Revert "getting rid of htmlEntities (except for tests)" a0740ff79f

2025-05-02 14:36:08 -04:00 · 2020-01-18 07:30:01 +01:00 · 2020-01-18 07:30:01 +01:00 · 0d08edbe55
commit 0d08edbe55
parent cec5cb41d7
3 changed files with 38 additions and 2 deletions
--- a/js/privatebin.js
+++ b/js/privatebin.js
@ -189,6 +189,26 @@ jQuery.PrivateBin = (function($, RawDeflate) {
    const Helper = (function () {
        const me = {};

+        /**
+         * character to HTML entity lookup table
+         *
+         * @see    {@link https://github.com/janl/mustache.js/blob/master/mustache.js#L60}
+         * @name Helper.entityMap
+         * @private
+         * @enum   {Object}
+         * @readonly
+         */
+        var entityMap = {
+            '&': '&amp;',
+            '<': '&lt;',
+            '>': '&gt;',
+            '"': '&quot;',
+            "'": '&#39;',
+            '/': '&#x2F;',
+            '`': '&#x60;',
+            '=': '&#x3D;'
+        };
+
        /**
         * cache for script location
         *
@ -392,6 +412,22 @@ jQuery.PrivateBin = (function($, RawDeflate) {
            return new Comment(data);
        };

+        /**
+         * convert all applicable characters to HTML entities
+         *
+         * @see    {@link https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content}
+         * @name   Helper.htmlEntities
+         * @function
+         * @param  {string} str
+         * @return {string} escaped HTML
+         */
+        me.htmlEntities = function(str) {
+            return String(str).replace(
+                /[&<>"'`=\/]/g, function(s) {
+                    return entityMap[s];
+                });
+        }
+
        /**
         * resets state, used for unit testing
         *