From eb549d70d1477411f28f00720a035a81a1ca9f48 Mon Sep 17 00:00:00 2001 From: rugk Date: Wed, 15 Jan 2020 17:52:51 +0100 Subject: [PATCH] Invert conatainsLink logic --- js/privatebin.js | 14 +++++--------- tpl/bootstrap.php | 2 +- tpl/page.php | 2 +- 3 files changed, 7 insertions(+), 11 deletions(-) diff --git a/js/privatebin.js b/js/privatebin.js index 5c0aeccb..7fab6076 100644 --- a/js/privatebin.js +++ b/js/privatebin.js @@ -453,11 +453,7 @@ jQuery.PrivateBin = (function($, RawDeflate) { * @return string escaped HTML */ me.htmlEntities = function(str) { - // using textarea, since other tags may allow and execute scripts, even when detached from DOM - let holder = document.createElement('textarea'); - holder.textContent = str; - // as per OWASP recommendation, also encoding quotes and slash - return holder.innerHTML.replace( + return str.replace( /["'\/]/g, function(s) { return { @@ -629,10 +625,7 @@ jQuery.PrivateBin = (function($, RawDeflate) { // if $element is given, apply text to element if ($element !== null) { - if (!containsLinks) { - // avoid HTML entity encoding if translation contains links - $element.text(output); - } else { + if (containsLinks) { // only allow tags/attributes we actually use in our translations $element.html( DOMPurify.sanitize(output, { @@ -640,6 +633,9 @@ jQuery.PrivateBin = (function($, RawDeflate) { ALLOWED_ATTR: ['href', 'id'] }) ); + } else { + // avoid HTML entity encoding if translation contains no links + $element.text(output); } } diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php index 0e949da6..03636d98 100644 --- a/tpl/bootstrap.php +++ b/tpl/bootstrap.php @@ -72,7 +72,7 @@ endif; ?> - + diff --git a/tpl/page.php b/tpl/page.php index ff2d5f50..760d991c 100644 --- a/tpl/page.php +++ b/tpl/page.php @@ -50,7 +50,7 @@ endif; ?> - +