Merge branch 'sanitizeMarkdown'
This commit is contained in:
commit
9f973edb7d
|
@ -11,6 +11,7 @@ env:
|
||||||
|
|
||||||
globals:
|
globals:
|
||||||
sjcl: false
|
sjcl: false
|
||||||
|
DOMPurify: false
|
||||||
|
|
||||||
# http://eslint.org/docs/rules/
|
# http://eslint.org/docs/rules/
|
||||||
rules:
|
rules:
|
||||||
|
|
110
js/privatebin.js
110
js/privatebin.js
|
@ -12,6 +12,7 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/** global: Base64 */
|
/** global: Base64 */
|
||||||
|
/** global: DOMPurify */
|
||||||
/** global: FileReader */
|
/** global: FileReader */
|
||||||
/** global: RawDeflate */
|
/** global: RawDeflate */
|
||||||
/** global: history */
|
/** global: history */
|
||||||
|
@ -42,26 +43,6 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
|
||||||
var Helper = (function () {
|
var Helper = (function () {
|
||||||
var me = {};
|
var me = {};
|
||||||
|
|
||||||
/**
|
|
||||||
* character to HTML entity lookup table
|
|
||||||
*
|
|
||||||
* @see {@link https://github.com/janl/mustache.js/blob/master/mustache.js#L60}
|
|
||||||
* @name Helper.entityMap
|
|
||||||
* @private
|
|
||||||
* @enum {Object}
|
|
||||||
* @readonly
|
|
||||||
*/
|
|
||||||
var entityMap = {
|
|
||||||
'&': '&',
|
|
||||||
'<': '<',
|
|
||||||
'>': '>',
|
|
||||||
'"': '"',
|
|
||||||
"'": ''',
|
|
||||||
'/': '/',
|
|
||||||
'`': '`',
|
|
||||||
'=': '='
|
|
||||||
};
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* cache for script location
|
* cache for script location
|
||||||
*
|
*
|
||||||
|
@ -133,28 +114,6 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* set text of a jQuery element (required for IE),
|
|
||||||
*
|
|
||||||
* @name Helper.setElementText
|
|
||||||
* @function
|
|
||||||
* @param {jQuery} $element - a jQuery element
|
|
||||||
* @param {string} text - the text to enter
|
|
||||||
*/
|
|
||||||
me.setElementText = function($element, text)
|
|
||||||
{
|
|
||||||
// For IE<10: Doesn't support white-space:pre-wrap; so we have to do this...
|
|
||||||
if ($('#oldienotice').is(':visible')) {
|
|
||||||
var html = me.htmlEntities(text).replace(/\n/ig, '\r\n<br>');
|
|
||||||
$element.html('<pre>' + html + '</pre>');
|
|
||||||
}
|
|
||||||
// for other (sane) browsers:
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$element.text(text);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* convert URLs to clickable links.
|
* convert URLs to clickable links.
