ensuring text is sanitized in all cases, before being injected into the DOM

El RIDO 2017-11-22 08:05:06 +01:00
parent 2d00202b42
commit 9fa2ea3373
No known key found for this signature in database
GPG key ID: 0F5C940A6BD81F92
3 changed files with 6 additions and 15 deletions


@ -1766,8 +1766,9 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
}
// set text
Helper.setElementText($plainText, text);
Helper.setElementText($prettyPrint, text);
var sanitizedText = DOMPurify.sanitize(text, {SAFE_FOR_JQUERY: true})
Helper.setElementText($plainText, sanitizedText);
Helper.setElementText($prettyPrint, sanitizedText);
switch (format) {
case 'markdown':
@ -1792,7 +1793,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
$prettyPrint.html(
prettyPrintOne(
Helper.htmlEntities(text), null, true
Helper.htmlEntities(sanitizedText), null, true
)
);
// fall through, as the rest is the same
@ -1800,16 +1801,6 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
// convert URLs to clickable links
Helper.urls2links($plainText);
Helper.urls2links($prettyPrint);
$plainText.html(
DOMPurify.sanitize(
$plainText.html(), {SAFE_FOR_JQUERY: true}
)
);
$prettyPrint.html(
DOMPurify.sanitize(
$prettyPrint.html(), {SAFE_FOR_JQUERY: true}
)
);
$prettyPrint.css('white-space', 'pre-wrap');
$prettyPrint.css('word-break', 'normal');
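Review bot: The new `var sanitizedText = DOMPurify.sanitize(text, {SAFE_FOR_JQUERY: true})` in the first hunk feeds the raw paste through an HTML parser before it reaches `Helper.setElementText`, so a plain-text paste containing markup-like sequences is rewritten before display (constructed example: `a<b>c` serializes as `a<b>c</b>`, and a literal `<script>…</script>` block is dropped entirely); if setElementText assigns via `.text()`, as its name suggests, that step alters user content without adding protection, whereas the sanitize calls removed in the third hunk sat exactly where `.html()` was injected. After this change nothing sanitizes what `Helper.urls2links` writes into `$plainText`/`$prettyPrint`, so it is worth confirming that helper only emits anchors for a fixed scheme allow-list and escapes the link text it builds from the paste. The new declaration also lacks a terminating semicolon: `var sanitizedText = DOMPurify.sanitize(text, {SAFE_FOR_JQUERY: true});`. The enclosing function (`jQuery.PrivateBin`) begins and ends outside these hunks.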