updating DOMPurify library, simplifying its use, ensuring HTML entities get escaped before formatting paste - regression introduced in #258, reported in #269

This commit is contained in:
El RIDO 2018-01-01 10:25:07 +01:00
parent 6093f0cc9c
commit bb54d46c7e
No known key found for this signature in database
GPG key ID: 0F5C940A6BD81F92
6 changed files with 16 additions and 16 deletions


@ -1700,7 +1700,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
}
// set sanitized and linked text
var sanitizedLinkedText = DOMPurify.sanitize(Helper.urls2links(text), {SAFE_FOR_JQUERY: true});
var sanitizedLinkedText = DOMPurify.sanitize(Helper.urls2links(text));
$plainText.html(sanitizedLinkedText);
$prettyPrint.html(sanitizedLinkedText);
@ -1713,7 +1713,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
});
// let showdown convert the HTML and sanitize HTML *afterwards*!
$plainText.html(
DOMPurify.sanitize(converter.makeHtml(text), {SAFE_FOR_JQUERY: true})
DOMPurify.sanitize(converter.makeHtml(text))
);
// add table classes from bootstrap css
$plainText.find('table').addClass('table-condensed table-bordered');
@ -1727,8 +1727,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
$prettyPrint.html(
DOMPurify.sanitize(
prettyPrintOne(Helper.urls2links(text), null, true),
{SAFE_FOR_JQUERY: true}
prettyPrintOne(Helper.urls2links(text), null, true)
)
);
// fall through, as the rest is the same
@ -1824,6 +1823,8 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
*/
me.setText = function(newText)
{
// escape HTML entities
newText = $('<div />').text(newText).html();
if (text !== newText) {
text = newText;
isChanged = true;
@ -2223,8 +2224,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
// set & parse text
$commentEntryData.html(
DOMPurify.sanitize(
Helper.urls2links(commentText),
{SAFE_FOR_JQUERY: true}
Helper.urls2links(commentText)
)
);
@ -2529,7 +2529,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
for (var i = 0; i < $head.length; i++) {
newDoc.write($head[i].outerHTML);
}
newDoc.write('</head><body><pre>' + DOMPurify.sanitize(paste, {SAFE_FOR_JQUERY: true}) + '</pre></body></html>');
newDoc.write('</head><body><pre>' + DOMPurify.sanitize(paste) + '</pre></body></html>');
newDoc.close();
}
@ -3939,10 +3939,11 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
// first load translations
I18n.loadTranslations();
DOMPurify.setConfig({SAFE_FOR_JQUERY: true});
// initialize other modules/"classes"
Alert.init();
Model.init();
AttachmentViewer.init();
DiscussionViewer.init();
Editor.init();
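Review bot: The escape added in me.setText at `newText = $('<div />').text(newText).html();` changes what is stored and therefore what getText() returns (the test now expects `$('<div />').text(text).html()`), but the JSDoc block whose closing `*/` opens that hunk is not updated to say so; a line such as `@param {string} newText - raw text; it is stored HTML-escaped, so getText() returns entity-encoded text` would stop a later caller from treating the value as plain text. Any existing consumer of getText() that expects unescaped content (not visible in this hunk) should be checked against the new contract. Separately, `DOMPurify.setConfig({SAFE_FOR_JQUERY: true});` in the init hunk is now the only place the option is set, so any sanitize() call that runs before Controller.init reaches that line (if one exists; not visible here) would lose the jQuery-safe output; a comment such as `// global config replaces the per-call SAFE_FOR_JQUERY option; must run before any sanitize() call` would make the ordering constraint explicit. setText's body continues outside the hunk.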

js/purify-1.0.3.js Normal file

File diff suppressed because one or more lines are too long

js/purify.min.js vendored

File diff suppressed because one or more lines are too long


@ -42,7 +42,7 @@ require('./prettify');
global.prettyPrint = window.PR.prettyPrint;
global.prettyPrintOne = window.PR.prettyPrintOne;
global.showdown = require('./showdown-1.6.1');
global.DOMPurify = require('./purify.min');
global.DOMPurify = require('./purify-1.0.3');
require('./bootstrap-3.3.7');
require('./privatebin');
@ -1422,7 +1422,7 @@ describe('PasteViewer', function () {
results.push(
$('#placeholder').hasClass('hidden') &&
!$.PrivateBin.PasteViewer.isPrettyPrinted() &&
$.PrivateBin.PasteViewer.getText() == text
$.PrivateBin.PasteViewer.getText() == $('<div />').text(text).html()
);
if (format == 'markdown') {
results.push(