|
||||||
* URLs to handle:
|
* URLs to handle:
|
||||||
|
@ -166,22 +125,14 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
|
||||||
*
|
*
|
||||||
* @name Helper.urls2links
|
* @name Helper.urls2links
|
||||||
* @function
|
* @function
|
||||||
* @param {Object} $element - a jQuery DOM element
|
* @param {string} html
|
||||||
|
* @return {string}
|
||||||
*/
|
*/
|
||||||
me.urls2links = function($element)
|
me.urls2links = function(html)
|
||||||
{
|
{
|
||||||
var markup = '<a href="$1" rel="nofollow">$1</a>';
|
return html.replace(
|
||||||
$element.html(
|
/(((http|https|ftp):\/\/[\w?=&.\/-;#@~%+*-]+(?![\w\s?&.\/;#~%"=-]*>))|((magnet):[\w?=&.\/-;#@~%+*-]+))/ig,
|
||||||
$element.html().replace(
|
'<a href="$1" rel="nofollow">$1</a>'
|
||||||
/((http|https|ftp):\/\/[\w?=&.\/-;#@~%+*-]+(?![\w\s?&.\/;#~%"=-]*>))/ig,
|
|
||||||
markup
|
|
||||||
)
|
|
||||||
);
|
|
||||||
$element.html(
|
|
||||||
$element.html().replace(
|
|
||||||
/((magnet):[\w?=&.\/-;#@~%+*-]+)/ig,
|
|
||||||
markup
|
|
||||||
)
|
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -268,22 +219,6 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
|
||||||
return baseUri;
|
return baseUri;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* convert all applicable characters to HTML entities
|
|
||||||
*
|
|
||||||
* @see {@link https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content}
|
|
||||||
* @name Helper.htmlEntities
|
|
||||||
* @function
|
|
||||||
* @param {string} str
|
|
||||||
* @return {string} escaped HTML
|
|
||||||
*/
|
|
||||||
me.htmlEntities = function(str) {
|
|
||||||
return String(str).replace(
|
|
||||||
/[&<>"'`=\/]/g, function(s) {
|
|
||||||
return entityMap[s];
|
|
||||||
});
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* resets state, used for unit testing
|
* resets state, used for unit testing
|
||||||
*
|
*
|
||||||
|
@ -1764,9 +1699,10 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// set text
|
// set sanitized and linked text
|
||||||
Helper.setElementText($plainText, text);
|
var sanitizedLinkedText = DOMPurify.sanitize(Helper.urls2links(text), {SAFE_FOR_JQUERY: true});
|
||||||
Helper.setElementText($prettyPrint, text);
|
$plainText.html(sanitizedLinkedText);
|
||||||
|
$prettyPrint.html(sanitizedLinkedText);
|
||||||
|
|
||||||
switch (format) {
|
switch (format) {
|
||||||
case 'markdown':
|
case 'markdown':
|
||||||
|
@ -1775,30 +1711,28 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
|
||||||
tables: true,
|
tables: true,
|
||||||
tablesHeaderId: true
|
tablesHeaderId: true
|
||||||
});
|
});
|
||||||
|
// let showdown convert the HTML and sanitize HTML *afterwards*!
|
||||||
$plainText.html(
|
$plainText.html(
|
||||||
converter.makeHtml(text)
|
DOMPurify.sanitize(converter.makeHtml(text), {SAFE_FOR_JQUERY: true})
|
||||||
);
|
);
|
||||||
// add table classes from bootstrap css
|
// add table classes from bootstrap css
|
||||||
$plainText.find('table').addClass('table-condensed table-bordered');
|
$plainText.find('table').addClass('table-condensed table-bordered');
|
||||||
break;
|
break;
|
||||||
case 'syntaxhighlighting':
|
case 'syntaxhighlighting':
|
||||||
// @TODO is this really needed or is "one" enough?
