arno
/
privatebin
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Revert "Try to move sanitisation & links into setElementText"

Browse Source 
This reverts commit 8d2e19f791.
pull/258/head
rugk 7 years ago
parent 8d2e19f791
commit 56f4ee5c20
No known key found for this signature in database
GPG Key ID: 05D40A636AFAB34D
2 changed files with 96 additions and 83 deletions
Show Stats Download Patch File Download Diff File

139
js/privatebin.js
Unescape View File

@ -44,43 +44,33 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
var me = {}; var me = {};
/** /**
* cache for script location * character to HTML entity lookup table
* *
* @name Helper.baseUri * @see {@link https://github.com/janl/mustache.js/blob/master/mustache.js#L60}
* @name Helper.entityMap
* @private * @private
* @enum {string|null} * @enum {Object}
* @readonly
*/ */
var baseUri = null; var entityMap = {
'&': '&',
'<': '&lt;',
'>': '&gt;',
'"': '&quot;',
"'": '&#39;',
'/': '&#x2F;',
'`': '&#x60;',
'=': '&#x3D;'
};
/** /**
* convert URLs to clickable links. * cache for script location
* URLs to handle:
* <pre>
* magnet:?xt.1=urn:sha1:YNCKHTQCWBTRNJIV4WNAE52SJUQCZO5C&xt.2=urn:sha1:TXGCZQTH26NL6OUQAJJPFALHG2LTGBC7
* http://example.com:8800/zero/?6f09182b8ea51997#WtLEUO5Epj9UHAV9JFs+6pUQZp13TuspAUjnF+iM+dM=
* http://user:example.com@localhost:8800/zero/?6f09182b8ea51997#WtLEUO5Epj9UHAV9JFs+6pUQZp13TuspAUjnF+iM+dM=
* </pre>
* Attention: Does *not* sanitize HTML code! It is strongly advised to sanitize it after running this function.
*
* *
* @name Helper.urls2links * @name Helper.baseUri
* @function * @private
* @param {String} html - HTML code * @enum {string|null}
*/ */
urls2links = function(html) var baseUri = null;
{
var markup = '<a href="$1" rel="nofollow">$1</a>';
// short test: https://regex101.com/r/AttfVd/1
html.replace(
/((http|https|ftp):\/\/[\w?=&.\/-;#@~%+*-]+(?![\w\s?&.\/;#~%"=-]*>))/ig,
markup
)
// shorttest: https://regex101.com/r/sCm8Xe/2
html.replace(
/((magnet):[\w?=&.\/-;#@~%+*-]+)/ig,
markup
);
}
/** /**
* converts a duration (in seconds) into human friendly approximation * converts a duration (in seconds) into human friendly approximation
@ -145,38 +135,55 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
} }
/** /**
* set text of a jQuery element (required for IE) * set text of a jQuery element (required for IE),
* *
* @name Helper.setElementText * @name Helper.setElementText
* @function * @function
* @param {jQuery} $element - a jQuery element * @param {jQuery} $element - a jQuery element
* @param {string} text - the text to enter * @param {string} text - the text to enter
* @param {bool} convertLinks - whether to convert the links in the text
*/ */
me.setElementText = function($element, text, convertLinks) me.setElementText = function($element, text)
{ {
var isIe = $('#oldienotice').is(':visible'); // For IE<10: Doesn't support white-space:pre-wrap; so we have to do this...
// text-only and no IE -> fast way: set text-only if ($('#oldienotice').is(':visible')) {
if ((convertLinks === false) && isIe === false) { var html = me.htmlEntities(text).replace(/\n/ig, '\r\n<br>');
return $element.text(text); $element.html('<pre>' + html + '</pre>');
} }
// for other (sane) browsers:
// convert text to plain-text else
// but as we need to handle HTML code afterwards {
var html = $(text).text(); $element.text(text);
if (convertLinks === true) {
html = me.urls2links(html);
}
// workaround: IE<10 doesn't support white-space:pre-wrap; so we have to do this...
if (isIe) {
html = html.replace(/\n/ig, '\r\n<br>');
} }
}
// finally sanitize it for security (XSS) reasons /**
html = me.sanitizeHtml(text); * convert URLs to clickable links.
