Try to move sanitisation & links into setElementText
This commit is contained in:
parent
3d2dbabaec
commit
8d2e19f791
141
js/privatebin.js
141
js/privatebin.js
|
@ -43,26 +43,6 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
|
||||||
var Helper = (function () {
|
var Helper = (function () {
|
||||||
var me = {};
|
var me = {};
|
||||||
|
|
||||||
/**
|
|
||||||
* character to HTML entity lookup table
|
|
||||||
*
|
|
||||||
* @see {@link https://github.com/janl/mustache.js/blob/master/mustache.js#L60}
|
|
||||||
* @name Helper.entityMap
|
|
||||||
* @private
|
|
||||||
* @enum {Object}
|
|
||||||
* @readonly
|
|
||||||
*/
|
|
||||||
var entityMap = {
|
|
||||||
'&': '&',
|
|
||||||
'<': '<',
|
|
||||||
'>': '>',
|
|
||||||
'"': '"',
|
|
||||||
"'": ''',
|
|
||||||
'/': '/',
|
|
||||||
'`': '`',
|
|
||||||
'=': '='
|
|
||||||
};
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* cache for script location
|
* cache for script location
|
||||||
*
|
*
|
||||||
|
@ -72,6 +52,36 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
|
||||||
*/
|
*/
|
||||||
var baseUri = null;
|
var baseUri = null;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* convert URLs to clickable links.
|
||||||
|
* URLs to handle:
|
||||||
|
* <pre>
|
||||||
|
* magnet:?xt.1=urn:sha1:YNCKHTQCWBTRNJIV4WNAE52SJUQCZO5C&xt.2=urn:sha1:TXGCZQTH26NL6OUQAJJPFALHG2LTGBC7
|
||||||
|
* http://example.com:8800/zero/?6f09182b8ea51997#WtLEUO5Epj9UHAV9JFs+6pUQZp13TuspAUjnF+iM+dM=
|
||||||
|
* http://user:example.com@localhost:8800/zero/?6f09182b8ea51997#WtLEUO5Epj9UHAV9JFs+6pUQZp13TuspAUjnF+iM+dM=
|
||||||
|
* </pre>
|
||||||
|
* Attention: Does *not* sanitize HTML code! It is strongly advised to sanitize it after running this function.
|
||||||
|
*
|
||||||
|
*
|
||||||
|
* @name Helper.urls2links
|
||||||
|
* @function
|
||||||
|
* @param {String} html - HTML code
|
||||||
|
*/
|
||||||
|
urls2links = function(html)
|
||||||
|
{
|
||||||
|
var markup = '<a href="$1" rel="nofollow">$1</a>';
|
||||||
|
// short test: https://regex101.com/r/AttfVd/1
|
||||||
|
html.replace(
|
||||||
|
/((http|https|ftp):\/\/[\w?=&.\/-;#@~%+*-]+(?![\w\s?&.\/;#~%"=-]*>))/ig,
|
||||||
|
markup
|
||||||
|
)
|
||||||
|
// shorttest: https://regex101.com/r/sCm8Xe/2
|
||||||
|
html.replace(
|
||||||
|
/((magnet):[\w?=&.\/-;#@~%+*-]+)/ig,
|
||||||
|
markup
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* converts a duration (in seconds) into human friendly approximation
|
* converts a duration (in seconds) into human friendly approximation
|
||||||
*
|
*
|
||||||
|
@ -135,55 +145,38 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* set text of a jQuery element (required for IE),
|
* set text of a jQuery element (required for IE)
|
||||||
*
|
*
|
||||||
* @name Helper.setElementText
|
* @name Helper.setElementText
|
||||||
* @function
|
* @function
|
||||||
* @param {jQuery} $element - a jQuery element
|
* @param {jQuery} $element - a jQuery element
|
||||||
* @param {string} text - the text to enter
|
* @param {string} text - the text to enter
|
||||||
|
* @param {bool} convertLinks - whether to convert the links in the text
|
||||||
*/
|
*/
|
||||||
me.setElementText = function($element, text)
|
me.setElementText = function($element, text, convertLinks)
|
||||||
{
|
{
|
||||||
// For IE<10: Doesn't support white-space:pre-wrap; so we have to do this...
