updating DOMPurify library, simplifying its use, ensuring HTML entities get escaped before formatting paste - regression introduced in #258, reported in #269

2018-01-01 10:25:07 +01:00 · 2018-01-01 10:25:07 +01:00 · bb54d46c7e
parent 6093f0cc9c
commit bb54d46c7e
6 changed files with 16 additions and 16 deletions
--- a/js/privatebin.js
+++ b/js/privatebin.js
@ -1700,7 +1700,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
            }

            // set sanitized and linked text
-            var sanitizedLinkedText = DOMPurify.sanitize(Helper.urls2links(text), {SAFE_FOR_JQUERY: true});
+            var sanitizedLinkedText = DOMPurify.sanitize(Helper.urls2links(text));
            $plainText.html(sanitizedLinkedText);
            $prettyPrint.html(sanitizedLinkedText);

@ -1713,7 +1713,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
                    });
                    // let showdown convert the HTML and sanitize HTML *afterwards*!
                    $plainText.html(
-                        DOMPurify.sanitize(converter.makeHtml(text), {SAFE_FOR_JQUERY: true})
+                        DOMPurify.sanitize(converter.makeHtml(text))
                    );
                    // add table classes from bootstrap css
                    $plainText.find('table').addClass('table-condensed table-bordered');
@ -1727,8 +1727,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {

                    $prettyPrint.html(
                        DOMPurify.sanitize(
-                            prettyPrintOne(Helper.urls2links(text), null, true),
-                            {SAFE_FOR_JQUERY: true}
+                            prettyPrintOne(Helper.urls2links(text), null, true)
                        )
                    );
                    // fall through, as the rest is the same
@ -1824,6 +1823,8 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
         */
        me.setText = function(newText)
        {
+            // escape HTML entities
+            newText = $('<div />').text(newText).html();
            if (text !== newText) {
                text = newText;
                isChanged = true;
@ -2223,8 +2224,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
            // set & parse text
            $commentEntryData.html(
                DOMPurify.sanitize(
-                    Helper.urls2links(commentText),
-                    {SAFE_FOR_JQUERY: true}
+                    Helper.urls2links(commentText)
                )
            );

@ -2529,7 +2529,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
            for (var i = 0; i < $head.length; i++) {
                newDoc.write($head[i].outerHTML);
            }
-            newDoc.write('</head><body><pre>' + DOMPurify.sanitize(paste, {SAFE_FOR_JQUERY: true}) + '</pre></body></html>');
+            newDoc.write('</head><body><pre>' + DOMPurify.sanitize(paste) + '</pre></body></html>');
            newDoc.close();
        }

@ -3939,10 +3939,11 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
            // first load translations
            I18n.loadTranslations();

+            DOMPurify.setConfig({SAFE_FOR_JQUERY: true});
+
            // initialize other modules/"classes"
            Alert.init();
            Model.init();
-
            AttachmentViewer.init();
            DiscussionViewer.init();
            Editor.init();
--- a/js/purify-1.0.3.js
+++ b/js/purify-1.0.3.js
--- a/js/purify.min.js
+++ b/js/purify.min.js
--- a/js/test.js
+++ b/js/test.js
@ -42,7 +42,7 @@ require('./prettify');
 global.prettyPrint = window.PR.prettyPrint;
 global.prettyPrintOne = window.PR.prettyPrintOne;
 global.showdown = require('./showdown-1.6.1');
-global.DOMPurify = require('./purify.min');
+global.DOMPurify = require('./purify-1.0.3');
 require('./bootstrap-3.3.7');
 require('./privatebin');

@ -1422,7 +1422,7 @@ describe('PasteViewer', function () {
                results.push(
                    $('#placeholder').hasClass('hidden') &&
                    !$.PrivateBin.PasteViewer.isPrettyPrinted() &&
-                    $.PrivateBin.PasteViewer.getText() == text
+                    $.PrivateBin.PasteViewer.getText() == $('<div />').text(text).html()
                );
                if (format == 'markdown') {
                    results.push(
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@ -66,11 +66,11 @@ endif;
 if ($MARKDOWN):
 ?>
 		<script type="text/javascript" src="js/showdown-1.6.1.js" integrity="sha512-e6kAsBTgFnTBnEQXrq8BV6+XFwxb3kyWHeEPOl+KhxaWt3xImE2zAW2+yP3E2CQ7F9yoJl1poVU9qxkOEtVsTQ==" crossorigin="anonymous"></script>
-		<script type="text/javascript" src="js/purify.min.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-jJuy143F5Oy7oS3VkjzeJGBxIUuQ1H0eSjuvLGD3FiQzeu8Pwp5vI/jQ2dxlxSrzejmNMicdLHnIqH7R8Ft0lQ==" crossorigin="anonymous"></script>
+		<script type="text/javascript" src="js/purify-1.0.3.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-uhzhZJSgc+XJoaxCOjiuRzQaf5klPlSSVKGw69+zT72hhfLbVwB4jbwI+f7NRucuRz6u0aFGMeZ+0PnGh73iBQ==" crossorigin="anonymous"></script>
 <?php
 endif;
 ?>
-		<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-EvNAh1GXOoUiGZ/W8iPtzsce06bvVHy6+ajJztmfSgdQcKMPoj0dB8j1FC90MEChl7MOeR4xozvDymH/6HwIlA==" crossorigin="anonymous"></script>
+		<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-51v9MtL1fUeIOp2VekfHq4VR6kdR/SyYqkAT1WGRZXDP5+ct6A1qktVW9HNNL6EXYQbMpzgVuYUIZ6HhULcGSA==" crossorigin="anonymous"></script>
 		<!--[if lt IE 10]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
 		<![endif]-->
--- a/tpl/page.php
+++ b/tpl/page.php
@ -44,11 +44,11 @@ endif;
 if ($MARKDOWN):
 ?>
 		<script type="text/javascript" src="js/showdown-1.6.1.js" integrity="sha512-e6kAsBTgFnTBnEQXrq8BV6+XFwxb3kyWHeEPOl+KhxaWt3xImE2zAW2+yP3E2CQ7F9yoJl1poVU9qxkOEtVsTQ==" crossorigin="anonymous"></script>
-		<script type="text/javascript" src="js/purify.min.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-jJuy143F5Oy7oS3VkjzeJGBxIUuQ1H0eSjuvLGD3FiQzeu8Pwp5vI/jQ2dxlxSrzejmNMicdLHnIqH7R8Ft0lQ==" crossorigin="anonymous"></script>
+		<script type="text/javascript" src="js/purify-1.0.3.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-uhzhZJSgc+XJoaxCOjiuRzQaf5klPlSSVKGw69+zT72hhfLbVwB4jbwI+f7NRucuRz6u0aFGMeZ+0PnGh73iBQ==" crossorigin="anonymous"></script>
 <?php
 endif;
 ?>
-		<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-EvNAh1GXOoUiGZ/W8iPtzsce06bvVHy6+ajJztmfSgdQcKMPoj0dB8j1FC90MEChl7MOeR4xozvDymH/6HwIlA==" crossorigin="anonymous"></script>
+		<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-51v9MtL1fUeIOp2VekfHq4VR6kdR/SyYqkAT1WGRZXDP5+ct6A1qktVW9HNNL6EXYQbMpzgVuYUIZ6HhULcGSA==" crossorigin="anonymous"></script>
 		<!--[if lt IE 10]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
 		<![endif]-->