From 8d0ac336d23cd8c98e71d5f21cdadcae9c8a26e6 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Wed, 25 Dec 2019 09:14:32 +0100 Subject: [PATCH] addressing jsverifyRngState 8b8f0d4ec2a67139b5, fixes HTML injection via filename, closes #554 --- CHANGELOG.md | 1 + js/privatebin.js | 8 ++++++-- js/test/AttachmentViewer.js | 4 ++-- tpl/bootstrap.php | 2 +- tpl/page.php | 2 +- 5 files changed, 11 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 18d6bf3..c5f49c5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ * ADDED: Translation for Ukrainian (#533) * ADDED: Option to send a mail with the link, when creating a paste (#398) * ADDED: Add support for CONFIG_PATH environment variable (#552) + * FIXED: HTML injection via unescaped attachment filename (#554) * FIXED: Password disabling option (#527) * **1.3.1 (2019-09-22)** * ADDED: Translation for Bulgarian (#455) diff --git a/js/privatebin.js b/js/privatebin.js index eea8767..dc7adef 100644 --- a/js/privatebin.js +++ b/js/privatebin.js @@ -2795,8 +2795,12 @@ jQuery.PrivateBin = (function($, RawDeflate) { // move elemement to new place $attachmentLink.appendTo($element); - // update text - I18n._($attachmentLink, label, $attachmentLink.attr('download')); + // update text - ensuring no HTML is inserted into the text node + I18n._( + $attachmentLink, + $('
').text(label).html(), + $('
').text($attachmentLink.attr('download')).html() + ); }; /** diff --git a/js/test/AttachmentViewer.js b/js/test/AttachmentViewer.js index 438b2f8..e891deb 100644 --- a/js/test/AttachmentViewer.js +++ b/js/test/AttachmentViewer.js @@ -25,7 +25,7 @@ describe('AttachmentViewer', function () { mimeType.match(/\/pdf/i) ), results = []; - prefix = prefix.replace(/%(s|d)/g, '%%'); + prefix = prefix.replace(/%(s|d)/g, '%%'); postfix = postfix.replace(/%(s|d)/g, '%%'); $('body').html( '