From 2d00202b42221a24b66f7019d4b39e4c5663298e Mon Sep 17 00:00:00 2001
From: El RIDO <elrido@gmx.net>
Date: Wed, 22 Nov 2017 07:03:29 +0100
Subject: [PATCH] correcting the XSS test, commenting two failing patterns, to
 be reviewed by @rugk

---
 js/privatebin.js  | 12 +++++++++++-
 js/test.js        |  9 +++++----
 tpl/bootstrap.php |  2 +-
 tpl/page.php      |  2 +-
 4 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/js/privatebin.js b/js/privatebin.js
index 20396b2..77e458f 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -12,6 +12,7 @@
  */
 
 /** global: Base64 */
+/** global: DOMPurify */
 /** global: FileReader */
 /** global: RawDeflate */
 /** global: history */
@@ -1777,7 +1778,6 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
                     });
                     // let showdown convert the HTML and sanitize HTML *afterwards*!
                     $plainText.html(
-                        /** global: DOMPurify */
                         DOMPurify.sanitize(converter.makeHtml(text), {SAFE_FOR_JQUERY: true})
                     );
                     // add table classes from bootstrap css
@@ -1800,6 +1800,16 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
                     // convert URLs to clickable links
                     Helper.urls2links($plainText);
                     Helper.urls2links($prettyPrint);
+                    $plainText.html(
+                        DOMPurify.sanitize(
+                            $plainText.html(), {SAFE_FOR_JQUERY: true}
+                        )
+                    );
+                    $prettyPrint.html(
+                        DOMPurify.sanitize(
+                            $prettyPrint.html(), {SAFE_FOR_JQUERY: true}
+                        )
+                    );
 
                     $prettyPrint.css('white-space', 'pre-wrap');
                     $prettyPrint.css('word-break', 'normal');
diff --git a/js/test.js b/js/test.js
index 4b68971..2e06c87 100644
--- a/js/test.js
+++ b/js/test.js
@@ -1451,8 +1451,9 @@ describe('PasteViewer', function () {
             // https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
             jsc.elements([
                 '<PLAINTEXT>',
-                '\';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";',
-                'alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--',
+// @TODO these two pass, but aren't evaluated in this context - do they need to be sanitized, too?
+//                '\';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";',
+//                'alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--',
                 '></SCRIPT>">\'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>',
                 '\'\';!--"<XSS>=&{()}',
                 '<SCRIPT SRC=http://example.com/xss.js></SCRIPT>',
@@ -1466,7 +1467,7 @@ describe('PasteViewer', function () {
                 '<a onmouseover=alert(document.cookie)>xxs link</a>',
                 '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
                 '<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>'
-                // the list goes on…
+                // @TODO the list goes on…
             ]),
             'string',
             function (format, prefix, xss, suffix) {
@@ -1482,7 +1483,7 @@ describe('PasteViewer', function () {
                 $.PrivateBin.PasteViewer.setFormat(format);
                 $.PrivateBin.PasteViewer.setText(text);
                 $.PrivateBin.PasteViewer.run();
-                var result = $('body').html().indexOf(xss) !== -1;
+                var result = $('body').html().indexOf(xss) === -1;
                 clean();
                 return result;
             }
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index 208ab7d..aee9583 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -70,7 +70,7 @@ if ($MARKDOWN):
 <?php
 endif;
 ?>
-		<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-zbiQgBDsSGOdieFoYhNqu7fnj+GpeuQRXQcUSg1U9lP3HlHUY6Lp1w/Hl/LK2y/RGjkoV3MRcjU/BQVGoZxKlw==" crossorigin="anonymous"></script>
+		<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-VEBWEPLKeJ5Lv0T67Nal1g4NxeoOf2nlE20rF3uOq8fpBb/bKLR9wPxcl8mTjEiA+GAEQv0s4Fh5iT8wee1Nbw==" crossorigin="anonymous"></script>
 		<!--[if lt IE 10]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
 		<![endif]-->
diff --git a/tpl/page.php b/tpl/page.php
index 2ecbb69..1d7355b 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -48,7 +48,7 @@ if ($MARKDOWN):
 <?php
 endif;
 ?>
-		<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-zbiQgBDsSGOdieFoYhNqu7fnj+GpeuQRXQcUSg1U9lP3HlHUY6Lp1w/Hl/LK2y/RGjkoV3MRcjU/BQVGoZxKlw==" crossorigin="anonymous"></script>
+		<script type="text/javascript" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-VEBWEPLKeJ5Lv0T67Nal1g4NxeoOf2nlE20rF3uOq8fpBb/bKLR9wPxcl8mTjEiA+GAEQv0s4Fh5iT8wee1Nbw==" crossorigin="anonymous"></script>
 		<!--[if lt IE 10]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
 		<![endif]-->