correcting the XSS test, commenting two failing patterns, to be reviewed by @rugk

2017-11-22 07:03:29 +01:00
parent 233bd65b00
commit 2d00202b42
4 changed files with 18 additions and 7 deletions
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -12,6 +12,7 @@
 */

 /** global: Base64 */
+/** global: DOMPurify */
 /** global: FileReader */
 /** global: RawDeflate */
 /** global: history */
@@ -1777,7 +1778,6 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
                    });
                    // let showdown convert the HTML and sanitize HTML *afterwards*!
                    $plainText.html(
-                        /** global: DOMPurify */
                        DOMPurify.sanitize(converter.makeHtml(text), {SAFE_FOR_JQUERY: true})
                    );
                    // add table classes from bootstrap css
@@ -1800,6 +1800,16 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
                    // convert URLs to clickable links
                    Helper.urls2links($plainText);
                    Helper.urls2links($prettyPrint);
+                    $plainText.html(
+                        DOMPurify.sanitize(
+                            $plainText.html(), {SAFE_FOR_JQUERY: true}
+                        )
+                    );
+                    $prettyPrint.html(
+                        DOMPurify.sanitize(
+                            $prettyPrint.html(), {SAFE_FOR_JQUERY: true}
+                        )
+                    );

                    $prettyPrint.css('white-space', 'pre-wrap');
                    $prettyPrint.css('word-break', 'normal');