Merge branch 'master' into qrcode

This commit is contained in:
El RIDO 2018-01-02 07:56:16 +01:00
commit 094a0c80db
No known key found for this signature in database
GPG key ID: 0F5C940A6BD81F92
8 changed files with 26 additions and 24 deletions

View file

@ -9,10 +9,10 @@ php:
# as this is a php project, node.js v4 (for JS unit testing) isn't installed # as this is a php project, node.js v4 (for JS unit testing) isn't installed
install: install:
- rm -rf ~/.nvm && git clone https://github.com/creationix/nvm.git ~/.nvm && (cd ~/.nvm && git checkout `git describe --abbrev=0 --tags`) && source ~/.nvm/nvm.sh && nvm install 4 - if [ ! -d "$HOME/.nvm" ]; then mkdir -p $HOME/.nvm && curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.33.8/install.sh | NVM_METHOD=script bash; fi
- source ~/.nvm/nvm.sh && nvm install 4
before_script: before_script:
- composer config -g github-oauth.github.com "$GITHUB_TOKEN"
- composer install -n - composer install -n
- npm install -g mocha - npm install -g mocha
- cd js - cd js
@ -27,3 +27,11 @@ after_script:
- cd .. - cd ..
- vendor/bin/codacycoverage clover tst/log/coverage-clover.xml - vendor/bin/codacycoverage clover tst/log/coverage-clover.xml
- vendor/bin/test-reporter --coverage-report tst/log/coverage-clover.xml - vendor/bin/test-reporter --coverage-report tst/log/coverage-clover.xml
cache:
directories:
- $HOME/.composer/cache/files
- $HOME/.composer/cache/vcs
- $HOME/.nvm
- $HOME/.npm
- js/node_modules

View file

@ -11,12 +11,6 @@
"source": "https://github.com/PrivateBin/PrivateBin", "source": "https://github.com/PrivateBin/PrivateBin",
"docs": "https://zerobin.dssr.ch/documentation/" "docs": "https://zerobin.dssr.ch/documentation/"
}, },
"repositories": [
{
"type": "vcs",
"url": "https://github.com/PrivateBin/PrivateBin"
}
],
"require": { "require": {
"php": "^5.4.0 || ^7.0", "php": "^5.4.0 || ^7.0",
"paragonie/random_compat": "2.0.4", "paragonie/random_compat": "2.0.4",

View file

@ -1701,7 +1701,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
} }
// set sanitized and linked text // set sanitized and linked text
var sanitizedLinkedText = DOMPurify.sanitize(Helper.urls2links(text), {SAFE_FOR_JQUERY: true}); var sanitizedLinkedText = DOMPurify.sanitize(Helper.urls2links(text));
$plainText.html(sanitizedLinkedText); $plainText.html(sanitizedLinkedText);
$prettyPrint.html(sanitizedLinkedText); $prettyPrint.html(sanitizedLinkedText);
@ -1714,7 +1714,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
}); });
// let showdown convert the HTML and sanitize HTML *afterwards*! // let showdown convert the HTML and sanitize HTML *afterwards*!
$plainText.html( $plainText.html(
DOMPurify.sanitize(converter.makeHtml(text), {SAFE_FOR_JQUERY: true}) DOMPurify.sanitize(converter.makeHtml(text))
); );
// add table classes from bootstrap css // add table classes from bootstrap css
$plainText.find('table').addClass('table-condensed table-bordered'); $plainText.find('table').addClass('table-condensed table-bordered');
@ -1728,8 +1728,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
$prettyPrint.html( $prettyPrint.html(
DOMPurify.sanitize( DOMPurify.sanitize(
prettyPrintOne(Helper.urls2links(text), null, true), prettyPrintOne(Helper.urls2links(text), null, true)
{SAFE_FOR_JQUERY: true}
) )
); );
// fall through, as the rest is the same // fall through, as the rest is the same
@ -1825,6 +1824,8 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
*/ */
me.setText = function(newText) me.setText = function(newText)
{ {
// escape HTML entities
newText = $('<div />').text(newText).html();
if (text !== newText) { if (text !== newText) {
text = newText; text = newText;
isChanged = true; isChanged = true;
@ -2224,8 +2225,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
// set & parse text // set & parse text
$commentEntryData.html( $commentEntryData.html(
DOMPurify.sanitize( DOMPurify.sanitize(
Helper.urls2links(commentText), Helper.urls2links(commentText)
{SAFE_FOR_JQUERY: true}
) )
); );
@ -2531,7 +2531,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
for (var i = 0; i < $head.length; i++) { for (var i = 0; i < $head.length; i++) {
newDoc.write($head[i].outerHTML); newDoc.write($head[i].outerHTML);
} }
newDoc.write('</head><body><pre>' + DOMPurify.sanitize(paste, {SAFE_FOR_JQUERY: true}) + '</pre></body></html>'); newDoc.write('</head><body><pre>' + DOMPurify.sanitize(paste) + '</pre></body></html>');
newDoc.close(); newDoc.close();
} }
@ -3961,10 +3961,11 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
// first load translations // first load translations
I18n.loadTranslations(); I18n.loadTranslations();
DOMPurify.setConfig({SAFE_FOR_JQUERY: true});
// initialize other modules/"classes" // initialize other modules/"classes"
Alert.init(); Alert.init();
Model.init(); Model.init();
AttachmentViewer.init(); AttachmentViewer.init();
DiscussionViewer.init(); DiscussionViewer.init();
Editor.init(); Editor.init();

