diff --git a/CHANGELOG.md b/CHANGELOG.md
index c62d0c75..b4ba347b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@
 * CHANGED: Using modal dialog to request password input instead of native JS input window (#69)
 * CHANGED: Suppressed referrer HTTP header sending when following links in a paste or comment (#96) and added additional HTTP headers for XSS mitigation (#91)
 * CHANGED: Updated random_compat and jQuery libraries
+ * FIXED: XSS using JavaScript stored as markdown formatted paste, after clicking on Raw paste button (#137)
 * FIXED: Automatic purging deleting non-expiring pastes, when using database store (#149)
 * **1.0 (2016-08-25)**
 * ADDED: Translations for Slowene and Chinese
diff --git a/js/privatebin.js b/js/privatebin.js
index 9971fcb7..587a8c96 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -295,6 +295,7 @@ $(function() {
 /**
 * Convert all applicable characters to HTML entities.
 * From: https://github.com/janl/mustache.js/blob/master/mustache.js#L60
+ * Also: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
 *
 * @param string str
 * @return string escaped HTML
@@ -1279,7 +1280,7 @@ $(function() {
 // we use text/html instead of text/plain to avoid a bug when
 // reloading the raw text view (it reverts to type text/html)
 var newDoc = document.open('text/html', 'replace');
- newDoc.write('
' + paste + '
');
+ newDoc.write('
' + helper.htmlEntities(paste) + '
');
 newDoc.close();
 },
diff --git a/tpl/bootstrap-compact.php b/tpl/bootstrap-compact.php
index 04afad3e..9d737515 100644
--- a/tpl/bootstrap-compact.php
+++ b/tpl/bootstrap-compact.php
@@ -52,7 +52,7 @@ if ($MARKDOWN): - +
diff --git a/tpl/bootstrap-dark-page.php b/tpl/bootstrap-dark-page.php
index fc86d65d..50c03ee4 100644
--- a/tpl/bootstrap-dark-page.php
+++ b/tpl/bootstrap-dark-page.php
@@ -52,7 +52,7 @@ if ($MARKDOWN): - +
diff --git a/tpl/bootstrap-dark.php b/tpl/bootstrap-dark.php
index 0036e2b1..eb5a6c41 100644
--- a/tpl/bootstrap-dark.php
+++ b/tpl/bootstrap-dark.php
@@ -53,7 +53,7 @@ if ($MARKDOWN): - +
diff --git a/tpl/bootstrap-page.php b/tpl/bootstrap-page.php
index 9e38b2cc..3ae0ed20 100644
--- a/tpl/bootstrap-page.php
+++ b/tpl/bootstrap-page.php
@@ -52,7 +52,7 @@ if ($MARKDOWN): - +
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index dea9d015..f26c4623 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -53,7 +53,7 @@ if ($MARKDOWN): - +
diff --git a/tpl/page.php b/tpl/page.php
index f98abe50..7e04a893 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -47,7 +47,7 @@ if ($MARKDOWN): - +
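Review bot: The new `newDoc.write(... helper.htmlEntities(paste) ...)` line is the only thing standing between attacker-controlled paste text and a `text/html` document, and nothing at the call site says so; the comment above it explains only why `text/html` is used instead of `text/plain`, so a later edit to that workaround could silently reintroduce #137. Add `// paste is untrusted and is written into a text/html document: it must stay HTML-escaped (#137)` directly above the write. The escape is sufficient for element content only if `helper.htmlEntities` encodes at least `&`, `<` and `>`; its doc comment in the earlier hunk says it is derived from the mustache.js escaper, which does, but that is worth pinning with a unit test such as asserting `helper.htmlEntities('<b>&')` returns `&lt;b&gt;&amp;`. The enclosing function starts before this hunk.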