From 72e41d37037f911cc393194c22b7a40c8a154f72 Mon Sep 17 00:00:00 2001
From: Lutz Helm
Date: Fri, 3 May 2019 15:02:11 +0200
Subject: [PATCH] Remove attribution generation from IIIFInfo

Generating attributions by injecting 3rd party HTML content introduces XSS vulnerabilities, so with regard to upcoming Image API changes this functionality is removed. See also https://github.com/openlayers/openlayers/pull/9430#issuecomment-482610729
---
 src/ol/format/IIIFInfo.js | 24 ++++--------------------
 1 file changed, 4 insertions(+), 20 deletions(-)

diff --git a/src/ol/format/IIIFInfo.js b/src/ol/format/IIIFInfo.js
index 6d23f237f9..6c05e66ef0 100644
--- a/src/ol/format/IIIFInfo.js
+++ b/src/ol/format/IIIFInfo.js
@@ -131,20 +131,7 @@ function generateVersion2Options(iiifInfo) {
 additionalProfile = Array.isArray(iiifInfo.imageInfo.profile) && iiifInfo.imageInfo.profile.length > 1,
 profileSupports = additionalProfile && iiifInfo.imageInfo.profile[1].supports ? iiifInfo.imageInfo.profile[1].supports : [],
 profileFormats = additionalProfile && iiifInfo.imageInfo.profile[1].formats ? iiifInfo.imageInfo.profile[1].formats : [],
- profileQualities = additionalProfile && iiifInfo.imageInfo.profile[1].qualities ? iiifInfo.imageInfo.profile[1].qualities : [],
- attributions = [];
- if (iiifInfo.imageInfo.attribution !== undefined) {
- // TODO potentially dangerous
- attributions.push(iiifInfo.imageInfo.attribution);
- }
- if (iiifInfo.imageInfo.license !== undefined) {
- let license = iiifInfo.imageInfo.license;
- if (license.match(/^http(s)?:\/\//g)) {
- license = '' + encodeURI(license) + '';
- }
- // TODO potentially dangerous
- attributions.push(license);
- }
+ profileQualities = additionalProfile && iiifInfo.imageInfo.profile[1].qualities ? iiifInfo.imageInfo.profile[1].qualities : [];
 return {
 url: iiifInfo.imageInfo['@id'].replace(/\/?(info.json)?$/g, ''),
 sizes: iiifInfo.imageInfo.sizes === undefined ? undefined : iiifInfo.imageInfo.sizes.map(function(size) {
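Review bot: The added `profileQualities` line now closes what appears to be a comma-chained multi-name declaration whose `const`/`let` keyword sits above the hunk, so the only visible change is the trailing `,` becoming `;`; since this commit is already reshaping that list, splitting it into one declaration per name (`const profileQualities = ...;` on its own line, same for the three context entries above it) would make the next such removal a single-line diff and keep each initializer independently readable. The four `profile[1]` lookups in this chain all depend on `additionalProfile` being true, which is fine as written but is worth a one-line comment such as `// profile[1] is the optional compliance-extension object; guarded by additionalProfile`. The body of generateVersion2Options starts above and continues below this hunk.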
@@ -164,8 +151,7 @@ function generateVersion2Options(iiifInfo) {
 })[0],
 supports: [...levelProfile.supports, ...profileSupports],
 formats: [...levelProfile.formats, ...profileFormats],
- qualities: [...levelProfile.qualities, ...profileQualities],
- attributions: attributions.length == 0 ? undefined : attributions
+ qualities: [...levelProfile.qualities, ...profileQualities]
 };
 }
@@ -196,8 +182,7 @@ function generateVersion3Options(iiifInfo) {
 [...levelProfile.supports, ...iiifInfo.imageInfo.extraQualities],
 maxWidth: undefined,
 maxHeight: undefined,
- maxArea: undefined,
- attributions: undefined
+ maxArea: undefined
 };
 }
@@ -358,8 +343,7 @@ class IIIFInfo {
 resolutions: Array.isArray(imageOptions.resolutions) ? imageOptions.resolutions.sort(function(a, b) { return b - a; }) : undefined,
- tileSize: imageOptions.tileSize,
- attributions: imageOptions.attributions
+ tileSize: imageOptions.tileSize
 };
 }
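Review bot: Dropping `attributions` from the object returned by the `IIIFInfo` method in the last hunk silently changes a public return shape, and the same applies to the version-2 and version-3 option objects in the two hunks before it; if a typedef or JSDoc `@return` above these hunks still lists an `attributions` property, it should be removed in the same commit so the documentation does not advertise a value that is never populated. A short changelog or upgrade note should state that `attribution` and `license` from info.json are no longer forwarded, so applications that want to display them read them from the parsed info themselves and insert them as plain text (for example via `textContent`) rather than as markup, which is the mitigation the commit message relies on. The `resolutions` sort in the last hunk mutates `imageOptions.resolutions` in place, so a caller that reuses its options object sees it reordered; `[...imageOptions.resolutions].sort(...)` would avoid that, though this is pre-existing and only adjacent to the change. The enclosing method's signature and the two option-builder functions' bodies extend outside these hunks.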