applying HTML entity cleanup to raw paste, too, fixing #137
This commit is contained in:
parent
97cbcb0aab
commit
1badd5e542
8 changed files with 9 additions and 7 deletions
|
@ -6,6 +6,7 @@
|
|||
* CHANGED: Using modal dialog to request password input instead of native JS input window (#69)
|
||||
* CHANGED: Suppressed referrer HTTP header sending when following links in a paste or comment (#96) and added additional HTTP headers for XSS mitigation (#91)
|
||||
* CHANGED: Updated random_compat and jQuery libraries
|
||||
* FIXED: XSS using JavaScript stored as markdown formatted paste, after clicking on Raw paste button (#137)
|
||||
* FIXED: Automatic purging deleting non-expiring pastes, when using database store (#149)
|
||||
* **1.0 (2016-08-25)**
|
||||
* ADDED: Translations for Slowene and Chinese
|
||||
|
|
|
@ -295,6 +295,7 @@ $(function() {
|
|||
/**
|
||||
* Convert all applicable characters to HTML entities.
|
||||
* From: https://github.com/janl/mustache.js/blob/master/mustache.js#L60
|
||||
* Also: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
|
||||
*
|
||||
* @param string str
|
||||
* @return string escaped HTML
|
||||
|
@ -1279,7 +1280,7 @@ $(function() {
|
|||
// we use text/html instead of text/plain to avoid a bug when
|
||||
// reloading the raw text view (it reverts to type text/html)
|
||||
var newDoc = document.open('text/html', 'replace');
|
||||
newDoc.write('<pre>' + paste + '</pre>');
|
||||
newDoc.write('<pre>' + helper.htmlEntities(paste) + '</pre>');
|
||||
newDoc.close();
|
||||
},
|
||||
|
||||
|
|
|
@ -52,7 +52,7 @@ if ($MARKDOWN):
|
|||
<?php
|
||||
endif;
|
||||
?>
|
||||
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-V/iOsbg0tz5cbcOCtBOgY+uK/X92E8EQLlW6L7OYvzLSYOO1YfPVupEbYEWgOj9KllOLrIsN8Oe+MfBsnFSW2g==" crossorigin="anonymous"></script>
|
||||
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-gOFSXPHzQ7Unsv9bGNt4K7Gum2InVcyrwegr3NRJwDaqxz+2MTza6hVsnf9JOTojlouCA4HtzDSDwb2vGBJjoA==" crossorigin="anonymous"></script>
|
||||
<!--[if lt IE 10]>
|
||||
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
|
||||
<![endif]-->
|
||||
|
|
|
@ -52,7 +52,7 @@ if ($MARKDOWN):
|
|||
<?php
|
||||
endif;
|
||||
?>
|
||||
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-V/iOsbg0tz5cbcOCtBOgY+uK/X92E8EQLlW6L7OYvzLSYOO1YfPVupEbYEWgOj9KllOLrIsN8Oe+MfBsnFSW2g==" crossorigin="anonymous"></script>
|
||||
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-gOFSXPHzQ7Unsv9bGNt4K7Gum2InVcyrwegr3NRJwDaqxz+2MTza6hVsnf9JOTojlouCA4HtzDSDwb2vGBJjoA==" crossorigin="anonymous"></script>
|
||||
<!--[if lt IE 10]>
|
||||
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
|
||||
<![endif]-->
|
||||
|
|
|
@ -53,7 +53,7 @@ if ($MARKDOWN):
|
|||
<?php
|
||||
endif;
|
||||
?>
|
||||
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-V/iOsbg0tz5cbcOCtBOgY+uK/X92E8EQLlW6L7OYvzLSYOO1YfPVupEbYEWgOj9KllOLrIsN8Oe+MfBsnFSW2g==" crossorigin="anonymous"></script>
|
||||
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-gOFSXPHzQ7Unsv9bGNt4K7Gum2InVcyrwegr3NRJwDaqxz+2MTza6hVsnf9JOTojlouCA4HtzDSDwb2vGBJjoA==" crossorigin="anonymous"></script>
|
||||
<!--[if lt IE 10]>
|
||||
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
|
||||
<![endif]-->
|
||||
|
|
|
@ -52,7 +52,7 @@ if ($MARKDOWN):
|
|||
<?php
|
||||
endif;
|
||||
?>
|
||||
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-V/iOsbg0tz5cbcOCtBOgY+uK/X92E8EQLlW6L7OYvzLSYOO1YfPVupEbYEWgOj9KllOLrIsN8Oe+MfBsnFSW2g==" crossorigin="anonymous"></script>
|
||||
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-gOFSXPHzQ7Unsv9bGNt4K7Gum2InVcyrwegr3NRJwDaqxz+2MTza6hVsnf9JOTojlouCA4HtzDSDwb2vGBJjoA==" crossorigin="anonymous"></script>
|
||||
<!--[if lt IE 10]>
|
||||
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
|
||||
<![endif]-->
|
||||
|
|
|
@ -53,7 +53,7 @@ if ($MARKDOWN):
|
|||
<?php
|
||||
endif;
|
||||
?>
|
||||
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-V/iOsbg0tz5cbcOCtBOgY+uK/X92E8EQLlW6L7OYvzLSYOO1YfPVupEbYEWgOj9KllOLrIsN8Oe+MfBsnFSW2g==" crossorigin="anonymous"></script>
|
||||
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-gOFSXPHzQ7Unsv9bGNt4K7Gum2InVcyrwegr3NRJwDaqxz+2MTza6hVsnf9JOTojlouCA4HtzDSDwb2vGBJjoA==" crossorigin="anonymous"></script>
|
||||
<!--[if lt IE 10]>
|
||||
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
|
||||
<![endif]-->
|
||||
|
|
|
@ -47,7 +47,7 @@ if ($MARKDOWN):
|
|||
<?php
|
||||
endif;
|
||||
?>
|
||||
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-V/iOsbg0tz5cbcOCtBOgY+uK/X92E8EQLlW6L7OYvzLSYOO1YfPVupEbYEWgOj9KllOLrIsN8Oe+MfBsnFSW2g==" crossorigin="anonymous"></script>
|
||||
<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-gOFSXPHzQ7Unsv9bGNt4K7Gum2InVcyrwegr3NRJwDaqxz+2MTza6hVsnf9JOTojlouCA4HtzDSDwb2vGBJjoA==" crossorigin="anonymous"></script>
|
||||
<!--[if lt IE 10]>
|
||||
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
|
||||
<![endif]-->
|
||||
|
|
Loading…
Reference in a new issue