$element.html(html); * URLs to handle:
* <pre>
* magnet:?xt.1=urn:sha1:YNCKHTQCWBTRNJIV4WNAE52SJUQCZO5C&xt.2=urn:sha1:TXGCZQTH26NL6OUQAJJPFALHG2LTGBC7
* http://example.com:8800/zero/?6f09182b8ea51997#WtLEUO5Epj9UHAV9JFs+6pUQZp13TuspAUjnF+iM+dM=
* http://user:example.com@localhost:8800/zero/?6f09182b8ea51997#WtLEUO5Epj9UHAV9JFs+6pUQZp13TuspAUjnF+iM+dM=
* </pre>
*
* @name Helper.urls2links
* @function
* @param {Object} $element - a jQuery DOM element
*/
me.urls2links = function($element)
{
var markup = '<a href="$1" rel="nofollow">$1</a>';
$element.html(
$element.html().replace(
/((http|https|ftp):\/\/[\w?=&.\/-;#@~%+*-]+(?![\w\s?&.\/;#~%"=-]*>))/ig,
markup
)
);
$element.html(
$element.html().replace(
/((magnet):[\w?=&.\/-;#@~%+*-]+)/ig,
markup
)
);
} }
/** /**
@ -263,17 +270,19 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
} }
/** /**
* sanitizes html code to prevent XSS attacks * convert all applicable characters to HTML entities
* *
* Now uses DOMPurify instead of some self-made stuff for security reasons. * @see {@link https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content}
* * @name Helper.htmlEntities
* @name Helper.sanitizeHtml
* @function * @function
* @param {string} str * @param {string} str
* @return {string} escaped HTML * @return {string} escaped HTML
*/ */
me.sanitizeHtml = function(str) { me.htmlEntities = function(str) {
return DOMPurify.sanitize(str, {SAFE_FOR_JQUERY: true}); return String(str).replace(
/[&<>"'`=\/]/g, function(s) {
return entityMap[s];
});
} }
/** /**
@ -1757,8 +1766,9 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
} }
// set text // set text
Helper.setElementText($plainText, text, false); var sanitizedText = DOMPurify.sanitize(text, {SAFE_FOR_JQUERY: true})
Helper.setElementText($prettyPrint, text, true); Helper.setElementText($plainText, sanitizedText);
Helper.setElementText($prettyPrint, sanitizedText);
switch (format) { switch (format) {
case 'markdown': case 'markdown':
@ -1783,12 +1793,15 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
$prettyPrint.html( $prettyPrint.html(
prettyPrintOne( prettyPrintOne(
Helper.sanitizeHtml(text), null, true Helper.htmlEntities(sanitizedText), null, true
) )
); );
// fall through, as the rest is the same // fall through, as the rest is the same
default: // = 'plaintext' default: // = 'plaintext'
// adjust CSS so it looks good // convert URLs to clickable links
Helper.urls2links($plainText);
Helper.urls2links($prettyPrint);
$prettyPrint.css('white-space', 'pre-wrap'); $prettyPrint.css('white-space', 'pre-wrap');
$prettyPrint.css('word-break', 'normal'); $prettyPrint.css('word-break', 'normal');
$prettyPrint.removeClass('prettyprint'); $prettyPrint.removeClass('prettyprint');
@ -2581,7 +2594,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
for (var i = 0; i < $head.length; i++) { for (var i = 0; i < $head.length; i++) {
newDoc.write($head[i].outerHTML); newDoc.write($head[i].outerHTML);
} }
newDoc.write('</head><body><pre>' + Helper.sanitizeHtml(paste) + '</pre></body></html>'); newDoc.write('</head><body><pre>' + Helper.htmlEntities(paste) + '</pre></body></html>');
newDoc.close(); newDoc.close();
} }

40
js/test.js
Unescape View File

@ -93,7 +93,7 @@ describe('Helper', function () {
var html = '', var html = '',
result = true; result = true;
ids.forEach(function(item, i) { ids.forEach(function(item, i) {
html += '<div id="' + item.join('') + '">' + $.PrivateBin.Helper.sanitizeHtml(contents[i] || contents[0]) + '</div>'; html += '<div id="' + item.join('') + '">' + $.PrivateBin.Helper.htmlEntities(contents[i] || contents[0]) + '</div>';
}); });
var clean = jsdom(html); var clean = jsdom(html);
ids.forEach(function(item, i) { ids.forEach(function(item, i) {
