applying HTML entity cleanup to raw paste, too, fixing #137
This commit is contained in:
parent
97cbcb0aab
commit
1badd5e542
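--- a/FILE_PATH_NOT_SHOWN_ON_PAGE_1
+++ b/FILE_PATH_NOT_SHOWN_ON_PAGE_1
@@ -6,6 +6,7 @@
 * CHANGED: Using modal dialog to request password input instead of native JS input window (#69)
 * CHANGED: Suppressed referrer HTTP header sending when following links in a paste or comment (#96) and added additional HTTP headers for XSS mitigation (#91)
 * CHANGED: Updated random_compat and jQuery libraries
+* FIXED: XSS using JavaScript stored as markdown formatted paste, after clicking on Raw paste button (#137)
 * FIXED: Automatic purging deleting non-expiring pastes, when using database store (#149)
 * **1.0 (2016-08-25)**
 * ADDED: Translations for Slowene and Chinese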
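--- a/FILE_PATH_NOT_SHOWN_ON_PAGE_2
+++ b/FILE_PATH_NOT_SHOWN_ON_PAGE_2
@@ -295,6 +295,7 @@ $(function() {
 /**
 * Convert all applicable characters to HTML entities.
 * From: https://github.com/janl/mustache.js/blob/master/mustache.js#L60
+* Also: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
 *
 * @param string str
 * @return string escaped HTML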
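--- a/FILE_PATH_NOT_SHOWN_ON_PAGE_2
+++ b/FILE_PATH_NOT_SHOWN_ON_PAGE_2
@@ -1279,7 +1280,7 @@ $(function() {
 // we use text/html instead of text/plain to avoid a bug when
 // reloading the raw text view (it reverts to type text/html)
 var newDoc = document.open('text/html', 'replace');
-newDoc.write('<pre>' + paste + '</pre>');
+newDoc.write('<pre>' + helper.htmlEntities(paste) + '</pre>');
 newDoc.close();
 },
 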
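Review bot: The `newDoc.write` line now escapes `paste`, but nothing at the call site says why, and the helper's docblock in the earlier hunk ties it to OWASP rule #1, which covers HTML element content only; a short comment would keep a later edit from moving the value into an attribute, URL or script context where this escaping is not sufficient, e.g. `// paste is untrusted: escape it so its content cannot close the <pre> and inject markup`. The document written here is opened as text/html and runs under the application's origin, so apart from whatever response headers the server sets this escaping is the barrier between paste content and script execution in the raw view; worth stating in that comment as well. The enclosing function starts outside the hunk.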
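--- a/FILE_PATH_NOT_SHOWN_ON_PAGE_3
+++ b/FILE_PATH_NOT_SHOWN_ON_PAGE_3
@@ -52,7 +52,7 @@ if ($MARKDOWN):
 <?php
 endif;
 ?>
-<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-V/iOsbg0tz5cbcOCtBOgY+uK/X92E8EQLlW6L7OYvzLSYOO1YfPVupEbYEWgOj9KllOLrIsN8Oe+MfBsnFSW2g==" crossorigin="anonymous"></script>
+<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-gOFSXPHzQ7Unsv9bGNt4K7Gum2InVcyrwegr3NRJwDaqxz+2MTza6hVsnf9JOTojlouCA4HtzDSDwb2vGBJjoA==" crossorigin="anonymous"></script>
 <!--[if lt IE 10]>
 <style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
 <![endif]-->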
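--- a/FILE_PATH_NOT_SHOWN_ON_PAGE_4
+++ b/FILE_PATH_NOT_SHOWN_ON_PAGE_4
@@ -52,7 +52,7 @@ if ($MARKDOWN):
 <?php
 endif;
 ?>
-<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-V/iOsbg0tz5cbcOCtBOgY+uK/X92E8EQLlW6L7OYvzLSYOO1YfPVupEbYEWgOj9KllOLrIsN8Oe+MfBsnFSW2g==" crossorigin="anonymous"></script>
+<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-gOFSXPHzQ7Unsv9bGNt4K7Gum2InVcyrwegr3NRJwDaqxz+2MTza6hVsnf9JOTojlouCA4HtzDSDwb2vGBJjoA==" crossorigin="anonymous"></script>
 <!--[if lt IE 10]>
 <style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
 <![endif]-->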
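--- a/FILE_PATH_NOT_SHOWN_ON_PAGE_5
+++ b/FILE_PATH_NOT_SHOWN_ON_PAGE_5
@@ -53,7 +53,7 @@ if ($MARKDOWN):
 <?php
 endif;
 ?>
-<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-V/iOsbg0tz5cbcOCtBOgY+uK/X92E8EQLlW6L7OYvzLSYOO1YfPVupEbYEWgOj9KllOLrIsN8Oe+MfBsnFSW2g==" crossorigin="anonymous"></script>
+<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-gOFSXPHzQ7Unsv9bGNt4K7Gum2InVcyrwegr3NRJwDaqxz+2MTza6hVsnf9JOTojlouCA4HtzDSDwb2vGBJjoA==" crossorigin="anonymous"></script>
 <!--[if lt IE 10]>
 <style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
 <![endif]-->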
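--- a/FILE_PATH_NOT_SHOWN_ON_PAGE_6
+++ b/FILE_PATH_NOT_SHOWN_ON_PAGE_6
@@ -52,7 +52,7 @@ if ($MARKDOWN):
 <?php
 endif;
 ?>
-<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-V/iOsbg0tz5cbcOCtBOgY+uK/X92E8EQLlW6L7OYvzLSYOO1YfPVupEbYEWgOj9KllOLrIsN8Oe+MfBsnFSW2g==" crossorigin="anonymous"></script>
+<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-gOFSXPHzQ7Unsv9bGNt4K7Gum2InVcyrwegr3NRJwDaqxz+2MTza6hVsnf9JOTojlouCA4HtzDSDwb2vGBJjoA==" crossorigin="anonymous"></script>
 <!--[if lt IE 10]>
 <style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
 <![endif]-->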
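--- a/FILE_PATH_NOT_SHOWN_ON_PAGE_7
+++ b/FILE_PATH_NOT_SHOWN_ON_PAGE_7
@@ -53,7 +53,7 @@ if ($MARKDOWN):
 <?php
 endif;
 ?>
-<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-V/iOsbg0tz5cbcOCtBOgY+uK/X92E8EQLlW6L7OYvzLSYOO1YfPVupEbYEWgOj9KllOLrIsN8Oe+MfBsnFSW2g==" crossorigin="anonymous"></script>
+<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-gOFSXPHzQ7Unsv9bGNt4K7Gum2InVcyrwegr3NRJwDaqxz+2MTza6hVsnf9JOTojlouCA4HtzDSDwb2vGBJjoA==" crossorigin="anonymous"></script>
 <!--[if lt IE 10]>
 <style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
 <![endif]-->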
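--- a/FILE_PATH_NOT_SHOWN_ON_PAGE_8
+++ b/FILE_PATH_NOT_SHOWN_ON_PAGE_8
@@ -47,7 +47,7 @@ if ($MARKDOWN):
 <?php
 endif;
 ?>
-<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-V/iOsbg0tz5cbcOCtBOgY+uK/X92E8EQLlW6L7OYvzLSYOO1YfPVupEbYEWgOj9KllOLrIsN8Oe+MfBsnFSW2g==" crossorigin="anonymous"></script>
+<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-gOFSXPHzQ7Unsv9bGNt4K7Gum2InVcyrwegr3NRJwDaqxz+2MTza6hVsnf9JOTojlouCA4HtzDSDwb2vGBJjoA==" crossorigin="anonymous"></script>
 <!--[if lt IE 10]>
 <style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
 <![endif]-->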