reverting Helper.urls2links() method to old style, applied to element instead of string, allows inserting plain text as text node

2025-05-02 06:26:16 -04:00 · 2020-03-06 22:18:38 +01:00 · 2020-03-06 22:18:38 +01:00 · c11dc8e17e
commit c11dc8e17e
parent 8a6dcf910a
4 changed files with 51 additions and 44 deletions
--- a/js/privatebin.js
+++ b/js/privatebin.js
@ -281,7 +281,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
        };

        /**
-         * convert URLs to clickable links.
+         * convert URLs to clickable links in the provided element.
         *
         * URLs to handle:
         * <pre>
@ -292,14 +292,15 @@ jQuery.PrivateBin = (function($, RawDeflate) {
         *
         * @name   Helper.urls2links
         * @function
-         * @param  {string} html
-         * @return {string}
+         * @param  {HTMLElement} element
         */
-        me.urls2links = function(html)
+        me.urls2links = function(element)
        {
-            return html.replace(
-                /(((https?|ftp):\/\/[\w?!=&.\/-;#@~%+*-]+(?![\w\s?!&.\/;#~%"=-]*>))|((magnet):[\w?=&.\/-;#@~%+*-]+))/ig,
-                '<a href="$1" rel="nofollow">$1</a>'
+            element.html(
+                element.html().replace(
+                    /(((https?|ftp):\/\/[\w?!=&.\/-;#@~%+*-]+(?![\w\s?!&.\/;#~%"=-]*>))|((magnet):[\w?=&.\/-;#@~%+*-]+))/ig,
+                    '<a href="$1" rel="nofollow">$1</a>'
+                )
            );
        };

@ -2439,11 +2440,6 @@ jQuery.PrivateBin = (function($, RawDeflate) {
                // add table classes from bootstrap css
                $plainText.find('table').addClass('table-condensed table-bordered');
            } else {
-                // escape HTML entities, link URLs, sanitize
-                const escapedLinkedText = Helper.urls2links(text);
-                let sanitizeLinkedText = '',
-                    sanitizerConfiguration = {};
-
                if (format === 'syntaxhighlighting') {
                    // yes, this is really needed to initialize the environment
                    if (typeof prettyPrint === 'function')
@ -2451,22 +2447,16 @@ jQuery.PrivateBin = (function($, RawDeflate) {
                        prettyPrint();
                    }

-                    sanitizeLinkedText = prettyPrintOne(
-                        escapedLinkedText, null, true
+                    $prettyPrint.html(
+                        prettyPrintOne(
+                            Helper.htmlEntities(text), null, true
+                        )
                    );
                } else {
                    // = 'plaintext'
-                    sanitizeLinkedText = escapedLinkedText;
-                    sanitizerConfiguration = {
-                        ALLOWED_TAGS: ['a'],
-                        ALLOWED_ATTR: ['href', 'rel']
-                    };
+                    $prettyPrint.text(text);
                }
-                $prettyPrint.html(
-                    DOMPurify.sanitize(
-                        sanitizeLinkedText, sanitizerConfiguration
-                    )
-                );
+                Helper.urls2links($prettyPrint);
                $prettyPrint.css('white-space', 'pre-wrap');
                $prettyPrint.css('word-break', 'normal');
                $prettyPrint.removeClass('prettyprint');
@ -3243,14 +3233,8 @@ jQuery.PrivateBin = (function($, RawDeflate) {
            const $commentEntryData = $commentEntry.find('div.commentdata');

            // set & parse text
-            $commentEntryData.html(
-                DOMPurify.sanitize(
-                    Helper.urls2links(commentText), {
-                        ALLOWED_TAGS: ['a'],
-                        ALLOWED_ATTR: ['href', 'rel']
-                    }
-                )
-            );
+            $commentEntryData.text(commentText);
+            Helper.urls2links($commentEntryData);

            // set nickname
            if (nickname.length > 0) {