From 0d08edbe559e677bc5d47c7a67106ac1bc4564a3 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Sat, 18 Jan 2020 07:30:01 +0100 Subject: [PATCH] Revert "getting rid of htmlEntities (except for tests)" a0740ff79f9076ec7fa4d80bdfb32337a7136482 --- js/privatebin.js | 36 ++++++++++++++++++++++++++++++++++++ tpl/bootstrap.php | 2 +- tpl/page.php | 2 +- 3 files changed, 38 insertions(+), 2 deletions(-) diff --git a/js/privatebin.js b/js/privatebin.js index 0adea3bb..3ce7fe91 100644 --- a/js/privatebin.js +++ b/js/privatebin.js @@ -189,6 +189,26 @@ jQuery.PrivateBin = (function($, RawDeflate) { const Helper = (function () { const me = {}; + /** + * character to HTML entity lookup table + * + * @see {@link https://github.com/janl/mustache.js/blob/master/mustache.js#L60} + * @name Helper.entityMap + * @private + * @enum {Object} + * @readonly + */ + var entityMap = { + '&': '&', + '<': '<', + '>': '>', + '"': '"', + "'": ''', + '/': '/', + '`': '`', + '=': '=' + }; + /** * cache for script location * @@ -392,6 +412,22 @@ jQuery.PrivateBin = (function($, RawDeflate) { return new Comment(data); }; + /** + * convert all applicable characters to HTML entities + * + * @see {@link https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content} + * @name Helper.htmlEntities + * @function + * @param {string} str + * @return {string} escaped HTML + */ + me.htmlEntities = function(str) { + return String(str).replace( + /[&<>"'`=\/]/g, function(s) { + return entityMap[s]; + }); + } + /** * resets state, used for unit testing * diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php index 08f28c0c..92becfcf 100644 --- a/tpl/bootstrap.php +++ b/tpl/bootstrap.php @@ -72,7 +72,7 @@ endif; ?> - + diff --git a/tpl/page.php b/tpl/page.php index 99c78d8f..1a799c59 100644 --- a/tpl/page.php +++ b/tpl/page.php @@ -50,7 +50,7 @@ endif; ?> - +