From 9fa2ea3373dbce0396572df4aa8510ede87d0008 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Wed, 22 Nov 2017 08:05:06 +0100 Subject: [PATCH] ensuring text is sanitized in all cases, before being injected into the DOM --- js/privatebin.js | 17 ++++------------- tpl/bootstrap.php | 2 +- tpl/page.php | 2 +- 3 files changed, 6 insertions(+), 15 deletions(-) diff --git a/js/privatebin.js b/js/privatebin.js index 77e458f..86b6046 100644 --- a/js/privatebin.js +++ b/js/privatebin.js @@ -1766,8 +1766,9 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) { } // set text - Helper.setElementText($plainText, text); - Helper.setElementText($prettyPrint, text); + var sanitizedText = DOMPurify.sanitize(text, {SAFE_FOR_JQUERY: true}) + Helper.setElementText($plainText, sanitizedText); + Helper.setElementText($prettyPrint, sanitizedText); switch (format) { case 'markdown': @@ -1792,7 +1793,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) { $prettyPrint.html( prettyPrintOne( - Helper.htmlEntities(text), null, true + Helper.htmlEntities(sanitizedText), null, true ) ); // fall through, as the rest is the same @@ -1800,16 +1801,6 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) { // convert URLs to clickable links Helper.urls2links($plainText); Helper.urls2links($prettyPrint); - $plainText.html( - DOMPurify.sanitize( - $plainText.html(), {SAFE_FOR_JQUERY: true} - ) - ); - $prettyPrint.html( - DOMPurify.sanitize( - $prettyPrint.html(), {SAFE_FOR_JQUERY: true} - ) - ); $prettyPrint.css('white-space', 'pre-wrap'); $prettyPrint.css('word-break', 'normal'); diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php index aee9583..89cd4ff 100644 --- a/tpl/bootstrap.php +++ b/tpl/bootstrap.php @@ -70,7 +70,7 @@ if ($MARKDOWN): - + diff --git a/tpl/page.php b/tpl/page.php index 1d7355b..c59fba7 100644 --- a/tpl/page.php +++ b/tpl/page.php @@ -48,7 +48,7 @@ if ($MARKDOWN): - +