Fix source code being not rendered

If special characters were included the source code (HTML-like ones like < and >) is was not rendered.

Fixes https://github.com/PrivateBin/PrivateBin/issues/588

It includes a change in the RegEx for URLs because that was broken when a
& character later followed at any time after a link (even after a newline).
(with a negative lookahead)

Test with https://regex101.com/r/i7bZ73/1

Now the RegEx does not check for _all_ chars after a link, but just for the
one following the link.
(So the lookahead is not * anymore. I guess thsi behaviour was
the expectation when it has been implemented.)

js/privatebin.js

@@ -392,7 +392,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
         me.urls2links = function(html)
         {
             return html.replace(
-                /(((https?|ftp):\/\/[\w?!=&.\/-;#@~%+*-]+(?![\w\s?!&.\/;#~%"=-]*>))|((magnet):[\w?=&.\/-;#@~%+*-]+))/ig,
+                /(((https?|ftp):\/\/[\w?!=&.\/-;#@~%+*-]+(?![\w\s?!&.\/;#~%"=-]>))|((magnet):[\w?=&.\/-;#@~%+*-]+))/ig,
                 '<a href="$1" rel="nofollow">$1</a>'
             );
         };
@@ -2504,6 +2504,14 @@ jQuery.PrivateBin = (function($, RawDeflate) {
                 return;
             }
 
+            // encode < to make sure DomPurify does not interpret e.g. HTML or XML markup as code
+            // cf. https://developer.mozilla.org/en-US/docs/Web/HTML/Element/xmp#Summary
+            // As Markdown, by definition, is/allows HTML code, we do not do anything there.
+            if (format !== 'markdown') {
+                // one character is enough, as this is not security-relevant (all output will go through DOMPurify later)
+                text = text.replace(/</g, '&lt;');
+            }
+            
             // escape HTML entities, link URLs, sanitize
             const escapedLinkedText = Helper.urls2links(text),
                   sanitizedLinkedText = DOMPurify.sanitize(