|
var isIe = $('#oldienotice').is(':visible');
|
||||||
if ($('#oldienotice').is(':visible')) {
|
// text-only and no IE -> fast way: set text-only
|
||||||
var html = me.htmlEntities(text).replace(/\n/ig, '\r\n<br>');
|
if ((convertLinks === false) && isIe === false) {
|
||||||
$element.html('<pre>' + html + '</pre>');
|
return $element.text(text);
|
||||||
}
|
}
|
||||||
// for other (sane) browsers:
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$element.text(text);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
// convert text to plain-text
|
||||||
* convert URLs to clickable links.
|
// but as we need to handle HTML code afterwards
|
||||||
* URLs to handle:
|
var html = $(text).text();
|
||||||
* <pre>
|
|
||||||
* magnet:?xt.1=urn:sha1:YNCKHTQCWBTRNJIV4WNAE52SJUQCZO5C&xt.2=urn:sha1:TXGCZQTH26NL6OUQAJJPFALHG2LTGBC7
|
if (convertLinks === true) {
|
||||||
* http://example.com:8800/zero/?6f09182b8ea51997#WtLEUO5Epj9UHAV9JFs+6pUQZp13TuspAUjnF+iM+dM=
|
html = me.urls2links(html);
|
||||||
* http://user:example.com@localhost:8800/zero/?6f09182b8ea51997#WtLEUO5Epj9UHAV9JFs+6pUQZp13TuspAUjnF+iM+dM=
|
}
|
||||||
* </pre>
|
|
||||||
*
|
// workaround: IE<10 doesn't support white-space:pre-wrap; so we have to do this...
|
||||||
* @name Helper.urls2links
|
if (isIe) {
|
||||||
* @function
|
html = html.replace(/\n/ig, '\r\n<br>');
|
||||||
* @param {Object} $element - a jQuery DOM element
|
}
|
||||||
*/
|
|
||||||
me.urls2links = function($element)
|
// finally sanitize it for security (XSS) reasons
|
||||||
{
|
html = me.sanitizeHtml(text);
|
||||||
var markup = '<a href="$1" rel="nofollow">$1</a>';
|
$element.html(html);
|
||||||
$element.html(
|
|
||||||
$element.html().replace(
|
|
||||||
/((http|https|ftp):\/\/[\w?=&.\/-;#@~%+*-]+(?![\w\s?&.\/;#~%"=-]*>))/ig,
|
|
||||||
markup
|
|
||||||
)
|
|
||||||
);
|
|
||||||
$element.html(
|
|
||||||
$element.html().replace(
|
|
||||||
/((magnet):[\w?=&.\/-;#@~%+*-]+)/ig,
|
|
||||||
markup
|
|
||||||
)
|
|
||||||
);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -270,19 +263,17 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* convert all applicable characters to HTML entities
|
* sanitizes html code to prevent XSS attacks
|
||||||
*
|
*
|
||||||
* @see {@link https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content}
|
* Now uses DOMPurify instead of some self-made stuff for security reasons.
|
||||||
* @name Helper.htmlEntities
|
*
|
||||||
|
* @name Helper.sanitizeHtml
|
||||||
* @function
|
* @function
|
||||||
* @param {string} str
|
* @param {string} str
|
||||||
* @return {string} escaped HTML
|
* @return {string} escaped HTML
|
||||||
*/
|
*/
|
||||||
me.htmlEntities = function(str) {
|
me.sanitizeHtml = function(str) {
|
||||||
return String(str).replace(
|
return DOMPurify.sanitize(str, {SAFE_FOR_JQUERY: true});
|
||||||
/[&<>"'`=\/]/g, function(s) {
|
|
||||||
return entityMap[s];
|
|
||||||
});
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -1766,9 +1757,8 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// set text
|
// set text
|
||||||
var sanitizedText = DOMPurify.sanitize(text, {SAFE_FOR_JQUERY: true})
|
Helper.setElementText($plainText, text, false);
|
||||||
Helper.setElementText($plainText, sanitizedText);
|
Helper.setElementText($prettyPrint, text, true);
|
||||||
Helper.setElementText($prettyPrint, sanitizedText);
|
|
||||||
|
|
||||||
switch (format) {
|
switch (format) {
|
||||||
case 'markdown':
|
case 'markdown':
|
||||||
|
@ -1793,15 +1783,12 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
|
||||||
|
|