|
// yes, this is really needed to initialize the environment
|
||||||
if (typeof prettyPrint === 'function')
|
if (typeof prettyPrint === 'function')
|
||||||
{
|
{
|
||||||
prettyPrint();
|
prettyPrint();
|
||||||
}
|
}
|
||||||
|
|
||||||
$prettyPrint.html(
|
$prettyPrint.html(
|
||||||
prettyPrintOne(
|
DOMPurify.sanitize(
|
||||||
Helper.htmlEntities(text), null, true
|
prettyPrintOne(Helper.urls2links(text), null, true),
|
||||||
|
{SAFE_FOR_JQUERY: true}
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
// fall through, as the rest is the same
|
// fall through, as the rest is the same
|
||||||
default: // = 'plaintext'
|
default: // = 'plaintext'
|
||||||
// convert URLs to clickable links
|
|
||||||
Helper.urls2links($plainText);
|
|
||||||
Helper.urls2links($prettyPrint);
|
|
||||||
|
|
||||||
$prettyPrint.css('white-space', 'pre-wrap');
|
$prettyPrint.css('white-space', 'pre-wrap');
|
||||||
$prettyPrint.css('word-break', 'normal');
|
$prettyPrint.css('word-break', 'normal');
|
||||||
$prettyPrint.removeClass('prettyprint');
|
$prettyPrint.removeClass('prettyprint');
|
||||||
|
@ -2287,8 +2221,12 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
|
||||||
var $commentEntryData = $commentEntry.find('div.commentdata');
|
var $commentEntryData = $commentEntry.find('div.commentdata');
|
||||||
|
|
||||||
// set & parse text
|
// set & parse text
|
||||||
Helper.setElementText($commentEntryData, commentText);
|
$commentEntryData.html(
|
||||||
Helper.urls2links($commentEntryData);
|
DOMPurify.sanitize(
|
||||||
|
Helper.urls2links(commentText),
|
||||||
|
{SAFE_FOR_JQUERY: true}
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
// set nickname
|
// set nickname
|
||||||
if (nickname.length > 0) {
|
if (nickname.length > 0) {
|
||||||
|
@ -2591,7 +2529,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
|
||||||
for (var i = 0; i < $head.length; i++) {
|
for (var i = 0; i < $head.length; i++) {
|
||||||
newDoc.write($head[i].outerHTML);
|
newDoc.write($head[i].outerHTML);
|
||||||
}
|
}
|
||||||
newDoc.write('</head><body><pre>' + Helper.htmlEntities(paste) + '</pre></body></html>');
|
newDoc.write('</head><body><pre>' + DOMPurify.sanitize(paste, {SAFE_FOR_JQUERY: true}) + '</pre></body></html>');
|
||||||
newDoc.close();
|
newDoc.close();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
File diff suppressed because one or more lines are too long
118
js/test.js
118
js/test.js
|
@ -15,6 +15,22 @@ var jsc = require('jsverify'),
|
||||||
// schemas supported by the whatwg-url library
|
// schemas supported by the whatwg-url library
|
||||||
schemas = ['ftp','gopher','http','https','ws','wss'],
|
schemas = ['ftp','gopher','http','https','ws','wss'],
|
||||||
supportedLanguages = ['de', 'es', 'fr', 'it', 'no', 'pl', 'pt', 'oc', 'ru', 'sl', 'zh'],
|
supportedLanguages = ['de', 'es', 'fr', 'it', 'no', 'pl', 'pt', 'oc', 'ru', 'sl', 'zh'],
|
||||||
|
|
||||||
|
/**
|
||||||
|
* character to HTML entity lookup table
|
||||||
|
*
|
||||||
|
* @see {@link https://github.com/janl/mustache.js/blob/master/mustache.js#L60}
|
||||||
|
*/
|
||||||
|
entityMap = {
|
||||||
|
'&': '&',
|
||||||
|
'<': '<',
|
||||||
|
'>': '>',
|
||||||
|
'"': '"',
|
||||||
|
"'": ''',
|
||||||
|
'/': '/',
|
||||||
|
'`': '`',
|
||||||
|
'=': '='
|
||||||
|
},
|
||||||
logFile = require('fs').createWriteStream('test.log');
