Fix source code escaping in comments
Also fix comments.
This commit is contained in:
parent
005d223c0d
commit
294b8804a4
@ -374,6 +374,31 @@ jQuery.PrivateBin = (function($, RawDeflate) {
|
|||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* formats the text that needs to be formatted, so DomPurify can properly escape it.
|
||||||
|
*
|
||||||
|
* @name Helper.preformatTextForDomPurify
|
||||||
|
* @function
|
||||||
|
* @param {string} html
|
||||||
|
* @param {'markdown'|'syntaxhighlighting'|'plaintext'} text
|
||||||
|
* @return {string} new text
|
||||||
|
*/
|
||||||
|
me.preformatTextForDomPurify = function(text, format)
|
||||||
|
{
|
||||||
|
if (!format) {
|
||||||
|
throw new TypeError('invalid format parameter');
|
||||||
|
}
|
||||||
|
|
||||||
|
// encode < to make sure DomPurify does not interpret e.g. HTML or XML markup as code
|
||||||
|
// cf. https://developer.mozilla.org/en-US/docs/Web/HTML/Element/xmp#Summary
|
||||||
|
// As Markdown, by definition, is/allows HTML code, we do not do anything there.
|
||||||
|
if (format !== 'markdown') {
|
||||||
|
// one character is enough, as this is not security-relevant (all output will go through DOMPurify later)
|
||||||
|
text = text.replace(/</g, '<');
|
||||||
|
}
|
||||||
|
return text;
|
||||||
|
};
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* convert URLs to clickable links.
|
* convert URLs to clickable links.
|
||||||
*
|
*
|
||||||
@ -2504,13 +2529,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// encode < to make sure DomPurify does not interpret e.g. HTML or XML markup as code
|
text = Helper.preformatTextForDomPurify(text, format);
|
||||||
// cf. https://developer.mozilla.org/en-US/docs/Web/HTML/Element/xmp#Summary
|
|
||||||
// As Markdown, by definition, is/allows HTML code, we do not do anything there.
|
|
||||||
if (format !== 'markdown') {
|
|
||||||
// one character is enough, as this is not security-relevant (all output will go through DOMPurify later)
|
|
||||||
text = text.replace(/</g, '<');
|
|
||||||
}
|
|
||||||
|
|
||||||
// escape HTML entities, link URLs, sanitize
|
// escape HTML entities, link URLs, sanitize
|
||||||
const escapedLinkedText = Helper.urls2links(text),
|
const escapedLinkedText = Helper.urls2links(text),
|
||||||
@ -3321,7 +3340,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
|
|||||||
*/
|
*/
|
||||||
me.addComment = function(comment, commentText, nickname)
|
me.addComment = function(comment, commentText, nickname)
|
||||||
{
|
{
|
||||||
if (commentText === '') {
|
if (!commentText) {
|
||||||
commentText = 'comment decryption failed';
|
commentText = 'comment decryption failed';
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -3331,6 +3350,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
|
|||||||
const $commentEntryData = $commentEntry.find('div.commentdata');
|
const $commentEntryData = $commentEntry.find('div.commentdata');
|
||||||
|
|
||||||
// set & parse text
|
// set & parse text
|
||||||
|
commentText = Helper.preformatTextForDomPurify(commentText, 'plaintext');
|
||||||
$commentEntryData.html(
|
$commentEntryData.html(
|
||||||
DOMPurify.sanitize(
|
DOMPurify.sanitize(
|
||||||
Helper.urls2links(commentText), {
|
Helper.urls2links(commentText), {
|
||||||
|
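Review bot: The JSDoc on the new `Helper.preformatTextForDomPurify` (hunk at line 374) names its parameters `html` and `text`, but the signature is `function(text, format)`, so the documented types are attached to the wrong names; the two tags should read `* @param {string} text` and `* @param {'markdown'|'syntaxhighlighting'|'plaintext'} format`. Separately, as this page renders it the replacement in `text = text.replace(/</g, '<');` is the same character as the pattern, which would make the escaping a no-op; that is most likely the page decoding an HTML entity inside the string literal, but the committed source should be checked to confirm the literal is the entity form the comment above it describes. Note also that only a falsy `format` is rejected, so any unrecognised format string silently takes the escaping branch; that is the fail-safe direction, but if the union type in the JSDoc is meant as a contract, checking against the three known values would let the TypeError cover it as well. The function is fully contained in the hunk, and the later hunks at 2504 and 3331 only replace inline escaping with calls to it.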
@ -72,7 +72,7 @@ endif;
|
|||||||
?>
|
?>
|
||||||
<script type="text/javascript" data-cfasync="false" src="js/purify-2.0.8.js" integrity="sha512-x2Kev3A7fqc/QKCzRHoJ7qCiglgxXtY8WDUMPOUBI6jVueqRkRMGjP1IqD9iUWVuND81ckCCS27Br5M11tw0IA==" crossorigin="anonymous"></script>
|
<script type="text/javascript" data-cfasync="false" src="js/purify-2.0.8.js" integrity="sha512-x2Kev3A7fqc/QKCzRHoJ7qCiglgxXtY8WDUMPOUBI6jVueqRkRMGjP1IqD9iUWVuND81ckCCS27Br5M11tw0IA==" crossorigin="anonymous"></script>
|
||||||
<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-3L/E22cdC3wDFXKM1i32bw4HdrfX14du2xswUKanOY6CLrD+e0hykmLvES+zfBKF1GFQFKr3OmdCVH2y+zHlsA==" crossorigin="anonymous"></script>
|
<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-3L/E22cdC3wDFXKM1i32bw4HdrfX14du2xswUKanOY6CLrD+e0hykmLvES+zfBKF1GFQFKr3OmdCVH2y+zHlsA==" crossorigin="anonymous"></script>
|
||||||
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-0Gt+x+QenVjex80M6AXnrJIOqVV19nV+s8P9T9K68+vyvFGW/Fx34viKK8zzu1ME2GYctsJlNB4I1x75P095ZQ==" crossorigin="anonymous"></script>
|
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-5l2RuILQ59Go14jKwavtCpGEnUhzIkYyLF1ctlOaYxD5HVuBg4IAj5svkFQ4rirruhw88REZ6swax3CuLHeftg==" crossorigin="anonymous"></script>
|
||||||
<link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
|
<link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
|
||||||
<link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" />
|
<link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" />
|
||||||
<link rel="icon" type="image/png" href="img/favicon-16x16.png?<?php echo rawurlencode($VERSION); ?>" sizes="16x16" />
|
<link rel="icon" type="image/png" href="img/favicon-16x16.png?<?php echo rawurlencode($VERSION); ?>" sizes="16x16" />
|
||||||
|
@ -50,7 +50,7 @@ endif;
|
|||||||
?>
|
?>
|
||||||
<script type="text/javascript" data-cfasync="false" src="js/purify-2.0.8.js" integrity="sha512-x2Kev3A7fqc/QKCzRHoJ7qCiglgxXtY8WDUMPOUBI6jVueqRkRMGjP1IqD9iUWVuND81ckCCS27Br5M11tw0IA==" crossorigin="anonymous"></script>
|
<script type="text/javascript" data-cfasync="false" src="js/purify-2.0.8.js" integrity="sha512-x2Kev3A7fqc/QKCzRHoJ7qCiglgxXtY8WDUMPOUBI6jVueqRkRMGjP1IqD9iUWVuND81ckCCS27Br5M11tw0IA==" crossorigin="anonymous"></script>
|
||||||
<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-3L/E22cdC3wDFXKM1i32bw4HdrfX14du2xswUKanOY6CLrD+e0hykmLvES+zfBKF1GFQFKr3OmdCVH2y+zHlsA==" crossorigin="anonymous"></script>
|
<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-3L/E22cdC3wDFXKM1i32bw4HdrfX14du2xswUKanOY6CLrD+e0hykmLvES+zfBKF1GFQFKr3OmdCVH2y+zHlsA==" crossorigin="anonymous"></script>
|
||||||
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-0Gt+x+QenVjex80M6AXnrJIOqVV19nV+s8P9T9K68+vyvFGW/Fx34viKK8zzu1ME2GYctsJlNB4I1x75P095ZQ==" crossorigin="anonymous"></script>
|
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-5l2RuILQ59Go14jKwavtCpGEnUhzIkYyLF1ctlOaYxD5HVuBg4IAj5svkFQ4rirruhw88REZ6swax3CuLHeftg==" crossorigin="anonymous"></script>
|
||||||
<link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
|
<link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
|
||||||
<link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" />
|
<link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" />
|
||||||
<link rel="icon" type="image/png" href="img/favicon-16x16.png?<?php echo rawurlencode($VERSION); ?>" sizes="16x16" />
|
<link rel="icon" type="image/png" href="img/favicon-16x16.png?<?php echo rawurlencode($VERSION); ?>" sizes="16x16" />
|
||||||
|