[TEST] Try to disallow vulnerable cases

rugk 2020-01-13 19:56:15 +01:00
parent 01414e43ca
commit ebc2d649c4
No known key found for this signature in database
GPG key ID: 05D40A636AFAB34D
4 changed files with 45 additions and 2 deletions


@ -620,6 +620,9 @@ jQuery.PrivateBin = (function($, RawDeflate) {
// messageID may contain links, but only the first parameter, as that is from a trusted source (code or translation JSON files)
let containsLinks = args[0].indexOf('<a') !== -1;
if (containsLinks && args.length > 0) {
throw new Error('security violation detected: do not concatenate links and untrusted data!');
}
// format string
let output = Helper.sprintf.apply(this, args);
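Review bot: The added guard's `args.length > 0` is always true once `args[0]` has been read on the line above, so the condition reduces to `containsLinks` and every message containing `<a` throws, including ones that pass no further arguments. Since the comment says only the first parameter is trusted, the check presumably should fire only when extra, untrusted arguments follow: `if (containsLinks && args.length > 1) {`. A one-line comment such as `// args[1..] are untrusted and must never be formatted into a string that carries markup` would record why the guard exists. The enclosing function starts and ends outside this hunk, so whether any caller passes parameters alongside a link message cannot be checked from here.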