|
logFile = require('fs').createWriteStream('test.log');
|
||||||
|
|
||||||
global.$ = global.jQuery = require('./jquery-3.1.1');
|
global.$ = global.jQuery = require('./jquery-3.1.1');
|
||||||
|
@ -26,6 +42,7 @@ require('./prettify');
|
||||||
global.prettyPrint = window.PR.prettyPrint;
|
global.prettyPrint = window.PR.prettyPrint;
|
||||||
global.prettyPrintOne = window.PR.prettyPrintOne;
|
global.prettyPrintOne = window.PR.prettyPrintOne;
|
||||||
global.showdown = require('./showdown-1.6.1');
|
global.showdown = require('./showdown-1.6.1');
|
||||||
|
global.DOMPurify = require('./purify.min');
|
||||||
require('./bootstrap-3.3.7');
|
require('./bootstrap-3.3.7');
|
||||||
require('./privatebin');
|
require('./privatebin');
|
||||||
|
|
||||||
|
@ -34,6 +51,22 @@ console.info = console.warn = console.error = function () {
|
||||||
logFile.write(Array.prototype.slice.call(arguments).join('') + '\n');
|
logFile.write(Array.prototype.slice.call(arguments).join('') + '\n');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* convert all applicable characters to HTML entities
|
||||||
|
*
|
||||||
|
* @see {@link https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content}
|
||||||
|
* @name htmlEntities
|
||||||
|
* @function
|
||||||
|
* @param {string} str
|
||||||
|
* @return {string} escaped HTML
|
||||||
|
*/
|
||||||
|
function htmlEntities(str) {
|
||||||
|
return String(str).replace(
|
||||||
|
/[&<>"'`=\/]/g, function(s) {
|
||||||
|
return entityMap[s];
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
describe('Helper', function () {
|
describe('Helper', function () {
|
||||||
describe('secondsToHuman', function () {
|
describe('secondsToHuman', function () {
|
||||||
after(function () {
|
after(function () {
|
||||||
|
@ -92,7 +125,7 @@ describe('Helper', function () {
|
||||||
var html = '',
|
var html = '',
|
||||||
result = true;
|
result = true;
|
||||||
ids.forEach(function(item, i) {
|
ids.forEach(function(item, i) {
|
||||||
html += '<div id="' + item.join('') + '">' + $.PrivateBin.Helper.htmlEntities(contents[i] || contents[0]) + '</div>';
|
html += '<div id="' + item.join('') + '">' + htmlEntities(contents[i] || contents[0]) + '</div>';
|
||||||
});
|
});
|
||||||
var clean = jsdom(html);
|
var clean = jsdom(html);
|
||||||
ids.forEach(function(item, i) {
|
ids.forEach(function(item, i) {
|
||||||
|
@ -107,34 +140,6 @@ describe('Helper', function () {
|
||||||
);
|
);
|
||||||
});
|
});
|
||||||
|
|
||||||
describe('setElementText', function () {
|
|
||||||
after(function () {
|
|
||||||
cleanup();
|
|
||||||
});
|
|
||||||
|
|
||||||
jsc.property(
|
|
||||||
'replaces the content of an element',
|
|
||||||
jsc.nearray(jsc.nearray(jsc.elements(alnumString))),
|
|
||||||
'nearray string',
|
|
||||||
'string',
|
|
||||||
function (ids, contents, replacingContent) {
|
|
||||||
var html = '',
|
|
||||||
result = true;
|
|
||||||
ids.forEach(function(item, i) {
|
|
||||||
html += '<div id="' + item.join('') + '">' + $.PrivateBin.Helper.htmlEntities(contents[i] || contents[0]) + '</div>';
|
|
||||||
});
|
|
||||||
var elements = $('<body />').html(html);
|
|
||||||
ids.forEach(function(item, i) {
|
|
||||||
var id = item.join(''),
|
|
||||||
element = elements.find('#' + id).first();
|
|
||||||
$.PrivateBin.Helper.setElementText(element, replacingContent);
