several changes:
- added tests for all 4 cases: output to string or into element vs first param contains link or not - cleaned up logic - skip HTML entity encoding only if we can ensure insertion to text node / when output to string, we always encode - DOMpurify sanitizes gopher, ws & wss links, which we previosly had tested for
This commit is contained in:
El RIDO
@@ -50,7 +50,7 @@ endif;
|
||||
?>
|
||||
<script type="text/javascript" data-cfasync="false" src="js/purify-2.0.7.js" integrity="sha512-XjNEK1xwh7SJ/7FouwV4VZcGW9cMySL3SwNpXgrURLBcXXQYtZdqhGoNdEwx9vwLvFjUGDQVNgpOrTsXlSTiQg==" crossorigin="anonymous"></script>
|
||||
<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script>
|
||||
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-NI8nepXnEpe180qcTGA7ndw76ybURZvHkXTEdgj8+lAPpiVeW3K76DcK2J1YhQSsMBA2olquoJKf7/DEJQE3DA==" crossorigin="anonymous"></script>
|
||||
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-s5eJk4kWlOK8dmXtEGUcWDKj97JAzHtTwFBU8U++rIdLNFBe7D669cec8JzEXWPiQNsHe4PLwshwqTOy/7yfyA==" crossorigin="anonymous"></script>
|
||||
<link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
|
||||
<link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" />
|
||||
<link rel="icon" type="image/png" href="img/favicon-16x16.png?<?php echo rawurlencode($VERSION); ?>" sizes="16x16" />
|
||||
|
||||
Reference in New Issue
Block a user