From cec5cb41d7093a2937098029c7228c781bc26ebe Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Sat, 18 Jan 2020 07:20:05 +0100
Subject: [PATCH] Partial revert "Do not double-encode HTML in i18n", only revert the removal of required encoding logic - still has to be moved

This reverts commit 01414e43ca22a8b0e7a2689f72552baf688dd310.
---
 js/privatebin.js | 8 +++++++-
 tpl/bootstrap.php | 2 +-
 tpl/page.php | 2 +-
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/js/privatebin.js b/js/privatebin.js
index 975b2123..0adea3bb 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -614,8 +614,14 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 args[0] = translations[messageId];
 }
- // messageID may contain links, but only the first parameter, as that is from a trusted source (code or translation JSON files)
+ // messageID may contain links, but should be from a trusted source (code or translation JSON files)
 let containsLinks = args[0].indexOf(' 0) may never contain HTML as they may come from untrusted parties
+ if (i > 0 || containsNoLinks) {
+ args[i] = Helper.htmlEntities(args[i]);
+ }
+ }
 // format string
 let output = Helper.sprintf.apply(this, args);
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index f7c19536..08f28c0c 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -72,7 +72,7 @@ endif; ?>
-
+
diff --git a/tpl/page.php b/tpl/page.php
index 55f5f785..99c78d8f 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -50,7 +50,7 @@ endif; ?>
-
+
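Review bot: The added condition in the js/privatebin.js hunk tests `containsNoLinks`, but the only binding visible in the hunk is `let containsLinks = args[0].indexOf(...)`; unless a `containsNoLinks` binding sits in the stretch of this hunk lost to extraction (everything between `indexOf('` and `0) may never`), the `i === 0` iteration throws a ReferenceError before any message is formatted, and the intent the new comment states (encode args[0] only when it carries no links) matches `if (i > 0 || !containsLinks) {`. The loop header and the `<a` probe did not survive extraction either, so the loop bounds cannot be checked here. The split is the security-relevant part of the change: every parameter always goes through `Helper.htmlEntities`, while args[0] is emitted unescaped whenever it contains a link, so the trust boundary rests on the translation JSON files and on call sites never building a message id from user-supplied text; a comment on the `let containsLinks` line such as `// args[0] is emitted unescaped when it contains a link: message ids must never be derived from user input` would make that assumption visible to the next maintainer. The enclosing translate function starts and ends outside the hunk.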