diff --git a/js/privatebin.js b/js/privatebin.js
index 7dc8b4ef..311190e8 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -374,6 +374,31 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 }
 };
+ /**
+ * formats the text that needs to be formatted, so DomPurify can properly escape it.
+ *
+ * @name Helper.preformatTextForDomPurify
+ * @function
+ * @param {string} html
+ * @param {'markdown'|'syntaxhighlighting'|'plaintext'} text
+ * @return {string} new text
+ */
+ me.preformatTextForDomPurify = function(text, format)
+ {
+ if (!format) {
+ throw new TypeError('invalid format parameter');
+ }
+
+ // encode < to make sure DomPurify does not interpret e.g. HTML or XML markup as code
+ // cf. https://developer.mozilla.org/en-US/docs/Web/HTML/Element/xmp#Summary
+ // As Markdown, by definition, is/allows HTML code, we do not do anything there.
+ if (format !== 'markdown') {
+ // one character is enough, as this is not security-relevant (all output will go through DOMPurify later)
+ text = text.replace(/ - +
diff --git a/tpl/page.php b/tpl/page.php
index 7ffbe946..b3aaab75 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -50,7 +50,7 @@ endif; ?> - +
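Review bot: The JSDoc on the new preformatTextForDomPurify does not match its signature: the function is declared `function(text, format)`, but the tags read `@param {string} html` and `@param {'markdown'|'syntaxhighlighting'|'plaintext'} text`, which should be `@param {string} text` and `@param {'markdown'|'syntaxhighlighting'|'plaintext'} format`. The guard `if (!format)` only rejects a missing value, so a misspelt format name would silently take the non-markdown branch; if the three documented values are the only valid ones, checking `format` against that set (for example `['markdown', 'syntaxhighlighting', 'plaintext'].includes(format)`) before throwing the TypeError would make the check meaningful and keep the "markdown passes through unchanged" decision explicit. The replace call and the remainder of the function body are cut off in this hunk, so the part of the change that relies on DOMPurify for the final escaping cannot be reviewed here.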