chalec
/
ctrlv-privatebin
6
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'preview-encoding'

This commit is contained in:
El RIDO 2020-03-21 15:59:25 +01:00
parent 33bb0c6bd6 71c76adac4
commit 7abfe56910
No known key found for this signature in database
GPG Key ID: 0F5C940A6BD81F92
4 changed files with 73 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

90
js/privatebin.js
View File

@ -375,7 +375,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
}; };
/** /**
* convert URLs to clickable links. * convert URLs to clickable links in the provided element.
* *
* URLs to handle: * URLs to handle:
* <pre> * <pre>
@ -386,14 +386,15 @@ jQuery.PrivateBin = (function($, RawDeflate) {
* *
* @name Helper.urls2links * @name Helper.urls2links
* @function * @function
* @param {string} html * @param {HTMLElement} element
* @return {string}
*/ */
me.urls2links = function(html) me.urls2links = function(element)
{ {
return html.replace( element.html(
/(((https?|ftp):\/\/[\w?!=&.\/-;#@~%+*-]+(?![\w\s?!&.\/;#~%"=-]*>))|((magnet):[\w?=&.\/-;#@~%+*-]+))/ig, element.html().replace(
'<a href="$1" rel="nofollow">$1</a>' /(((https?|ftp):\/\/[\w?!=&.\/-;#@~%+*-]+(?![\w\s?!&.\/;#~%"=-]>))|((magnet):[\w?=&.\/-;#@~%+*-]+))/ig,
'<a href="$1" rel="nofollow">$1</a>'
)
); );
}; };
@ -2504,36 +2505,24 @@ jQuery.PrivateBin = (function($, RawDeflate) {
return; return;
} }
// escape HTML entities, link URLs, sanitize if (format === 'markdown') {
const escapedLinkedText = Helper.urls2links(text), const converter = new showdown.Converter({
sanitizedLinkedText = DOMPurify.sanitize( strikethrough: true,
escapedLinkedText, { tables: true,
ALLOWED_TAGS: ['a'], tablesHeaderId: true,
ALLOWED_ATTR: ['href', 'rel'] simplifiedAutoLink: true,
} excludeTrailingPunctuationFromURLs: true
); });
$plainText.html(sanitizedLinkedText); // let showdown convert the HTML and sanitize HTML *afterwards*!
$prettyPrint.html(sanitizedLinkedText); $plainText.html(
DOMPurify.sanitize(
switch (format) { converter.makeHtml(text)
case 'markdown': )
const converter = new showdown.Converter({ );
strikethrough: true, // add table classes from bootstrap css
tables: true, $plainText.find('table').addClass('table-condensed table-bordered');
tablesHeaderId: true, } else {
simplifiedAutoLink: true, if (format === 'syntaxhighlighting') {
excludeTrailingPunctuationFromURLs: true
});
// let showdown convert the HTML and sanitize HTML *afterwards*!
$plainText.html(
DOMPurify.sanitize(
converter.makeHtml(text)
)
);
// add table classes from bootstrap css
$plainText.find('table').addClass('table-condensed table-bordered');
break;
case 'syntaxhighlighting':
// yes, this is really needed to initialize the environment // yes, this is really needed to initialize the environment
if (typeof prettyPrint === 'function') if (typeof prettyPrint === 'function')
{ {
@ -2541,15 +2530,18 @@ jQuery.PrivateBin = (function($, RawDeflate) {
} }
$prettyPrint.html( $prettyPrint.html(
DOMPurify.sanitize( prettyPrintOne(
prettyPrintOne(escapedLinkedText, null, true) Helper.htmlEntities(text), null, true
) )
); );
// fall through, as the rest is the same } else {
default: // = 'plaintext' // = 'plaintext'
$prettyPrint.css('white-space', 'pre-wrap'); $prettyPrint.text(text);
$prettyPrint.css('word-break', 'normal'); }
$prettyPrint.removeClass('prettyprint'); Helper.urls2links($prettyPrint);
$prettyPrint.css('white-space', 'pre-wrap');
$prettyPrint.css('word-break', 'normal');
$prettyPrint.removeClass('prettyprint');
} }
} }
@ -3323,14 +3315,8 @@ jQuery.PrivateBin = (function($, RawDeflate) {
const $commentEntryData = $commentEntry.find('div.commentdata'); const $commentEntryData = $commentEntry.find('div.commentdata');
// set & parse text // set & parse text
$commentEntryData.html( $commentEntryData.text(commentText);
DOMPurify.sanitize( Helper.urls2links($commentEntryData);
Helper.urls2links(commentText), {
ALLOWED_TAGS: ['a'],
ALLOWED_ATTR: ['href', 'rel']
}
)
);
// set nickname // set nickname
if (nickname.length > 0) { if (nickname.length > 0) {

