Sanitize HTML code

using DOMPurify v1.0.2 Fixes https://github.com/PrivateBin/PrivateBin/issues/183
2017-11-21 21:22:51 +01:00
parent bccb349226
commit b6d7d56774
4 changed files with 8 additions and 3 deletions
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -1761,8 +1761,9 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
                        tables: true,
                        tablesHeaderId: true
                    });
+                    // let showdown convert the HTML and sanitize HTML *afterwards*!
                    $plainText.html(
-                        converter.makeHtml(text)
+                        DOMPurify.sanitize(converter.makeHtml(text), {SAFE_FOR_JQUERY: true})
                    );
                    // add table classes from bootstrap css
                    $plainText.find('table').addClass('table-condensed table-bordered');
--- a/js/purify.min.js
+++ b/js/purify.min.js