@ -122,7 +122,7 @@ describe('Helper', function () {
var html = '', var html = '',
result = true; result = true;
ids.forEach(function(item, i) { ids.forEach(function(item, i) {
html += '<div id="' + item.join('') + '">' + $.PrivateBin.Helper.sanitizeHtml(contents[i] || contents[0]) + '</div>'; html += '<div id="' + item.join('') + '">' + $.PrivateBin.Helper.htmlEntities(contents[i] || contents[0]) + '</div>';
}); });
var elements = $('<body />').html(html); var elements = $('<body />').html(html);
ids.forEach(function(item, i) { ids.forEach(function(item, i) {
@ -163,9 +163,9 @@ describe('Helper', function () {
var query = query.join(''), var query = query.join(''),
fragment = fragment.join(''), fragment = fragment.join(''),
url = schema + '://' + address.join('') + '/?' + query + '#' + fragment, url = schema + '://' + address.join('') + '/?' + query + '#' + fragment,
prefix = $.PrivateBin.Helper.sanitizeHtml(prefix), prefix = $.PrivateBin.Helper.htmlEntities(prefix),
postfix = ' ' + $.PrivateBin.Helper.sanitizeHtml(postfix), postfix = ' ' + $.PrivateBin.Helper.htmlEntities(postfix),
element = '<div>' + prefix + url + postfix + '</div>'; element = $('<div>' + prefix + url + postfix + '</div>');
// special cases: When the query string and fragment imply the beginning of an HTML entity, eg. &#0 or &#x // special cases: When the query string and fragment imply the beginning of an HTML entity, eg. &#0 or &#x
if ( if (
@ -175,11 +175,11 @@ describe('Helper', function () {
{ {
url = schema + '://' + address.join('') + '/?' + query.substring(0, query.length - 1); url = schema + '://' + address.join('') + '/?' + query.substring(0, query.length - 1);
postfix = ''; postfix = '';
element = '<div>' + prefix + url + '</div>'; element = $('<div>' + prefix + url + '</div>');
} }
$.PrivateBin.Helper.urls2links(element); $.PrivateBin.Helper.urls2links(element);
return element.html() === '<div>' + prefix + '<a href="' + url + '" rel="nofollow">' + url + '</a>' + postfix + '</div>'; return element.html() === $('<div>' + prefix + '<a href="' + url + '" rel="nofollow">' + url + '</a>' + postfix + '</div>').html();
} }
); );
jsc.property( jsc.property(
@ -189,8 +189,8 @@ describe('Helper', function () {
'string', 'string',
function (prefix, query, postfix) { function (prefix, query, postfix) {
var url = 'magnet:?' + query.join('').replace(/^&+|&+$/gm,''), var url = 'magnet:?' + query.join('').replace(/^&+|&+$/gm,''),
prefix = $.PrivateBin.Helper.sanitizeHtml(prefix), prefix = $.PrivateBin.Helper.htmlEntities(prefix),
postfix = $.PrivateBin.Helper.sanitizeHtml(postfix), postfix = $.PrivateBin.Helper.htmlEntities(postfix),
element = $('<div>' + prefix + url + ' ' + postfix + '</div>'); element = $('<div>' + prefix + url + ' ' + postfix + '</div>');
$.PrivateBin.Helper.urls2links(element); $.PrivateBin.Helper.urls2links(element);
return element.html() === $('<div>' + prefix + '<a href="' + url + '" rel="nofollow">' + url + '</a> ' + postfix + '</div>').html(); return element.html() === $('<div>' + prefix + '<a href="' + url + '" rel="nofollow">' + url + '</a> ' + postfix + '</div>').html();
@ -329,7 +329,7 @@ describe('Helper', function () {
); );
}); });
describe('sanitizeHtml', function () { describe('htmlEntities', function () {
after(function () { after(function () {
cleanup(); cleanup();
}); });
@ -338,7 +338,7 @@ describe('Helper', function () {
'removes all HTML entities from any given string', 'removes all HTML entities from any given string',
'string', 'string',
function (string) { function (string) {
var result = $.PrivateBin.Helper.sanitizeHtml(string); var result = $.PrivateBin.Helper.htmlEntities(string);
return !(/[<>"'`=\/]/.test(result)) && !(string.indexOf('&') > -1 && !(/&amp;/.test(result))); return !(/[<>"'`=\/]/.test(result)) && !(string.indexOf('&') > -1 && !(/&amp;/.test(result)));