|
|
||||||
result *= replacingContent === element.text();
|
|
||||||
});
|
|
||||||
return Boolean(result);
|
|
||||||
}
|
|
||||||
);
|
|
||||||
});
|
|
||||||
|
|
||||||
describe('urls2links', function () {
|
describe('urls2links', function () {
|
||||||
after(function () {
|
after(function () {
|
||||||
cleanup();
|
cleanup();
|
||||||
|
@ -144,10 +149,7 @@ describe('Helper', function () {
|
||||||
'ignores non-URL content',
|
'ignores non-URL content',
|
||||||
'string',
|
'string',
|
||||||
function (content) {
|
function (content) {
|
||||||
var element = $('<div>' + content + '</div>'),
|
return content === $.PrivateBin.Helper.urls2links(content);
|
||||||
before = element.html();
|
|
||||||
$.PrivateBin.Helper.urls2links(element);
|
|
||||||
return before === element.html();
|
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
jsc.property(
|
jsc.property(
|
||||||
|
@ -162,9 +164,8 @@ describe('Helper', function () {
|
||||||
var query = query.join(''),
|
var query = query.join(''),
|
||||||
fragment = fragment.join(''),
|
fragment = fragment.join(''),
|
||||||
url = schema + '://' + address.join('') + '/?' + query + '#' + fragment,
|
url = schema + '://' + address.join('') + '/?' + query + '#' + fragment,
|
||||||
prefix = $.PrivateBin.Helper.htmlEntities(prefix),
|
prefix = htmlEntities(prefix),
|
||||||
postfix = ' ' + $.PrivateBin.Helper.htmlEntities(postfix),
|
postfix = ' ' + htmlEntities(postfix);
|
||||||
element = $('<div>' + prefix + url + postfix + '</div>');
|
|
||||||
|
|
||||||
// special cases: When the query string and fragment imply the beginning of an HTML entity, eg. � or &#x
|
// special cases: When the query string and fragment imply the beginning of an HTML entity, eg. � or &#x
|
||||||
if (
|
if (
|
||||||
|
@ -174,11 +175,9 @@ describe('Helper', function () {
|
||||||
{
|
{
|
||||||
url = schema + '://' + address.join('') + '/?' + query.substring(0, query.length - 1);
|
url = schema + '://' + address.join('') + '/?' + query.substring(0, query.length - 1);
|
||||||
postfix = '';
|
postfix = '';
|
||||||
element = $('<div>' + prefix + url + '</div>');
|
|
||||||
}
|
}
|
||||||
|
|
||||||
$.PrivateBin.Helper.urls2links(element);
|
return prefix + '<a href="' + url + '" rel="nofollow">' + url + '</a>' + postfix === $.PrivateBin.Helper.urls2links(prefix + url + postfix);
|
||||||
return element.html() === $('<div>' + prefix + '<a href="' + url + '" rel="nofollow">' + url + '</a>' + postfix + '</div>').html();
|
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
jsc.property(
|
jsc.property(
|
||||||
|
@ -188,11 +187,9 @@ describe('Helper', function () {
|
||||||
'string',
|
'string',
|
||||||
function (prefix, query, postfix) {
|
function (prefix, query, postfix) {
|
||||||
var url = 'magnet:?' + query.join('').replace(/^&+|&+$/gm,''),
|
var url = 'magnet:?' + query.join('').replace(/^&+|&+$/gm,''),
|
||||||
prefix = $.PrivateBin.Helper.htmlEntities(prefix),
|
prefix = htmlEntities(prefix),
|
||||||
postfix = $.PrivateBin.Helper.htmlEntities(postfix),
|
postfix = htmlEntities(postfix);
|
||||||
element = $('<div>' + prefix + url + ' ' + postfix + '</div>');
|
return prefix + '<a href="' + url + '" rel="nofollow">' + url + '</a> ' + postfix === $.PrivateBin.Helper.urls2links(prefix + url + ' ' + postfix);
|
||||||
$.PrivateBin.Helper.urls2links(element);
