ensuring text is sanitized in all cases, before being injected into the DOM

js/privatebin.js

@@ -1766,8 +1766,9 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
             }
 
             // set text
-            Helper.setElementText($plainText, text);
-            Helper.setElementText($prettyPrint, text);
+            var sanitizedText = DOMPurify.sanitize(text, {SAFE_FOR_JQUERY: true})
+            Helper.setElementText($plainText, sanitizedText);
+            Helper.setElementText($prettyPrint, sanitizedText);
 
             switch (format) {
                 case 'markdown':
@@ -1792,7 +1793,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
 
                     $prettyPrint.html(
                         prettyPrintOne(
-                            Helper.htmlEntities(text), null, true
+                            Helper.htmlEntities(sanitizedText), null, true
                         )
                     );
                     // fall through, as the rest is the same
@@ -1800,16 +1801,6 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
                     // convert URLs to clickable links
                     Helper.urls2links($plainText);
                     Helper.urls2links($prettyPrint);
-                    $plainText.html(
-                        DOMPurify.sanitize(
-                            $plainText.html(), {SAFE_FOR_JQUERY: true}
-                        )
-                    );
-                    $prettyPrint.html(
-                        DOMPurify.sanitize(
-                            $prettyPrint.html(), {SAFE_FOR_JQUERY: true}
-                        )
-                    );
 
                     $prettyPrint.css('white-space', 'pre-wrap');
                     $prettyPrint.css('word-break', 'normal');

tpl/bootstrap.php

@@ -70,7 +70,7 @@ if ($MARKDOWN):
 <?php
 endif;
 ?>
-		<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-VEBWEPLKeJ5Lv0T67Nal1g4NxeoOf2nlE20rF3uOq8fpBb/bKLR9wPxcl8mTjEiA+GAEQv0s4Fh5iT8wee1Nbw==" crossorigin="anonymous"></script>
+		<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-asPypLWIpl03jZzFSOTfUuLsZ+DHVBrcGU0f9LeJrN/T33Al9q2+qt7V8nm6Ji88rUvYvnTp2/KgNgOSRJcQPw==" crossorigin="anonymous"></script>
 		<!--[if lt IE 10]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
 		<![endif]-->

tpl/page.php

@@ -48,7 +48,7 @@ if ($MARKDOWN):
 <?php
 endif;
 ?>
-		<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-VEBWEPLKeJ5Lv0T67Nal1g4NxeoOf2nlE20rF3uOq8fpBb/bKLR9wPxcl8mTjEiA+GAEQv0s4Fh5iT8wee1Nbw==" crossorigin="anonymous"></script>
+		<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-asPypLWIpl03jZzFSOTfUuLsZ+DHVBrcGU0f9LeJrN/T33Al9q2+qt7V8nm6Ji88rUvYvnTp2/KgNgOSRJcQPw==" crossorigin="anonymous"></script>
 		<!--[if lt IE 10]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
 		<![endif]-->