ensuring text is sanitized in all cases, before being injected into the DOM
This commit is contained in:
parent
2d00202b42
commit
9fa2ea3373
3 changed files with 6 additions and 15 deletions
|
@ -1766,8 +1766,9 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// set text
|
// set text
|
||||||
Helper.setElementText($plainText, text);
|
var sanitizedText = DOMPurify.sanitize(text, {SAFE_FOR_JQUERY: true})
|
||||||
Helper.setElementText($prettyPrint, text);
|
Helper.setElementText($plainText, sanitizedText);
|
||||||
|
Helper.setElementText($prettyPrint, sanitizedText);
|
||||||
|
|
||||||
switch (format) {
|
switch (format) {
|
||||||
case 'markdown':
|
case 'markdown':
|
||||||
|
@ -1792,7 +1793,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
|
||||||
|
|
||||||
$prettyPrint.html(
|
$prettyPrint.html(
|
||||||
prettyPrintOne(
|
prettyPrintOne(
|
||||||
Helper.htmlEntities(text), null, true
|
Helper.htmlEntities(sanitizedText), null, true
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
// fall through, as the rest is the same
|
// fall through, as the rest is the same
|
||||||
|
@ -1800,16 +1801,6 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
|
||||||
// convert URLs to clickable links
|
// convert URLs to clickable links
|
||||||
Helper.urls2links($plainText);
|
Helper.urls2links($plainText);
|
||||||
Helper.urls2links($prettyPrint);
|
Helper.urls2links($prettyPrint);
|
||||||
$plainText.html(
|
|
||||||
DOMPurify.sanitize(
|
|
||||||
$plainText.html(), {SAFE_FOR_JQUERY: true}
|
|
||||||
)
|
|
||||||
);
|
|
||||||
$prettyPrint.html(
|
|
||||||
DOMPurify.sanitize(
|
|
||||||
$prettyPrint.html(), {SAFE_FOR_JQUERY: true}
|
|
||||||
)
|
|
||||||
);
|
|
||||||
|
|
||||||
$prettyPrint.css('white-space', 'pre-wrap');
|
$prettyPrint.css('white-space', 'pre-wrap');
|
||||||
$prettyPrint.css('word-break', 'normal');
|
$prettyPrint.css('word-break', 'normal');
|
||||||
|
|
|
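Review bot: Sanitizing the raw paste at `var sanitizedText = DOMPurify.sanitize(text, {SAFE_FOR_JQUERY: true})` is not a substitute for the removed post-render sanitization of `$plainText.html()` / `$prettyPrint.html()`: DOMPurify only strips markup that is already present in the input, whereas the markdown branch (its body sits between the first two hunks) and `Helper.urls2links()` generate new HTML from text that contains no tags at all — a `[x](javascript:...)` link or a crafted URL — and that output now reaches `.html()` unsanitized, assuming those helpers render to HTML as their names suggest. Running DOMPurify over the plain text is also lossy for legitimate pastes: a code snippet containing `<script>` or `<iframe>` is silently altered before `Helper.setElementText()`, even though a text-node insert needs no sanitization. I would sanitize where HTML is actually assigned instead: leave the `text` → `setElementText` path untouched and wrap the markdown output and the result of `urls2links` in `DOMPurify.sanitize(..., {SAFE_FOR_JQUERY: true})` before `.html()`, as the deleted lines at the end of the last hunk did. The `var sanitizedText = ...` statement is also missing its trailing semicolon. The enclosing function starts and ends outside the hunks.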
@ -70,7 +70,7 @@ if ($MARKDOWN):
|
||||||
<?php
|
<?php
|
||||||
endif;
|
endif;
|
||||||
?>
|
?>
|
||||||
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-VEBWEPLKeJ5Lv0T67Nal1g4NxeoOf2nlE20rF3uOq8fpBb/bKLR9wPxcl8mTjEiA+GAEQv0s4Fh5iT8wee1Nbw==" crossorigin="anonymous"></script>
|
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-asPypLWIpl03jZzFSOTfUuLsZ+DHVBrcGU0f9LeJrN/T33Al9q2+qt7V8nm6Ji88rUvYvnTp2/KgNgOSRJcQPw==" crossorigin="anonymous"></script>
|
||||||
<!--[if lt IE 10]>
|
<!--[if lt IE 10]>
|
||||||
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
|
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
|
||||||
<![endif]-->
|
<![endif]-->
|
||||||
|
|
|
@ -48,7 +48,7 @@ if ($MARKDOWN):
|
||||||
<?php
|
<?php
|
||||||
endif;
|
endif;
|
||||||
?>
|
?>
|
||||||
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-VEBWEPLKeJ5Lv0T67Nal1g4NxeoOf2nlE20rF3uOq8fpBb/bKLR9wPxcl8mTjEiA+GAEQv0s4Fh5iT8wee1Nbw==" crossorigin="anonymous"></script>
|
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-asPypLWIpl03jZzFSOTfUuLsZ+DHVBrcGU0f9LeJrN/T33Al9q2+qt7V8nm6Ji88rUvYvnTp2/KgNgOSRJcQPw==" crossorigin="anonymous"></script>
|
||||||
<!--[if lt IE 10]>
|
<!--[if lt IE 10]>
|
||||||
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
|
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
|
||||||
<![endif]-->
|
<![endif]-->
|
||||||
|
|