From c2a46b7af72bbbd921c9b7906b0186b40ef40920 Mon Sep 17 00:00:00 2001
From: rugk
Date: Tue, 22 Jan 2019 00:07:28 +0100
Subject: [PATCH] Make JS function more robust
---
 js/privatebin.js | 41 ++++++++++++++++++++++++++++++++++++-----
 tpl/bootstrap.php | 2 +-
 tpl/page.php | 2 +-
 3 files changed, 38 insertions(+), 7 deletions(-)
diff --git a/js/privatebin.js b/js/privatebin.js
index 08aea83b..cf747335 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -743,13 +743,44 @@ jQuery.PrivateBin = (function($, sjcl, Base64, RawDeflate) {
 */
 me.getPasteId = function()
 {
- if (id === null) {
- // Attention: This also returns the delete token inside of the ID, if it is specified
- id = (window.location.search.match(/[a-z0-9]{16}/) || [''])[0];
+ const idRegEx = /^[a-z0-9]{16}$/;
+ const idRegExFind = /[a-z0-9]{16}/;
 
- if (id === '') {
- throw 'no paste id given';
+ // return cached value
+ if (id !== null) {
+ return id;
+ }
+
+ // do use URL interface, if possible
+ if (window.URL && window.URL.prototype && ('searchParams' in window.URL.prototype)) {
+ try {
+ const url = new URL(window.location);
+
+ for (const param of url.searchParams) {
+ const key = param[0];
+ const value = param[1];
+
+ if (value === '' && idRegEx.test(key)) {
+ // safe, as the whole regex is matched
+ id = key;
+ return id;
+ }
+ }
+ } catch (e) {
+ // fallback below
+ console.error('URL interface not properly supported, error:', e);
 }
+ } else {
+ console.warn('URL interface appears not to be supported in this browser.');
+ }
+
+ // fallback to simple RegEx
+ console.warn('fallback to simple RegEx search');
+ // Attention: This also returns the delete token inside of the ID, if it is specified
+ id = (window.location.search.match(idRegExFind) || [''])[0];
+
+ if (id === '') {
+ throw 'no paste id given';
 }
 
 return id;
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index 64bebc4e..fdc1b51b 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -76,7 +76,7 @@ if ($MARKDOWN): endif; ?> - +
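Review bot: In js/privatebin.js, the anchored `idRegEx` test inside the `searchParams` loop of `me.getPasteId` does not limit what is accepted, because a query string the loop rejects still falls through to the unanchored `idRegExFind` match at the end of the hunk. With a working URL interface, any 16-character run of `[a-z0-9]` in `window.location.search` (per the retained comment, this can be part of a delete token) is therefore still returned as the paste ID, and `console.warn('fallback to simple RegEx search')` is logged for each such URL. I would reserve the loose match for the branches where the URL interface is missing or threw, for example with `let parsed = false;` at the top of the function, `parsed = true;` after the loop, and `if (parsed) { throw 'no paste id given'; }` ahead of the fallback. If IDs passed as a parameter value must keep working, match them in the loop against the anchored pattern instead. The function's closing line lies outside the hunk.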
diff --git a/tpl/page.php b/tpl/page.php
index 685a2073..8d87ea68 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -54,7 +54,7 @@ if ($MARKDOWN): endif; ?> - +