applying HTML entity cleanup to raw paste, too, fixing #137

This commit is contained in:
El RIDO 2016-12-25 13:04:06 +01:00
parent 97cbcb0aab
commit 1badd5e542
No known key found for this signature in database
GPG key ID: 0F5C940A6BD81F92
8 changed files with 9 additions and 7 deletions

View file

@ -6,6 +6,7 @@
* CHANGED: Using modal dialog to request password input instead of native JS input window (#69)
* CHANGED: Suppressed referrer HTTP header sending when following links in a paste or comment (#96) and added additional HTTP headers for XSS mitigation (#91)
* CHANGED: Updated random_compat and jQuery libraries
* FIXED: XSS using JavaScript stored as markdown formatted paste, after clicking on Raw paste button (#137)
* FIXED: Automatic purging deleting non-expiring pastes, when using database store (#149)
* **1.0 (2016-08-25)**
* ADDED: Translations for Slowene and Chinese

View file

@ -295,6 +295,7 @@ $(function() {
/**
* Convert all applicable characters to HTML entities.
* From: https://github.com/janl/mustache.js/blob/master/mustache.js#L60
* Also: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
*
* @param string str
* @return string escaped HTML
@ -1279,7 +1280,7 @@ $(function() {
// we use text/html instead of text/plain to avoid a bug when
// reloading the raw text view (it reverts to type text/html)
var newDoc = document.open('text/html', 'replace');
newDoc.write('<pre>' + paste + '</pre>');
newDoc.write('<pre>' + helper.htmlEntities(paste) + '</pre>');
newDoc.close();
},

View file

@ -52,7 +52,7 @@ if ($MARKDOWN):
<?php
endif;
?>
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-V/iOsbg0tz5cbcOCtBOgY+uK/X92E8EQLlW6L7OYvzLSYOO1YfPVupEbYEWgOj9KllOLrIsN8Oe+MfBsnFSW2g==" crossorigin="anonymous"></script>
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-gOFSXPHzQ7Unsv9bGNt4K7Gum2InVcyrwegr3NRJwDaqxz+2MTza6hVsnf9JOTojlouCA4HtzDSDwb2vGBJjoA==" crossorigin="anonymous"></script>
<!--[if lt IE 10]>
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
<![endif]-->

View file

@ -52,7 +52,7 @@ if ($MARKDOWN):
<?php
endif;
?>
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-V/iOsbg0tz5cbcOCtBOgY+uK/X92E8EQLlW6L7OYvzLSYOO1YfPVupEbYEWgOj9KllOLrIsN8Oe+MfBsnFSW2g==" crossorigin="anonymous"></script>
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-gOFSXPHzQ7Unsv9bGNt4K7Gum2InVcyrwegr3NRJwDaqxz+2MTza6hVsnf9JOTojlouCA4HtzDSDwb2vGBJjoA==" crossorigin="anonymous"></script>
<!--[if lt IE 10]>
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
<![endif]-->

View file

@ -53,7 +53,7 @@ if ($MARKDOWN):
<?php
endif;
?>
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-V/iOsbg0tz5cbcOCtBOgY+uK/X92E8EQLlW6L7OYvzLSYOO1YfPVupEbYEWgOj9KllOLrIsN8Oe+MfBsnFSW2g==" crossorigin="anonymous"></script>
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-gOFSXPHzQ7Unsv9bGNt4K7Gum2InVcyrwegr3NRJwDaqxz+2MTza6hVsnf9JOTojlouCA4HtzDSDwb2vGBJjoA==" crossorigin="anonymous"></script>
<!--[if lt IE 10]>
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
<![endif]-->

View file

@ -52,7 +52,7 @@ if ($MARKDOWN):
<?php
endif;
?>
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-V/iOsbg0tz5cbcOCtBOgY+uK/X92E8EQLlW6L7OYvzLSYOO1YfPVupEbYEWgOj9KllOLrIsN8Oe+MfBsnFSW2g==" crossorigin="anonymous"></script>
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-gOFSXPHzQ7Unsv9bGNt4K7Gum2InVcyrwegr3NRJwDaqxz+2MTza6hVsnf9JOTojlouCA4HtzDSDwb2vGBJjoA==" crossorigin="anonymous"></script>
<!--[if lt IE 10]>
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
<![endif]-->

View file

@ -53,7 +53,7 @@ if ($MARKDOWN):
<?php
endif;
?>
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-V/iOsbg0tz5cbcOCtBOgY+uK/X92E8EQLlW6L7OYvzLSYOO1YfPVupEbYEWgOj9KllOLrIsN8Oe+MfBsnFSW2g==" crossorigin="anonymous"></script>
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-gOFSXPHzQ7Unsv9bGNt4K7Gum2InVcyrwegr3NRJwDaqxz+2MTza6hVsnf9JOTojlouCA4HtzDSDwb2vGBJjoA==" crossorigin="anonymous"></script>
<!--[if lt IE 10]>
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
<![endif]-->

View file

@ -47,7 +47,7 @@ if ($MARKDOWN):
<?php
endif;
?>
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-V/iOsbg0tz5cbcOCtBOgY+uK/X92E8EQLlW6L7OYvzLSYOO1YfPVupEbYEWgOj9KllOLrIsN8Oe+MfBsnFSW2g==" crossorigin="anonymous"></script>
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-gOFSXPHzQ7Unsv9bGNt4K7Gum2InVcyrwegr3NRJwDaqxz+2MTza6hVsnf9JOTojlouCA4HtzDSDwb2vGBJjoA==" crossorigin="anonymous"></script>
<!--[if lt IE 10]>
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
<![endif]-->