applying HTML entity cleanup to raw paste, too, fixing #137

2016-12-25 13:04:06 +01:00
parent 97cbcb0aab
commit 1badd5e542
8 changed files with 9 additions and 7 deletions
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -295,6 +295,7 @@ $(function() {
        /**
         * Convert all applicable characters to HTML entities.
         * From: https://github.com/janl/mustache.js/blob/master/mustache.js#L60
+         * Also: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
         *
         * @param string str
         * @return string escaped HTML
@@ -1279,7 +1280,7 @@ $(function() {
            // we use text/html instead of text/plain to avoid a bug when
            // reloading the raw text view (it reverts to type text/html)
            var newDoc = document.open('text/html', 'replace');
-            newDoc.write('<pre>' + paste + '</pre>');
+            newDoc.write('<pre>' + helper.htmlEntities(paste) + '</pre>');
            newDoc.close();
        },