||||||
$prettyPrint.html(
|
$prettyPrint.html(
|
||||||
prettyPrintOne(
|
prettyPrintOne(
|
||||||
Helper.htmlEntities(sanitizedText), null, true
|
Helper.sanitizeHtml(text), null, true
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
// fall through, as the rest is the same
|
// fall through, as the rest is the same
|
||||||
default: // = 'plaintext'
|
default: // = 'plaintext'
|
||||||
// convert URLs to clickable links
|
// adjust CSS so it looks good
|
||||||
Helper.urls2links($plainText);
|
|
||||||
Helper.urls2links($prettyPrint);
|
|
||||||
|
|
||||||
$prettyPrint.css('white-space', 'pre-wrap');
|
$prettyPrint.css('white-space', 'pre-wrap');
|
||||||
$prettyPrint.css('word-break', 'normal');
|
$prettyPrint.css('word-break', 'normal');
|
||||||
$prettyPrint.removeClass('prettyprint');
|
$prettyPrint.removeClass('prettyprint');
|
||||||
|
@ -2594,7 +2581,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
|
||||||
for (var i = 0; i < $head.length; i++) {
|
for (var i = 0; i < $head.length; i++) {
|
||||||
newDoc.write($head[i].outerHTML);
|
newDoc.write($head[i].outerHTML);
|
||||||
}
|
}
|
||||||
newDoc.write('</head><body><pre>' + Helper.htmlEntities(paste) + '</pre></body></html>');
|
newDoc.write('</head><body><pre>' + Helper.sanitizeHtml(paste) + '</pre></body></html>');
|
||||||
newDoc.close();
|
newDoc.close();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
40
js/test.js
40
js/test.js
|
@ -93,7 +93,7 @@ describe('Helper', function () {
|
||||||
var html = '',
|
var html = '',
|
||||||
result = true;
|
result = true;
|
||||||
ids.forEach(function(item, i) {
|
ids.forEach(function(item, i) {
|
||||||
html += '<div id="' + item.join('') + '">' + $.PrivateBin.Helper.htmlEntities(contents[i] || contents[0]) + '</div>';
|
html += '<div id="' + item.join('') + '">' + $.PrivateBin.Helper.sanitizeHtml(contents[i] || contents[0]) + '</div>';
|
||||||
});
|
});
|
||||||
var clean = jsdom(html);
|
var clean = jsdom(html);
|
||||||
ids.forEach(function(item, i) {
|
ids.forEach(function(item, i) {
|
||||||
|
@ -122,7 +122,7 @@ describe('Helper', function () {
|
||||||
var html = '',
|
var html = '',
|
||||||
result = true;
|
result = true;
|
||||||
ids.forEach(function(item, i) {
|
ids.forEach(function(item, i) {
|
||||||
html += '<div id="' + item.join('') + '">' + $.PrivateBin.Helper.htmlEntities(contents[i] || contents[0]) + '</div>';
|
html += '<div id="' + item.join('') + '">' + $.PrivateBin.Helper.sanitizeHtml(contents[i] || contents[0]) + '</div>';
|
||||||
});
|
});
|
||||||
var elements = $('<body />').html(html);
|
var elements = $('<body />').html(html);
|
||||||
ids.forEach(function(item, i) {
|
ids.forEach(function(item, i) {
|
||||||
|
@ -163,9 +163,9 @@ describe('Helper', function () {
|
||||||
var query = query.join(''),
|
var query = query.join(''),
|
||||||
fragment = fragment.join(''),
|
fragment = fragment.join(''),
|
||||||
url = schema + '://' + address.join('') + '/?' + query + '#' + fragment,
|
url = schema + '://' + address.join('') + '/?' + query + '#' + fragment,
|
||||||
prefix = $.PrivateBin.Helper.htmlEntities(prefix),
|
prefix = $.PrivateBin.Helper.sanitizeHtml(prefix),
|
||||||
postfix = ' ' + $.PrivateBin.Helper.htmlEntities(postfix),
|
postfix = ' ' + $.PrivateBin.Helper.sanitizeHtml(postfix),
|
||||||
element = $('<div>' + prefix + url + postfix + '</div>');
|
element = '<div>' + prefix + url + postfix + '</div>';
|
||||||
|
|
||||||
// special cases: When the query string and fragment imply the beginning of an HTML entity, eg. � or &#x
|