|
|
||||||
return element.html() === $('<div>' + prefix + '<a href="' + url + '" rel="nofollow">' + url + '</a> ' + postfix + '</div>').html();
|
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
});
|
});
|
||||||
|
@ -337,7 +334,7 @@ describe('Helper', function () {
|
||||||
'removes all HTML entities from any given string',
|
'removes all HTML entities from any given string',
|
||||||
'string',
|
'string',
|
||||||
function (string) {
|
function (string) {
|
||||||
var result = $.PrivateBin.Helper.htmlEntities(string);
|
var result = htmlEntities(string);
|
||||||
return !(/[<>"'`=\/]/.test(result)) && !(string.indexOf('&') > -1 && !(/&/.test(result)));
|
return !(/[<>"'`=\/]/.test(result)) && !(string.indexOf('&') > -1 && !(/&/.test(result)));
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
@ -582,8 +579,8 @@ describe('Model', function () {
|
||||||
'string',
|
'string',
|
||||||
'small nat',
|
'small nat',
|
||||||
function (keys, value, key) {
|
function (keys, value, key) {
|
||||||
keys = keys.map($.PrivateBin.Helper.htmlEntities);
|
keys = keys.map(htmlEntities);
|
||||||
value = $.PrivateBin.Helper.htmlEntities(value);
|
value = htmlEntities(value);
|
||||||
var content = keys.length > key ? keys[key] : (keys.length > 0 ? keys[0] : 'null'),
|
var content = keys.length > key ? keys[key] : (keys.length > 0 ? keys[0] : 'null'),
|
||||||
contents = '<select id="pasteExpiration" name="pasteExpiration">';
|
contents = '<select id="pasteExpiration" name="pasteExpiration">';
|
||||||
keys.forEach(function(item) {
|
keys.forEach(function(item) {
|
||||||
|
@ -595,7 +592,7 @@ describe('Model', function () {
|
||||||
});
|
});
|
||||||
contents += '</select>';
|
contents += '</select>';
|
||||||
$('body').html(contents);
|
$('body').html(contents);
|
||||||
var result = $.PrivateBin.Helper.htmlEntities(
|
var result = htmlEntities(
|
||||||
$.PrivateBin.Model.getExpirationDefault()
|
$.PrivateBin.Model.getExpirationDefault()
|
||||||
);
|
);
|
||||||
$.PrivateBin.Model.reset();
|
$.PrivateBin.Model.reset();
|
||||||
|
@ -616,8 +613,8 @@ describe('Model', function () {
|
||||||
'string',
|
'string',
|
||||||
'small nat',
|
'small nat',
|
||||||
function (keys, value, key) {
|
function (keys, value, key) {
|
||||||
keys = keys.map($.PrivateBin.Helper.htmlEntities);
|
keys = keys.map(htmlEntities);
|
||||||
value = $.PrivateBin.Helper.htmlEntities(value);
|
value = htmlEntities(value);
|
||||||
var content = keys.length > key ? keys[key] : (keys.length > 0 ? keys[0] : 'null'),
|
var content = keys.length > key ? keys[key] : (keys.length > 0 ? keys[0] : 'null'),
|
||||||
contents = '<select id="pasteFormatter" name="pasteFormatter">';
|
contents = '<select id="pasteFormatter" name="pasteFormatter">';
|
||||||
keys.forEach(function(item) {
|
keys.forEach(function(item) {
|
||||||
|
@ -629,7 +626,7 @@ describe('Model', function () {
|
||||||
});
|
});
|
||||||
contents += '</select>';
|
contents += '</select>';
|
||||||
$('body').html(contents);
|
$('body').html(contents);
|
||||||
var result = $.PrivateBin.Helper.htmlEntities(
|
var result = htmlEntities(
|
||||||
$.PrivateBin.Model.getFormatDefault()
|
$.PrivateBin.Model.getFormatDefault()
|
||||||
);
|
);
|
||||||
$.PrivateBin.Model.reset();
|
$.PrivateBin.Model.reset();
|
||||||
|
@ -648,7 +645,7 @@ describe('Model', function () {
