diff --git a/js/privatebin.js b/js/privatebin.js
index 0adea3bb..3ce7fe91 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -189,6 +189,26 @@ jQuery.PrivateBin = (function($, RawDeflate) {
const Helper = (function () {
const me = {};
+ /**
+ * character to HTML entity lookup table
+ *
+ * @see {@link https://github.com/janl/mustache.js/blob/master/mustache.js#L60}
+ * @name Helper.entityMap
+ * @private
+ * @enum {Object}
+ * @readonly
+ */
+ var entityMap = {
+ '&': '&',
+ '<': '<',
+ '>': '>',
+ '"': '"',
+ "'": ''',
+ '/': '/',
+ '`': '`',
+ '=': '='
+ };
+
/**
* cache for script location
*
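Review bot: As rendered here every entityMap value is the same character as its key (`'&': '&'`, `'<': '<'`, …), which would make the lookup an identity mapping and the escaper built on it a no-op; this looks like the entity references being decoded in transit rather than the committed text, but it is worth confirming the file holds the encoded forms the referenced mustache.js table uses (`&amp;`, `&lt;`, `&gt;`, `&quot;`, `&#39;`, `&#x2F;`, `&#x60;`, `&#x3D;`). The table is also declared with `var` and annotated `@readonly`, while the surrounding lines use `const`; `const entityMap = Object.freeze({ … });` would make the declaration match both the annotation and the file's style. The enclosing Helper IIFE starts before this hunk.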
@@ -392,6 +412,22 @@ jQuery.PrivateBin = (function($, RawDeflate) {
return new Comment(data);
};
+ /**
+ * convert all applicable characters to HTML entities
+ *
+ * @see {@link https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content}
+ * @name Helper.htmlEntities
+ * @function
+ * @param {string} str
+ * @return {string} escaped HTML
+ */
+ me.htmlEntities = function(str) {
+ return String(str).replace(
+ /[&<>"'`=\/]/g, function(s) {
+ return entityMap[s];
+ });
+ }
+
/**
* resets state, used for unit testing
*
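Review bot: The closing brace of the `me.htmlEntities = function(str) { … }` assignment has no terminating semicolon, unlike the sibling assignment just above it that ends with `};`; since this is an expression statement rather than a declaration, the line should read `};` so it does not depend on ASI in front of whatever follows. The function itself escapes the eight characters the regex lists and returns `entityMap[s]` verbatim, so its output is only as correct as that table's values. The docblock cites OWASP rule #1 (HTML element content); a one-line note that this is not an escaper for JavaScript, URL or CSS contexts would help callers pick it correctly, e.g. `* Only safe for HTML element content and quoted attribute values; not for JS, URL or CSS contexts.` The enclosing Helper IIFE starts before this hunk.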
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index 08f28c0c..92becfcf 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -72,7 +72,7 @@ endif;
?>
-
+
diff --git a/tpl/page.php b/tpl/page.php
index 99c78d8f..1a799c59 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -50,7 +50,7 @@ endif;
?>
-
+