Leaflet Cross-Site Scripting Vulnerability in bindPopup() Method

Vulnerability

A Cross-Site Scripting (XSS) vulnerability has been identified in Leaflet versions through 1.9.4. The issue arises in the bindPopup() method, which renders the content string it is given as raw HTML without sanitization or escaping. This flaw enables attackers to inject and execute arbitrary JavaScript in the context of the victim's browser session. The vulnerability is triggered when applications pass user-controlled data to bindPopup(), a common practice in web mapping applications that allow user annotations on map markers.

Impact

Exploitation of this vulnerability leads to Cross-Site Scripting, allowing injected scripts to run in the context of the user's browser session. This could result in session cookie theft, unauthorized actions on behalf of the user, redirection to malicious sites, injection of phishing content, or keystroke capture on the affected page.

Reproduction

To reproduce this vulnerability, use a Leaflet map and the bindPopup() method to add a popup with unvalidated user input. When the popup is opened, any injected JavaScript will execute. This vulnerability can also be reproduced with the bindTooltip() method or any other Leaflet method that renders user-supplied HTML without sanitization.

Remediation

Users are advised to sanitize all user input before passing it to the bindPopup() or bindTooltip() methods. This can be done using libraries like DOMPurify or by escaping HTML entities. Leaflet maintainers are encouraged to change the default behavior of bindPopup() to render content as plain text, require an explicit opt-in for HTML rendering, and implement built-in sanitization when HTML mode is enabled.
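The following is an added example illustrating the remediation above; it is not Leaflet's code and not part of the original advisory. It shows the vulnerable pattern (passing a user string straight to bindPopup()) beside a hardened wrapper that escapes HTML entities by default, treats HTML rendering as an explicit opt-in, and then refuses unless a sanitizer function (for example DOMPurify.sanitize) is supplied. The helper names escapeHtml, popupContent and bindSafePopup, the sample annotation string, and the map coordinates are assumptions made for this example. The Leaflet global L is only touched when it exists, so the module also loads outside a browser.

```javascript
// Added example, not Leaflet's own code. Leaflet's bindPopup()/bindTooltip()
// render a string argument as HTML, so user-controlled text must be escaped
// (or passed as a sanitized HTML string under an explicit opt-in) first.
//
// Vulnerable pattern the advisory describes (do not do this):
//   marker.bindPopup(userInput);

// Escape the five characters that can break out of HTML text or attribute
// context. '&' is replaced first so the later entities are not re-escaped.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Build popup content. Default mode is plain text (entity-escaped). HTML mode
// is an explicit opt-in and requires a sanitizer function such as
// DOMPurify.sanitize; without one the call throws instead of rendering raw HTML.
function popupContent(userInput, opts = {}) {
  const { html = false, sanitize = null } = opts;
  if (!html) {
    return escapeHtml(userInput);
  }
  if (typeof sanitize !== 'function') {
    throw new Error('HTML popup content requires a sanitize function (e.g. DOMPurify.sanitize)');
  }
  return sanitize(String(userInput));
}

// Attach a popup to a Leaflet marker (or any object exposing bindPopup) using
// the safe content builder. Returns the marker for chaining, as Leaflet does.
function bindSafePopup(marker, userInput, opts) {
  return marker.bindPopup(popupContent(userInput, opts));
}

// Constructed sample of a hostile user annotation (not from the advisory).
const sampleAnnotation = '<img src=x onerror="alert(1)">';

// Browser-only demo: guarded so the file also loads under Node.
if (typeof L !== 'undefined' && typeof document !== 'undefined') {
  const map = L.map('map').setView([51.505, -0.09], 13);
  const marker = L.marker([51.505, -0.09]).addTo(map);
  bindSafePopup(marker, sampleAnnotation); // popup shows the tag as literal text
}
```

In text mode the escaped string is what reaches bindPopup(), so the browser displays the annotation literally rather than parsing it. The opt-in HTML path deliberately does not ship its own sanitizer: writing a robust HTML sanitizer is error-prone, and the advisory's recommendation is to use an established library such as DOMPurify.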

Added: Apr 14, 2026, 4:03 PM
Updated: Apr 14, 2026, 4:03 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.7
remediation: 0.0
relevance: 5.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.