[Coordinate map] Sanitize WMS attribution (#52309)

Sanitize the WMS-attribution input before displaying it in the leaflet-attribution control.

src/legacy/ui/public/vis/__tests__/map/kibana_map.js

@@ -251,7 +251,6 @@ describe('kibana_map tests', function () {
       kibanaMap.removeLayer(layer);
       expect(domNode.querySelectorAll('.leaflet-control-attribution')[0].innerHTML).to.equal('foo, bar');
 
-
     });
 
   });
@@ -320,6 +319,29 @@ describe('kibana_map tests', function () {
 
     });
 
+    it('WMS - should clean attribution', async function () {
+
+      const options = {
+        url: 'https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer',
+        version: '1.1.0',
+        layers: '0',
+        format: 'image/png',
+        transparent: true,
+        attribution: '<div>foobar</div>',
+        styles: '',
+        minZoom: 1,
+        maxZoom: 18
+      };
+
+      kibanaMap.setBaseLayer({
+        baseLayerType: 'wms',
+        options: options
+      });
+
+      expect(domNode.querySelectorAll('.leaflet-control-attribution')[0].innerHTML).to.equal('&lt;div&gt;foobar&lt;/div&gt;');
+
+    });
+
   });
 
 

src/legacy/ui/public/vis/map/kibana_map.js

@@ -564,6 +564,8 @@ export class KibanaMap extends EventEmitter {
 
     let baseLayer;
     if (settings.baseLayerType === 'wms') {
+      //This is user-input that is rendered with the Leaflet attribution control. Needs to be sanitized.
+      this._baseLayerSettings.options.attribution = _.escape(settings.options.attribution);
       baseLayer = this._getWMSBaseLayer(settings.options);
     } else if (settings.baseLayerType === 'tms') {
       baseLayer = this._getTMSBaseLayer((settings.options));