yetangitu/PrivateBin
1
0
Fork 0
mirror of https://github.com/PrivateBin/PrivateBin.git synced 2025-10-03 09:49:14 +02:00
Code Issues Projects Releases Packages Wiki Activity

applying HTML entity cleanup to raw paste, too, fixing #137

Browse source
This commit is contained in:
El RIDO 2016-12-25 13:04:06 +01:00
parent 97cbcb0aab
commit 1badd5e542
No known key found for this signature in database
GPG key ID: 0F5C940A6BD81F92
8 changed files with 9 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

3
js/privatebin.js
View file

@ -295,6 +295,7 @@ $(function() {
/**
* Convert all applicable characters to HTML entities.
* From: https://github.com/janl/mustache.js/blob/master/mustache.js#L60
* Also: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
*
* @param string str
* @return string escaped HTML
@ -1279,7 +1280,7 @@ $(function() {
// we use text/html instead of text/plain to avoid a bug when
// reloading the raw text view (it reverts to type text/html)
var newDoc = document.open('text/html', 'replace');
newDoc.write('<pre>' + paste + '</pre>');
newDoc.write('<pre>' + helper.htmlEntities(paste) + '</pre>');
newDoc.close();
},