|
||||||
'checks if the element with id "cipherdata" contains any data',
|
'checks if the element with id "cipherdata" contains any data',
|
||||||
'asciistring',
|
'asciistring',
|
||||||
function (value) {
|
function (value) {
|
||||||
value = $.PrivateBin.Helper.htmlEntities(value).trim();
|
value = htmlEntities(value).trim();
|
||||||
$('body').html('<div id="cipherdata">' + value + '</div>');
|
$('body').html('<div id="cipherdata">' + value + '</div>');
|
||||||
$.PrivateBin.Model.init();
|
$.PrivateBin.Model.init();
|
||||||
var result = $.PrivateBin.Model.hasCipherData();
|
var result = $.PrivateBin.Model.hasCipherData();
|
||||||
|
@ -668,10 +665,10 @@ describe('Model', function () {
|
||||||
'returns the contents of the element with id "cipherdata"',
|
'returns the contents of the element with id "cipherdata"',
|
||||||
'asciistring',
|
'asciistring',
|
||||||
function (value) {
|
function (value) {
|
||||||
value = $.PrivateBin.Helper.htmlEntities(value).trim();
|
value = htmlEntities(value).trim();
|
||||||
$('body').html('<div id="cipherdata">' + value + '</div>');
|
$('body').html('<div id="cipherdata">' + value + '</div>');
|
||||||
$.PrivateBin.Model.init();
|
$.PrivateBin.Model.init();
|
||||||
var result = $.PrivateBin.Helper.htmlEntities(
|
var result = htmlEntities(
|
||||||
$.PrivateBin.Model.getCipherData()
|
$.PrivateBin.Model.getCipherData()
|
||||||
);
|
);
|
||||||
$.PrivateBin.Model.reset();
|
$.PrivateBin.Model.reset();
|
||||||
|
@ -1450,8 +1447,6 @@ describe('PasteViewer', function () {
|
||||||
// https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
|
// https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
|
||||||
jsc.elements([
|
jsc.elements([
|
||||||
'<PLAINTEXT>',
|
'<PLAINTEXT>',
|
||||||
'\';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";',
|
|
||||||
'alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--',
|
|
||||||
'></SCRIPT>">\'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>',
|
'></SCRIPT>">\'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>',
|
||||||
'\'\';!--"<XSS>=&{()}',
|
'\'\';!--"<XSS>=&{()}',
|
||||||
'<SCRIPT SRC=http://example.com/xss.js></SCRIPT>',
|
'<SCRIPT SRC=http://example.com/xss.js></SCRIPT>',
|
||||||
|
@ -1464,8 +1459,12 @@ describe('PasteViewer', function () {
|
||||||
'<a onmouseover="alert(document.cookie)">xxs link</a>',
|
'<a onmouseover="alert(document.cookie)">xxs link</a>',
|
||||||
'<a onmouseover=alert(document.cookie)>xxs link</a>',
|
'<a onmouseover=alert(document.cookie)>xxs link</a>',
|
||||||
'<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
|
'<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
|
||||||
'<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>'
|
'<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>',
|
||||||
// the list goes on…
|
'<IMG STYLE="xss:expr/*XSS*/ession(alert(\'XSS\'))">',
|
||||||
|
'<FRAMESET><FRAME SRC="javascript:alert(\'XSS\');"></FRAMESET>',
|
||||||
|
'<TABLE BACKGROUND="javascript:alert(\'XSS\')">',
|
||||||
|
'<TABLE><TD BACKGROUND="javascript:alert(\'XSS\')">',
|
||||||
|
'<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="httx://xss.rocks/xss.js"></SCRIPT>'
|
||||||
]),
|
]),
|
||||||
'string',
|
'string',
|
||||||
function (format, prefix, xss, suffix) {
|
function (format, prefix, xss, suffix) {
