diff --git a/js/privatebin.js b/js/privatebin.js
index 5c0aeccb..7fab6076 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -453,11 +453,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
* @return string escaped HTML
*/
me.htmlEntities = function(str) {
- // using textarea, since other tags may allow and execute scripts, even when detached from DOM
- let holder = document.createElement('textarea');
- holder.textContent = str;
- // as per OWASP recommendation, also encoding quotes and slash
- return holder.innerHTML.replace(
+ return str.replace(
/["'\/]/g,
function(s) {
return {
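Review bot: After this change htmlEntities no longer encodes `&`, `<` or `>`: the removed textarea round-trip was what produced `&amp;`/`&lt;`/`&gt;`, and the regex `/["'\/]/g` kept on the new side matches only quotes and slash, so the result is not "escaped HTML" as the doc comment just above still claims. If any caller inserts the return value into markup this is an injection regression; if the intent is that callers now go through jQuery `.text()` and this helper only covers attribute quoting, the doc comment should say so explicitly. Otherwise extend the regex to `/[&<>"'\/]/g` and add `'&': '&amp;'`, `'<': '&lt;'`, `'>': '&gt;'` to the replacement map (a single-pass replace avoids double-encoding of `&`). The replacement map continues past the end of the hunk, so I cannot see whether it already holds those entries; with the current regex they would be unreachable anyway.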
@@ -629,10 +625,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
// if $element is given, apply text to element
if ($element !== null) {
- if (!containsLinks) {
- // avoid HTML entity encoding if translation contains links
- $element.text(output);
- } else {
+ if (containsLinks) {
// only allow tags/attributes we actually use in our translations
$element.html(
DOMPurify.sanitize(output, {
@@ -640,6 +633,9 @@ jQuery.PrivateBin = (function($, RawDeflate) {
ALLOWED_ATTR: ['href', 'id']
})
);
+ } else {
+ // avoid HTML entity encoding if translation contains no links
+ $element.text(output);
}
}
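Review bot: The comment on the new `else` branch, `// avoid HTML entity encoding if translation contains no links`, says the opposite of what `$element.text(output)` does: `.text()` inserts the string as a text node, so markup characters are shown literally, whereas the DOMPurify `.html()` path above is the one that lets (sanitized) markup through. Suggest `// no links: insert as plain text so any markup in the translation is shown literally, not rendered`. The branch swap itself, here and in the preceding hunk at line 625, is behaviour-preserving. The enclosing function starts outside the hunk.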
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index 0e949da6..03636d98 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -72,7 +72,7 @@ endif;
?>
-
+
diff --git a/tpl/page.php b/tpl/page.php
index ff2d5f50..760d991c 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -50,7 +50,7 @@ endif;
?>
-
+