diff --git a/js/privatebin.js b/js/privatebin.js
index 7dc8b4ef..311190e8 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -374,6 +374,31 @@ jQuery.PrivateBin = (function($, RawDeflate) {
}
};
+ /**
+ * formats the text that needs to be formatted, so DomPurify can properly escape it.
+ *
+ * @name Helper.preformatTextForDomPurify
+ * @function
+ * @param {string} html
+ * @param {'markdown'|'syntaxhighlighting'|'plaintext'} text
+ * @return {string} new text
+ */
+ me.preformatTextForDomPurify = function(text, format)
+ {
+ if (!format) {
+ throw new TypeError('invalid format parameter');
+ }
+
+ // encode < to make sure DomPurify does not interpret e.g. HTML or XML markup as code
+ // cf. https://developer.mozilla.org/en-US/docs/Web/HTML/Element/xmp#Summary
+ // As Markdown, by definition, is/allows HTML code, we do not do anything there.
+ if (format !== 'markdown') {
+ // one character is enough, as this is not security-relevant (all output will go through DOMPurify later)
+ text = text.replace(/
-
+
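Review bot: The JSDoc on preformatTextForDomPurify does not match its signature: the function is declared as `function(text, format)`, but the doc block names the parameters `html` and `text`, so the `{'markdown'|'syntaxhighlighting'|'plaintext'}` union is attached to the wrong name and the real `format` parameter is undocumented. I would change the two tags to `@param {string} text the paste content to pre-escape` and `@param {'markdown'|'syntaxhighlighting'|'plaintext'} format the rendering mode the text is destined for`. The guard below only rejects a falsy `format`; any other string silently falls into the non-markdown branch, so if that union is meant as the contract, a stricter check such as `if (!['markdown', 'syntaxhighlighting', 'plaintext'].includes(format)) { throw new TypeError('invalid format parameter'); }` would catch mismatched callers early instead of escaping (or not escaping) on a typo. The `text.replace(` call at the end of the hunk is truncated here, so the function body continues outside what is visible and the claim in the comment that the single-character encoding is not security-relevant cannot be verified from this hunk alone.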
diff --git a/tpl/page.php b/tpl/page.php
index 7ffbe946..b3aaab75 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -50,7 +50,7 @@ endif;
?>
-
+