1
js/purify-1.0.3.js Normal file

File diff suppressed because one or more lines are too long

2
js/purify.min.js vendored

File diff suppressed because one or more lines are too long

View file

@ -42,7 +42,7 @@ require('./prettify');
global.prettyPrint = window.PR.prettyPrint; global.prettyPrint = window.PR.prettyPrint;
global.prettyPrintOne = window.PR.prettyPrintOne; global.prettyPrintOne = window.PR.prettyPrintOne;
global.showdown = require('./showdown-1.6.1'); global.showdown = require('./showdown-1.6.1');
global.DOMPurify = require('./purify.min'); global.DOMPurify = require('./purify-1.0.3');
require('./bootstrap-3.3.7'); require('./bootstrap-3.3.7');
require('./privatebin'); require('./privatebin');
@ -1422,7 +1422,7 @@ describe('PasteViewer', function () {
results.push( results.push(
$('#placeholder').hasClass('hidden') && $('#placeholder').hasClass('hidden') &&
!$.PrivateBin.PasteViewer.isPrettyPrinted() && !$.PrivateBin.PasteViewer.isPrettyPrinted() &&
$.PrivateBin.PasteViewer.getText() == text $.PrivateBin.PasteViewer.getText() == $('<div />').text(text).html()
); );
if (format == 'markdown') { if (format == 'markdown') {
results.push( results.push(

View file

@ -71,11 +71,11 @@ endif;
if ($MARKDOWN): if ($MARKDOWN):
?> ?>
<script type="text/javascript" src="js/showdown-1.6.1.js" integrity="sha512-e6kAsBTgFnTBnEQXrq8BV6+XFwxb3kyWHeEPOl+KhxaWt3xImE2zAW2+yP3E2CQ7F9yoJl1poVU9qxkOEtVsTQ==" crossorigin="anonymous"></script> <script type="text/javascript" src="js/showdown-1.6.1.js" integrity="sha512-e6kAsBTgFnTBnEQXrq8BV6+XFwxb3kyWHeEPOl+KhxaWt3xImE2zAW2+yP3E2CQ7F9yoJl1poVU9qxkOEtVsTQ==" crossorigin="anonymous"></script>
<script type="text/javascript" src="js/purify.min.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-jJuy143F5Oy7oS3VkjzeJGBxIUuQ1H0eSjuvLGD3FiQzeu8Pwp5vI/jQ2dxlxSrzejmNMicdLHnIqH7R8Ft0lQ==" crossorigin="anonymous"></script> <script type="text/javascript" src="js/purify-1.0.3.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-uhzhZJSgc+XJoaxCOjiuRzQaf5klPlSSVKGw69+zT72hhfLbVwB4jbwI+f7NRucuRz6u0aFGMeZ+0PnGh73iBQ==" crossorigin="anonymous"></script>
<?php <?php
endif; endif;
?> ?>
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-PMr+homyzdcY7Cmh5XZCbU9Qmg3RjwGdpRk1jBuLyVJRMGPeKscsbklIceXssSVMdv4Y9+d2UNXykuDL7Z4fDg==" crossorigin="anonymous"></script> <script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-ongf6gpLgDPRVlBPaFlvxyDu3rCb1APhvzJLUFj9JuXCi6Zd0vqxt//vR8Zz3Ez9Fq+mw14HU8z52H7EjZewfA==" crossorigin="anonymous"></script>
<!--[if lt IE 10]> <!--[if lt IE 10]>
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style> <style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
<![endif]--> <![endif]-->

View file

@ -45,7 +45,7 @@ endif;
if ($MARKDOWN): if ($MARKDOWN):
?> ?>
<script type="text/javascript" src="js/showdown-1.6.1.js" integrity="sha512-e6kAsBTgFnTBnEQXrq8BV6+XFwxb3kyWHeEPOl+KhxaWt3xImE2zAW2+yP3E2CQ7F9yoJl1poVU9qxkOEtVsTQ==" crossorigin="anonymous"></script> <script type="text/javascript" src="js/showdown-1.6.1.js" integrity="sha512-e6kAsBTgFnTBnEQXrq8BV6+XFwxb3kyWHeEPOl+KhxaWt3xImE2zAW2+yP3E2CQ7F9yoJl1poVU9qxkOEtVsTQ==" crossorigin="anonymous"></script>
<script type="text/javascript" src="js/purify.min.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-jJuy143F5Oy7oS3VkjzeJGBxIUuQ1H0eSjuvLGD3FiQzeu8Pwp5vI/jQ2dxlxSrzejmNMicdLHnIqH7R8Ft0lQ==" crossorigin="anonymous"></script> <script type="text/javascript" src="js/purify-1.0.3.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-uhzhZJSgc+XJoaxCOjiuRzQaf5klPlSSVKGw69+zT72hhfLbVwB4jbwI+f7NRucuRz6u0aFGMeZ+0PnGh73iBQ==" crossorigin="anonymous"></script>
<?php <?php
endif; endif;
if ($QRCODE): if ($QRCODE):
@ -54,7 +54,7 @@ if ($QRCODE):
<?php <?php
endif; endif;
?> ?>
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-PMr+homyzdcY7Cmh5XZCbU9Qmg3RjwGdpRk1jBuLyVJRMGPeKscsbklIceXssSVMdv4Y9+d2UNXykuDL7Z4fDg==" crossorigin="anonymous"></script> <script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-ongf6gpLgDPRVlBPaFlvxyDu3rCb1APhvzJLUFj9JuXCi6Zd0vqxt//vR8Zz3Ez9Fq+mw14HU8z52H7EjZewfA==" crossorigin="anonymous"></script>
<!--[if lt IE 10]> <!--[if lt IE 10]>
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style> <style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
<![endif]--> <![endif]-->