Infra-Mirrors/PrivateBin
1
0
Fork 0
mirror of https://github.com/PrivateBin/PrivateBin.git synced 2025-05-02 06:26:16 -04:00
Code Issues Projects Releases Packages Wiki Activity

Invert conatainsLink logic

Browse source
This commit is contained in:
rugk 2020-01-15 17:52:51 +01:00
parent ebc2d649c4
commit eb549d70d1
No known key found for this signature in database
GPG key ID: 05D40A636AFAB34D
3 changed files with 7 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

14
js/privatebin.js
View file

@ -453,11 +453,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
* @return string escaped HTML
*/
me.htmlEntities = function(str) {
// using textarea, since other tags may allow and execute scripts, even when detached from DOM
let holder = document.createElement('textarea');
holder.textContent = str;
// as per OWASP recommendation, also encoding quotes and slash
return holder.innerHTML.replace(
return str.replace(
/["'\/]/g,
function(s) {
return {
@ -629,10 +625,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
// if $element is given, apply text to element
if ($element !== null) {
if (!containsLinks) {
// avoid HTML entity encoding if translation contains links
$element.text(output);
} else {
if (containsLinks) {
// only allow tags/attributes we actually use in our translations
$element.html(
DOMPurify.sanitize(output, {
@ -640,6 +633,9 @@ jQuery.PrivateBin = (function($, RawDeflate) {
ALLOWED_ATTR: ['href', 'id']
})
);
} else {
// avoid HTML entity encoding if translation contains no links
$element.text(output);
}
}