reverting escaping just for Markdown formatting, as discussed in #269

This commit is contained in:
El RIDO 2018-01-03 21:18:33 +01:00
parent a95701bba8
commit 5e070db6a1
No known key found for this signature in database
GPG Key ID: 0F5C940A6BD81F92
4 changed files with 9 additions and 8 deletions

View File

@ -1700,8 +1700,11 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
return; return;
} }
// set sanitized and linked text // escape HTML entities, link URLs, sanitize
var sanitizedLinkedText = DOMPurify.sanitize(Helper.urls2links(text)); var escapedLinkedText = Helper.urls2links(
$('<div />').text(text).html()
),
sanitizedLinkedText = DOMPurify.sanitize(escapedLinkedText);
$plainText.html(sanitizedLinkedText); $plainText.html(sanitizedLinkedText);
$prettyPrint.html(sanitizedLinkedText); $prettyPrint.html(sanitizedLinkedText);
@ -1728,7 +1731,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
$prettyPrint.html( $prettyPrint.html(
DOMPurify.sanitize( DOMPurify.sanitize(
prettyPrintOne(Helper.urls2links(text), null, true) prettyPrintOne(escapedLinkedText, null, true)
) )
); );
// fall through, as the rest is the same // fall through, as the rest is the same
@ -1824,8 +1827,6 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
*/ */
me.setText = function(newText) me.setText = function(newText)
{ {
// escape HTML entities
newText = $('<div />').text(newText).html();
if (text !== newText) { if (text !== newText) {
text = newText; text = newText;
isChanged = true; isChanged = true;

View File

@ -48,7 +48,7 @@ describe('PasteViewer', function () {
results.push( results.push(
$('#placeholder').hasClass('hidden') && $('#placeholder').hasClass('hidden') &&
!$.PrivateBin.PasteViewer.isPrettyPrinted() && !$.PrivateBin.PasteViewer.isPrettyPrinted() &&
$.PrivateBin.PasteViewer.getText() == $('<div />').text(text).html() $.PrivateBin.PasteViewer.getText() == text
); );
if (format == 'markdown') { if (format == 'markdown') {
results.push( results.push(

View File

@ -75,7 +75,7 @@ if ($MARKDOWN):
<?php <?php
endif; endif;
?> ?>
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-1BoGv9oPfrxI6QUHqWeW6bcbK2ix8Tya2dKrHupQk3vI1XgKcSmAJWchzQghRYhG9WFlTBW6jPJBDb9lTj+gSw==" crossorigin="anonymous"></script> <script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-hZ/15ddyjvqcUrVu7ItQWW+A+281IAX3gegeA0/Ms4ExYS8GB9yJ2ODQv/zWD6gC/eGAVLng6+nPed5mrlTK/w==" crossorigin="anonymous"></script>
<!--[if lt IE 10]> <!--[if lt IE 10]>
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style> <style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
<![endif]--> <![endif]-->

View File

@ -54,7 +54,7 @@ if ($QRCODE):
<?php <?php
endif; endif;
?> ?>
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-1BoGv9oPfrxI6QUHqWeW6bcbK2ix8Tya2dKrHupQk3vI1XgKcSmAJWchzQghRYhG9WFlTBW6jPJBDb9lTj+gSw==" crossorigin="anonymous"></script> <script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-hZ/15ddyjvqcUrVu7ItQWW+A+281IAX3gegeA0/Ms4ExYS8GB9yJ2ODQv/zWD6gC/eGAVLng6+nPed5mrlTK/w==" crossorigin="anonymous"></script>
<!--[if lt IE 10]> <!--[if lt IE 10]>
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style> <style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
<![endif]--> <![endif]-->