// special cases: When the query string and fragment imply the beginning of an HTML entity, eg. � or &#x
|
||||||
if (
|
if (
|
||||||
|
@ -175,11 +175,11 @@ describe('Helper', function () {
|
||||||
{
|
{
|
||||||
url = schema + '://' + address.join('') + '/?' + query.substring(0, query.length - 1);
|
url = schema + '://' + address.join('') + '/?' + query.substring(0, query.length - 1);
|
||||||
postfix = '';
|
postfix = '';
|
||||||
element = $('<div>' + prefix + url + '</div>');
|
element = '<div>' + prefix + url + '</div>';
|
||||||
}
|
}
|
||||||
|
|
||||||
$.PrivateBin.Helper.urls2links(element);
|
$.PrivateBin.Helper.urls2links(element);
|
||||||
return element.html() === $('<div>' + prefix + '<a href="' + url + '" rel="nofollow">' + url + '</a>' + postfix + '</div>').html();
|
return element.html() === '<div>' + prefix + '<a href="' + url + '" rel="nofollow">' + url + '</a>' + postfix + '</div>';
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
jsc.property(
|
jsc.property(
|
||||||
|
@ -189,8 +189,8 @@ describe('Helper', function () {
|
||||||
'string',
|
'string',
|
||||||
function (prefix, query, postfix) {
|
function (prefix, query, postfix) {
|
||||||
var url = 'magnet:?' + query.join('').replace(/^&+|&+$/gm,''),
|
var url = 'magnet:?' + query.join('').replace(/^&+|&+$/gm,''),
|
||||||
prefix = $.PrivateBin.Helper.htmlEntities(prefix),
|
prefix = $.PrivateBin.Helper.sanitizeHtml(prefix),
|
||||||
postfix = $.PrivateBin.Helper.htmlEntities(postfix),
|
postfix = $.PrivateBin.Helper.sanitizeHtml(postfix),
|
||||||
element = $('<div>' + prefix + url + ' ' + postfix + '</div>');
|
element = $('<div>' + prefix + url + ' ' + postfix + '</div>');
|
||||||
$.PrivateBin.Helper.urls2links(element);
|
$.PrivateBin.Helper.urls2links(element);
|
||||||
return element.html() === $('<div>' + prefix + '<a href="' + url + '" rel="nofollow">' + url + '</a> ' + postfix + '</div>').html();
|
return element.html() === $('<div>' + prefix + '<a href="' + url + '" rel="nofollow">' + url + '</a> ' + postfix + '</div>').html();
|
||||||
|
@ -329,7 +329,7 @@ describe('Helper', function () {
|
||||||
);
|
);
|
||||||
});
|
});
|
||||||
|
|
||||||
describe('htmlEntities', function () {
|
describe('sanitizeHtml', function () {
|
||||||
after(function () {
|
after(function () {
|
||||||
cleanup();
|
cleanup();
|
||||||
});
|
});
|
||||||
|
@ -338,7 +338,7 @@ describe('Helper', function () {
|
||||||
'removes all HTML entities from any given string',
|
'removes all HTML entities from any given string',
|
||||||
'string',
|
'string',
|
||||||
function (string) {
|
function (string) {
|
||||||
var result = $.PrivateBin.Helper.htmlEntities(string);
|
var result = $.PrivateBin.Helper.sanitizeHtml(string);
|
||||||
return !(/[<>"'`=\/]/.test(result)) && !(string.indexOf('&') > -1 && !(/&/.test(result)));
|
return !(/[<>"'`=\/]/.test(result)) && !(string.indexOf('&') > -1 && !(/&/.test(result)));
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
@ -583,8 +583,8 @@ describe('Model', function () {
|
||||||
'string',
|
'string',
|
||||||
'small nat',
|
'small nat',
|
||||||
function (keys, value, key) {
|
function (keys, value, key) {
|
||||||
keys = keys.map($.PrivateBin.Helper.htmlEntities);
|
keys = keys.map($.PrivateBin.Helper.sanitizeHtml);
|
||||||
value = $.PrivateBin.Helper.htmlEntities(value);
|
value = $.PrivateBin.Helper.sanitizeHtml(value);
|
||||||
var content = keys.length > key ? keys[key] : (keys.length > 0 ? keys[0] : 'null'),
|
var content = keys.length > key ? keys[key] : (keys.length > 0 ? keys[0] : 'null'),
|
||||||
contents = '<select id="pasteExpiration" name="pasteExpiration">';
