add HTML entity encoding to PHP translation logic, remove exception to allow <br/> tags in DOMpurify by eliminating the single case that made use of it

2020-02-01 08:46:59 +01:00
parent 428ea2f34e
commit cc0920fc09
21 changed files with 47 additions and 38 deletions
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -645,7 +645,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
                // only allow tags/attributes we actually use in translations
                output = DOMPurify.sanitize(
                    output, {
-                        ALLOWED_TAGS: ['a', 'br', 'i', 'span'],
+                        ALLOWED_TAGS: ['a', 'i', 'span'],
                        ALLOWED_ATTR: ['href', 'id']
                    }
                );