addressing jsverifyRngState 8b8f0d4ec2a67139b5, fixes HTML injection via filename, closes #554

El RIDO 2019-12-25 09:14:32 +01:00
parent ddaee6486d
commit 8d0ac336d2
No known key found for this signature in database
GPG key ID: 0F5C940A6BD81F92
5 changed files with 11 additions and 6 deletions


@ -2795,8 +2795,12 @@ jQuery.PrivateBin = (function($, RawDeflate) {
// move elemement to new place
$attachmentLink.appendTo($element);
// update text
I18n._($attachmentLink, label, $attachmentLink.attr('download'));
// update text - ensuring no HTML is inserted into the text node
I18n._(
$attachmentLink,
$('<div />').text(label).html(),
$('<div />').text($attachmentLink.attr('download')).html()
);
};
/**
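Review bot: The `$('<div />').text(…).html()` round-trip in the new `I18n._` call encodes only `&`, `<` and `>`, so it covers the text-node case the comment names but leaves `"` and `'` untouched. It would not be enough if either value is ever substituted into an attribute. How `I18n._` writes its arguments into `$attachmentLink` is not visible here, though the fix implies they are inserted as HTML. If so, encoding every substituted argument inside `I18n._` would protect its other callers too, rather than relying on each call site to remember. Encoding `label` as well presumably alters the string used for the translation lookup whenever it contains one of those three characters, which is worth confirming. I would record the limit next to the call, e.g. `// encodes &, <, > only: safe for text-node insertion, not for attribute values`, and add a test with a file name containing markup. The enclosing function starts outside this hunk.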