|
contents = '<select id="pasteExpiration" name="pasteExpiration">';
|
||||||
keys.forEach(function(item) {
|
keys.forEach(function(item) {
|
||||||
|
@ -596,7 +596,7 @@ describe('Model', function () {
|
||||||
});
|
});
|
||||||
contents += '</select>';
|
contents += '</select>';
|
||||||
$('body').html(contents);
|
$('body').html(contents);
|
||||||
var result = $.PrivateBin.Helper.htmlEntities(
|
var result = $.PrivateBin.Helper.sanitizeHtml(
|
||||||
$.PrivateBin.Model.getExpirationDefault()
|
$.PrivateBin.Model.getExpirationDefault()
|
||||||
);
|
);
|
||||||
$.PrivateBin.Model.reset();
|
$.PrivateBin.Model.reset();
|
||||||
|
@ -617,8 +617,8 @@ describe('Model', function () {
|
||||||
'string',
|
'string',
|
||||||
'small nat',
|
'small nat',
|
||||||
function (keys, value, key) {
|
function (keys, value, key) {
|
||||||
keys = keys.map($.PrivateBin.Helper.htmlEntities);
|
keys = keys.map($.PrivateBin.Helper.sanitizeHtml);
|
||||||
value = $.PrivateBin.Helper.htmlEntities(value);
|
value = $.PrivateBin.Helper.sanitizeHtml(value);
|
||||||
var content = keys.length > key ? keys[key] : (keys.length > 0 ? keys[0] : 'null'),
|
var content = keys.length > key ? keys[key] : (keys.length > 0 ? keys[0] : 'null'),
|
||||||
contents = '<select id="pasteFormatter" name="pasteFormatter">';
|
contents = '<select id="pasteFormatter" name="pasteFormatter">';
|
||||||
keys.forEach(function(item) {
|
keys.forEach(function(item) {
|
||||||
|
@ -630,7 +630,7 @@ describe('Model', function () {
|
||||||
});
|
});
|
||||||
contents += '</select>';
|
contents += '</select>';
|
||||||
$('body').html(contents);
|
$('body').html(contents);
|
||||||
var result = $.PrivateBin.Helper.htmlEntities(
|
var result = $.PrivateBin.Helper.sanitizeHtml(
|
||||||
$.PrivateBin.Model.getFormatDefault()
|
$.PrivateBin.Model.getFormatDefault()
|
||||||
);
|
);
|
||||||
$.PrivateBin.Model.reset();
|
$.PrivateBin.Model.reset();
|
||||||
|
@ -649,7 +649,7 @@ describe('Model', function () {
|
||||||
'checks if the element with id "cipherdata" contains any data',
|
'checks if the element with id "cipherdata" contains any data',
|
||||||
'asciistring',
|
'asciistring',
|
||||||
function (value) {
|
function (value) {
|
||||||
value = $.PrivateBin.Helper.htmlEntities(value).trim();
|
value = $.PrivateBin.Helper.sanitizeHtml(value).trim();
|
||||||
$('body').html('<div id="cipherdata">' + value + '</div>');
|
$('body').html('<div id="cipherdata">' + value + '</div>');
|
||||||
$.PrivateBin.Model.init();
|
$.PrivateBin.Model.init();
|
||||||
var result = $.PrivateBin.Model.hasCipherData();
|
var result = $.PrivateBin.Model.hasCipherData();
|
||||||
|
@ -669,10 +669,10 @@ describe('Model', function () {
|
||||||
'returns the contents of the element with id "cipherdata"',
|
'returns the contents of the element with id "cipherdata"',
|
||||||
'asciistring',
|
'asciistring',
|
||||||
function (value) {
|
function (value) {
|
||||||
value = $.PrivateBin.Helper.htmlEntities(value).trim();
|
value = $.PrivateBin.Helper.sanitizeHtml(value).trim();
|
||||||
$('body').html('<div id="cipherdata">' + value + '</div>');
|
$('body').html('<div id="cipherdata">' + value + '</div>');
|
||||||
$.PrivateBin.Model.init();
|
$.PrivateBin.Model.init();
|
||||||
var result = $.PrivateBin.Helper.htmlEntities(
|
var result = $.PrivateBin.Helper.sanitizeHtml(
|
||||||
$.PrivateBin.Model.getCipherData()
|
$.PrivateBin.Model.getCipherData()
|
||||||
);
|
);
|
||||||
$.PrivateBin.Model.reset();
|
$.PrivateBin.Model.reset();
|
||||||
|
|
Loading…
Reference in New Issue