} }
); );
@ -583,8 +583,8 @@ describe('Model', function () {
'string', 'string',
'small nat', 'small nat',
function (keys, value, key) { function (keys, value, key) {
keys = keys.map($.PrivateBin.Helper.sanitizeHtml); keys = keys.map($.PrivateBin.Helper.htmlEntities);
value = $.PrivateBin.Helper.sanitizeHtml(value); value = $.PrivateBin.Helper.htmlEntities(value);
var content = keys.length > key ? keys[key] : (keys.length > 0 ? keys[0] : 'null'), var content = keys.length > key ? keys[key] : (keys.length > 0 ? keys[0] : 'null'),
contents = '<select id="pasteExpiration" name="pasteExpiration">'; contents = '<select id="pasteExpiration" name="pasteExpiration">';
keys.forEach(function(item) { keys.forEach(function(item) {
@ -596,7 +596,7 @@ describe('Model', function () {
}); });
contents += '</select>'; contents += '</select>';
$('body').html(contents); $('body').html(contents);
var result = $.PrivateBin.Helper.sanitizeHtml( var result = $.PrivateBin.Helper.htmlEntities(
$.PrivateBin.Model.getExpirationDefault() $.PrivateBin.Model.getExpirationDefault()
); );
$.PrivateBin.Model.reset(); $.PrivateBin.Model.reset();
@ -617,8 +617,8 @@ describe('Model', function () {
'string', 'string',
'small nat', 'small nat',
function (keys, value, key) { function (keys, value, key) {
keys = keys.map($.PrivateBin.Helper.sanitizeHtml); keys = keys.map($.PrivateBin.Helper.htmlEntities);
value = $.PrivateBin.Helper.sanitizeHtml(value); value = $.PrivateBin.Helper.htmlEntities(value);
var content = keys.length > key ? keys[key] : (keys.length > 0 ? keys[0] : 'null'), var content = keys.length > key ? keys[key] : (keys.length > 0 ? keys[0] : 'null'),
contents = '<select id="pasteFormatter" name="pasteFormatter">'; contents = '<select id="pasteFormatter" name="pasteFormatter">';
keys.forEach(function(item) { keys.forEach(function(item) {
@ -630,7 +630,7 @@ describe('Model', function () {
}); });
contents += '</select>'; contents += '</select>';
$('body').html(contents); $('body').html(contents);
var result = $.PrivateBin.Helper.sanitizeHtml( var result = $.PrivateBin.Helper.htmlEntities(
$.PrivateBin.Model.getFormatDefault() $.PrivateBin.Model.getFormatDefault()
); );
$.PrivateBin.Model.reset(); $.PrivateBin.Model.reset();
@ -649,7 +649,7 @@ describe('Model', function () {
'checks if the element with id "cipherdata" contains any data', 'checks if the element with id "cipherdata" contains any data',
'asciistring', 'asciistring',
function (value) { function (value) {
value = $.PrivateBin.Helper.sanitizeHtml(value).trim(); value = $.PrivateBin.Helper.htmlEntities(value).trim();
$('body').html('<div id="cipherdata">' + value + '</div>'); $('body').html('<div id="cipherdata">' + value + '</div>');
$.PrivateBin.Model.init(); $.PrivateBin.Model.init();
var result = $.PrivateBin.Model.hasCipherData(); var result = $.PrivateBin.Model.hasCipherData();
@ -669,10 +669,10 @@ describe('Model', function () {
'returns the contents of the element with id "cipherdata"', 'returns the contents of the element with id "cipherdata"',
'asciistring', 'asciistring',
function (value) { function (value) {
value = $.PrivateBin.Helper.sanitizeHtml(value).trim(); value = $.PrivateBin.Helper.htmlEntities(value).trim();
$('body').html('<div id="cipherdata">' + value + '</div>'); $('body').html('<div id="cipherdata">' + value + '</div>');
$.PrivateBin.Model.init(); $.PrivateBin.Model.init();
var result = $.PrivateBin.Helper.sanitizeHtml( var result = $.PrivateBin.Helper.htmlEntities(
$.PrivateBin.Model.getCipherData() $.PrivateBin.Model.getCipherData()
); );
$.PrivateBin.Model.reset(); $.PrivateBin.Model.reset();

Write Preview
Loading…
Cancel
Save