From 5f0011b0f6ffc036041873daf50a08089e648bc4 Mon Sep 17 00:00:00 2001
From: Haocen Xu
Date: Sat, 30 May 2020 06:05:20 -0400
Subject: [PATCH] Sanitize output from Helper.urls2links
---
 js/privatebin.js | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/js/privatebin.js b/js/privatebin.js
index 2926577..b9f25b9 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -405,9 +405,11 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 me.urls2links = function(element) {
 element.html(
- element.html().replace(
- /(((https?|ftp):\/\/[\w?!=&.\/-;#@~%+*-]+(?![\w\s?!&.\/;#~%"=-]>))|((magnet):[\w?=&.\/-;#@~%+*-]+))/ig,
- '$1'
+ DOMPurify.sanitize(
+ element.html().replace(
+ /(((https?|ftp):\/\/[\w?!=&.\/-;#@~%+*-]+(?![\w\s?!&.\/;#~%"=-]>))|((magnet):[\w?=&.\/-;#@~%+*-]+))/ig,
+ '$1'
+ )
 )
 );
 };
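Review bot: Calling `DOMPurify.sanitize(...)` with no configuration applies DOMPurify's default URI allow-list, which does not include the `magnet:` scheme that the regex on the added lines deliberately matches, so magnet anchors would most likely lose their `href` and render as plain text unless DOMPurify is configured elsewhere in the file (for example via `ALLOWED_URI_REGEXP`); a unit test that linkifies a `magnet:` URI would pin this down either way. The replacement string appears here as `'$1'`, which would make the `replace()` a no-op, so presumably the anchor markup was dropped when the patch was extracted and the real replacement should be checked against the repository. Because the sanitized string is then handed to jQuery's `.html()`, it is worth confirming whether the jQuery version in use still needs DOMPurify's `SAFE_FOR_JQUERY` option for that sink. A one-line comment above the new call would record the intent for the next reader: `// sanitize the re-serialized markup so the regex cannot leave an unescaped tag or attribute`.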