43
js/test/Helper.js
View File

@ -81,7 +81,15 @@ describe('Helper', function () {
'ignores non-URL content', 'ignores non-URL content',
'string', 'string',
function (content) { function (content) {
return content === $.PrivateBin.Helper.urls2links(content); content = content.replace(/\r/g, '\n').replace(/\u0000/g, '');
let clean = jsdom();
$('body').html('<div id="foo"></div>');
let e = $('#foo');
e.text(content);
$.PrivateBin.Helper.urls2links(e);
let result = e.text();
clean();
return content === result;
} }
); );
jsc.property( jsc.property(
@ -95,9 +103,12 @@ describe('Helper', function () {
function (prefix, schema, address, query, fragment, postfix) { function (prefix, schema, address, query, fragment, postfix) {
query = query.join(''); query = query.join('');
fragment = fragment.join(''); fragment = fragment.join('');
prefix = $.PrivateBin.Helper.htmlEntities(prefix); prefix = prefix.replace(/\r/g, '\n').replace(/\u0000/g, '');
postfix = ' ' + $.PrivateBin.Helper.htmlEntities(postfix); postfix = ' ' + postfix.replace(/\r/g, '\n').replace(/\u0000/g, '');
let url = schema + '://' + address.join('') + '/?' + query + '#' + fragment; let url = schema + '://' + address.join('') + '/?' + query + '#' + fragment,
clean = jsdom();
$('body').html('<div id="foo"></div>');
let e = $('#foo');
// special cases: When the query string and fragment imply the beginning of an HTML entity, eg. &#0 or &#x // special cases: When the query string and fragment imply the beginning of an HTML entity, eg. &#0 or &#x
if ( if (
@ -108,8 +119,12 @@ describe('Helper', function () {
url = schema + '://' + address.join('') + '/?' + query.substring(0, query.length - 1); url = schema + '://' + address.join('') + '/?' + query.substring(0, query.length - 1);
postfix = ''; postfix = '';
} }
e.text(prefix + url + postfix);
return prefix + '<a href="' + url + '" rel="nofollow">' + url + '</a>' + postfix === $.PrivateBin.Helper.urls2links(prefix + url + postfix); $.PrivateBin.Helper.urls2links(e);
let result = e.html();
clean();
url = $('<div />').text(url).html();
return $('<div />').text(prefix).html() + '<a href="' + url + '" rel="nofollow">' + url + '</a>' + $('<div />').text(postfix).html() === result;
} }
); );
jsc.property( jsc.property(
@ -118,10 +133,18 @@ describe('Helper', function () {
jsc.array(common.jscQueryString()), jsc.array(common.jscQueryString()),
'string', 'string',
function (prefix, query, postfix) { function (prefix, query, postfix) {
prefix = $.PrivateBin.Helper.htmlEntities(prefix); prefix = prefix.replace(/\r/g, '\n').replace(/\u0000/g, '');
postfix = $.PrivateBin.Helper.htmlEntities(postfix); postfix = ' ' + postfix.replace(/\r/g, '\n').replace(/\u0000/g, '');
let url = 'magnet:?' + query.join('').replace(/^&+|&+$/gm,''); let url = 'magnet:?' + query.join('').replace(/^&+|&+$/gm,''),
return prefix + '<a href="' + url + '" rel="nofollow">' + url + '</a> ' + postfix === $.PrivateBin.Helper.urls2links(prefix + url + ' ' + postfix); clean = jsdom();
$('body').html('<div id="foo"></div>');
let e = $('#foo');
e.text(prefix + url + postfix);
$.PrivateBin.Helper.urls2links(e);
let result = e.html();
clean();
url = $('<div />').text(url).html();
return $('<div />').text(prefix).html() + '<a href="' + url + '" rel="nofollow">' + url + '</a>' + $('<div />').text(postfix).html() === result;
} }
); );
}); });

