implemented several security measures when parsing GET input to the site

WebContent/main.js

@@ -176,41 +176,50 @@ function initMap() {
 // parse URL GET parameters if any exist
 function checkURL(){
 	var called_url = document.location.search.substr(1,document.location.search.length);
-	if( called_url != '') {
+	
-		var positions = [];
+	// reject messages that are clearly too long or too small 
-		
+	if( called_url.length > 1000 || called_url.length == 0)
-		var destination = undefined;
+		return;
-		var destination_name = undefined;
+	
+	// storage for parameter values
+	var positions = [];
+	var destination = undefined;
+	var destination_name = undefined;
 
-		// parse input (currently only parses start, dest, via)
+	// parse input
-		var splitted_url = called_url.split('&');
+	var splitted_url = called_url.split('&');
-		for(var i=0; i<splitted_url.length; i++) {
+	for(var i=0; i<splitted_url.length; i++) {
-			var name_val = splitted_url[i].split('=');
+		var name_val = splitted_url[i].split('=');
-			if(name_val.length!=2)
+		if(name_val.length!=2)
-				continue;
+			continue;
-				
+			
-			if(name_val[0] == 'loc') {
+		if(name_val[0] == 'loc') {
-				var coordinates = unescape(name_val[1]).split(',');
+			var coordinates = unescape(name_val[1]).split(',');
-				if(coordinates.length==2)
+			if(coordinates.length!=2 || !isLatitude(coordinates[0]) || !isLongitude(coordinates[1]) )
-					positions.push ( new L.LatLng( coordinates[0], coordinates[1]) );
+				return;
-			}
+			positions.push ( new L.LatLng( coordinates[0], coordinates[1]) );
-			else if(name_val[0] == 'dest') {
-				var coordinates = unescape(name_val[1]).split(',');
-				if(coordinates.length==2)				
-					destination = new L.LatLng( coordinates[0], coordinates[1]);
-			}
-			else if(name_val[0] == 'destname')
-				destination_name = name_val[1];			
 		}
+		else if(name_val[0] == 'dest') {
+			var coordinates = unescape(name_val[1]).split(',');
+			if(coordinates.length!=2 || !isLatitude(coordinates[0]) || !isLongitude(coordinates[1]) )
+				return;				
+			destination = new L.LatLng( coordinates[0], coordinates[1]);
+		}
+		else if(name_val[0] == 'destname') {
+			destination_name = decodeURI(name_val[1]).replace(/<\/?[^>]+(>|$)/g ,"");	// discard tags	
+		}
+	}
 		
-		// destination given
+	// case 1: destination given
-		if( destination != undefined ) {
+	if( destination != undefined ) {
-			onclickGeocoderResult("target", destination.lat, destination.lng, (destination_name == undefined) );
+		onclickGeocoderResult("target", destination.lat, destination.lng, (destination_name == undefined) );
-			if( destination_name != undefined )
+		if( destination_name != undefined )
-				document.getElementById("input-target-name").value = decodeURI(destination_name);
+			document.getElementById("input-target-name").value = destination_name;
-			return;
+		return;
-		}
+	}
 
+	// case 2: locations given
+	if( positions != []) {
 		// draw via points
 		if( positions.length > 0)
 			my_markers.setSource( positions[0] );
@@ -220,10 +229,10 @@ function checkURL(){
 			my_markers.setVia( i-1, positions[i] );
 		for(var i=0; i<my_markers.route.length;i++)
 			my_markers.route[i].show();
-		
+			
 		// compute route
 		getRoute(OSRM.FULL_DESCRIPTION);
-		
+			
 		// center on route
 		var bounds = new L.LatLngBounds( positions );
 		map.fitBounds( bounds );

WebContent/utils.js

@@ -50,6 +50,22 @@ function getDistanceWithUnit(distance){
 	else{ return distance+' ' + 'm'; }
 }
 
+//------------------------------------------------------
+
+// verify angles
+function isLatitude(value) {
+	if( value >=-90 && value <=90)
+		return true;
+	else
+		return false;
+}
+function isLongitude(value) {
+	if( value >=-180 && value <=180)
+		return true;
+	else
+		return false;
+}
+
 // ------------------------------------------------------
 
 // distance between two points