|
||||||
|
@ -1481,11 +1480,10 @@ describe('PasteViewer', function () {
|
||||||
$.PrivateBin.PasteViewer.setFormat(format);
|
$.PrivateBin.PasteViewer.setFormat(format);
|
||||||
$.PrivateBin.PasteViewer.setText(text);
|
$.PrivateBin.PasteViewer.setText(text);
|
||||||
$.PrivateBin.PasteViewer.run();
|
$.PrivateBin.PasteViewer.run();
|
||||||
var result = $('body').html().indexOf(xss) !== -1;
|
var result = $('body').html().indexOf(xss) === -1;
|
||||||
clean();
|
clean();
|
||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
|
|
@ -66,10 +66,11 @@ endif;
|
||||||
if ($MARKDOWN):
|
if ($MARKDOWN):
|
||||||
?>
|
?>
|
||||||
<script type="text/javascript" src="js/showdown-1.6.1.js" integrity="sha512-e6kAsBTgFnTBnEQXrq8BV6+XFwxb3kyWHeEPOl+KhxaWt3xImE2zAW2+yP3E2CQ7F9yoJl1poVU9qxkOEtVsTQ==" crossorigin="anonymous"></script>
|
<script type="text/javascript" src="js/showdown-1.6.1.js" integrity="sha512-e6kAsBTgFnTBnEQXrq8BV6+XFwxb3kyWHeEPOl+KhxaWt3xImE2zAW2+yP3E2CQ7F9yoJl1poVU9qxkOEtVsTQ==" crossorigin="anonymous"></script>
|
||||||
|
<script type="text/javascript" src="js/purify.min.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-jJuy143F5Oy7oS3VkjzeJGBxIUuQ1H0eSjuvLGD3FiQzeu8Pwp5vI/jQ2dxlxSrzejmNMicdLHnIqH7R8Ft0lQ==" crossorigin="anonymous"></script>
|
||||||
<?php
|
<?php
|
||||||
endif;
|
endif;
|
||||||
?>
|
?>
|
||||||
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-NWkO7YojpZyTn/xpIjVwo+VBSVKIfxHjE9NC41GzcWgt3w36XNZ+wYZZjXLJh44rBj9qBmZiXvvt9g5iNkadlg==" crossorigin="anonymous"></script>
|
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-EvNAh1GXOoUiGZ/W8iPtzsce06bvVHy6+ajJztmfSgdQcKMPoj0dB8j1FC90MEChl7MOeR4xozvDymH/6HwIlA==" crossorigin="anonymous"></script>
|
||||||
<!--[if lt IE 10]>
|
<!--[if lt IE 10]>
|
||||||
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
|
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
|
||||||
<![endif]-->
|
<![endif]-->
|
||||||
|
|
|
@ -44,10 +44,11 @@ endif;
|
||||||
if ($MARKDOWN):
|
if ($MARKDOWN):
|
||||||
?>
|
?>
|
||||||
<script type="text/javascript" src="js/showdown-1.6.1.js" integrity="sha512-e6kAsBTgFnTBnEQXrq8BV6+XFwxb3kyWHeEPOl+KhxaWt3xImE2zAW2+yP3E2CQ7F9yoJl1poVU9qxkOEtVsTQ==" crossorigin="anonymous"></script>
|
<script type="text/javascript" src="js/showdown-1.6.1.js" integrity="sha512-e6kAsBTgFnTBnEQXrq8BV6+XFwxb3kyWHeEPOl+KhxaWt3xImE2zAW2+yP3E2CQ7F9yoJl1poVU9qxkOEtVsTQ==" crossorigin="anonymous"></script>
|
||||||
|
<script type="text/javascript" src="js/purify.min.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-jJuy143F5Oy7oS3VkjzeJGBxIUuQ1H0eSjuvLGD3FiQzeu8Pwp5vI/jQ2dxlxSrzejmNMicdLHnIqH7R8Ft0lQ==" crossorigin="anonymous"></script>
|
||||||
<?php
|
<?php
|
||||||
endif;
|
endif;
|
||||||
?>
|
?>
|
||||||
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-NWkO7YojpZyTn/xpIjVwo+VBSVKIfxHjE9NC41GzcWgt3w36XNZ+wYZZjXLJh44rBj9qBmZiXvvt9g5iNkadlg==" crossorigin="anonymous"></script>
|
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-EvNAh1GXOoUiGZ/W8iPtzsce06bvVHy6+ajJztmfSgdQcKMPoj0dB8j1FC90MEChl7MOeR4xozvDymH/6HwIlA==" crossorigin="anonymous"></script>
|
||||||
<!--[if lt IE 10]>
|
<!--[if lt IE 10]>
|
||||||
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
|
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
|
||||||
<![endif]-->
|
<![endif]-->
|
||||||
|
|
Loading…
Reference in New Issue