParams.unshift(`key=${req.query.key}`);
+    queryParams.unshift(`key=${encodeURIComponent(req.query.key)}`);
   }
   let query = '';
   if (queryParams.length) {

src/server.js

@@ -243,7 +243,7 @@ function start(opts) {
 
   app.get('/styles.json', (req, res, next) => {
     const result = [];
-    const query = req.query.key ? (`?key=${req.query.key}`) : '';
+    const query = req.query.key ? (`?key=${encodeURIComponent(req.query.key)}`) : '';
     for (const id of Object.keys(serving.styles)) {
       const styleJSON = serving.styles[id].styleJSON;
       result.push({
@@ -319,8 +319,8 @@ function start(opts) {
           data['public_url'] = opts.publicUrl || '/';
           data['is_light'] = isLight;
           data['key_query_part'] =
-            req.query.key ? `key=${req.query.key}&` : '';
-          data['key_query'] = req.query.key ? `?key=${req.query.key}` : '';
+            req.query.key ? `key=${encodeURIComponent(req.query.key)}&` : '';
+          data['key_query'] = req.query.key ? `?key=${encodeURIComponent(req.query.key)}` : '';
           if (template === 'wmts') res.set('Content-Type', 'text/xml');
           return res.status(200).send(compiled(data));
         });

src/utils.js

@@ -40,7 +40,7 @@ module.exports.getTileUrls = (req, domains, path, format, publicUrl, aliases) =>
   const key = req.query.key;
   const queryParams = [];
   if (req.query.key) {
-    queryParams.push(`key=${req.query.key}`);
+    queryParams.push(`key=${encodeURIComponent(req.query.key)}`);
   }
   if (req.query.style) {
     queryParams.push(`style=${req.query.style}`);