2
tpl/bootstrap.php
View File

@ -72,7 +72,7 @@ endif;
?> ?>
<script type="text/javascript" data-cfasync="false" src="js/purify-2.0.8.js" integrity="sha512-QwcEKGuEmKtMguCO9pqNtUtZqq9b/tJ8gNr5qhY8hykq3zKTlDOvpZAmf6Rs8yH35Bz1ZdctUjj2qEWxT5aXCg==" crossorigin="anonymous"></script> <script type="text/javascript" data-cfasync="false" src="js/purify-2.0.8.js" integrity="sha512-QwcEKGuEmKtMguCO9pqNtUtZqq9b/tJ8gNr5qhY8hykq3zKTlDOvpZAmf6Rs8yH35Bz1ZdctUjj2qEWxT5aXCg==" crossorigin="anonymous"></script>
<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script> <script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script>
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-5GFThJ8KstWT1bNvB5JTAAXA+5QCNDv21foF7hSNoAc0oOxrHiUCP1ZlZs9zk4SbdIsmTSGL12Ecdj5CRISYxg==" crossorigin="anonymous"></script> <script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-QxNK2redCFTgf0W/sniAeqIiX4LOSrqONVTEgt1pQOMgbItohHiV/gx0EV/36Wz+pTtDsqiP2GIvQp+C4ki8Pg==" crossorigin="anonymous"></script>
<link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" /> <link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
<link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" /> <link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" />
<link rel="icon" type="image/png" href="img/favicon-16x16.png?<?php echo rawurlencode($VERSION); ?>" sizes="16x16" /> <link rel="icon" type="image/png" href="img/favicon-16x16.png?<?php echo rawurlencode($VERSION); ?>" sizes="16x16" />

2
tpl/page.php
View File

@ -50,7 +50,7 @@ endif;
?> ?>
<script type="text/javascript" data-cfasync="false" src="js/purify-2.0.8.js" integrity="sha512-QwcEKGuEmKtMguCO9pqNtUtZqq9b/tJ8gNr5qhY8hykq3zKTlDOvpZAmf6Rs8yH35Bz1ZdctUjj2qEWxT5aXCg==" crossorigin="anonymous"></script> <script type="text/javascript" data-cfasync="false" src="js/purify-2.0.8.js" integrity="sha512-QwcEKGuEmKtMguCO9pqNtUtZqq9b/tJ8gNr5qhY8hykq3zKTlDOvpZAmf6Rs8yH35Bz1ZdctUjj2qEWxT5aXCg==" crossorigin="anonymous"></script>
<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script> <script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script>
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-5GFThJ8KstWT1bNvB5JTAAXA+5QCNDv21foF7hSNoAc0oOxrHiUCP1ZlZs9zk4SbdIsmTSGL12Ecdj5CRISYxg==" crossorigin="anonymous"></script> <script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-QxNK2redCFTgf0W/sniAeqIiX4LOSrqONVTEgt1pQOMgbItohHiV/gx0EV/36Wz+pTtDsqiP2GIvQp+C4ki8Pg==" crossorigin="anonymous"></script>
<link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" /> <link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
<link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" /> <link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" />
<link rel="icon" type="image/png" href="img/favicon-16x16.png?<?php echo rawurlencode($VERSION); ?>" sizes="16x16" /> <link rel="icon" type="image/png" href="img/favicon-16x16.png?<?php echo rawurlencode($VERSION); ?>" sizes="16x16" />