From 14b68af5284b3888bf274d6433cb0b9f6ee37d2e Mon Sep 17 00:00:00 2001 From: Ribas160 Date: Mon, 10 Nov 2025 17:59:18 +0200 Subject: [PATCH 1/4] Insert drag and drop file names as a text, not html --- js/privatebin.js | 7 +++++-- lib/Configuration.php | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/js/privatebin.js b/js/privatebin.js index 9bbc39bc..ffb02d1b 100644 --- a/js/privatebin.js +++ b/js/privatebin.js @@ -3086,10 +3086,13 @@ jQuery.PrivateBin = (function($) { * @name AttachmentViewer.printDragAndDropFileNames * @private * @function - * @param {array} fileNames + * @param {string[]} fileNames */ function printDragAndDropFileNames(fileNames) { - $dragAndDropFileNames.html(fileNames.join('
')); + $dragAndDropFileNames.empty(); + fileNames.forEach(fileName => { + $('
').text(fileName).appendTo($dragAndDropFileNames); + }); } /** diff --git a/lib/Configuration.php b/lib/Configuration.php index 6ad8c546..b1655ba4 100644 --- a/lib/Configuration.php +++ b/lib/Configuration.php @@ -121,7 +121,7 @@ class Configuration 'js/kjua-0.10.0.js' => 'sha512-BYj4xggowR7QD150VLSTRlzH62YPfhpIM+b/1EUEr7RQpdWAGKulxWnOvjFx1FUlba4m6ihpNYuQab51H6XlYg==', 'js/legacy.js' => 'sha512-rGXYUpIqbFoHAgBXZ0UlJBdNAIMOC9EQ67MG0X46D5uRB8LvwzgKirbSQRGdYfk8I2jsUcm+tvHXYboUnC6DUg==', 'js/prettify.js' => 'sha512-puO0Ogy++IoA2Pb9IjSxV1n4+kQkKXYAEUtVzfZpQepyDPyXk8hokiYDS7ybMogYlyyEIwMLpZqVhCkARQWLMg==', - 'js/privatebin.js' => 'sha512-C9Mc6qgEHhaMKC+VzN7Hp8C77HVm8cD5N/AMlP6qkaYj/QLZ0HdtYfOMWrXNn9i83MbqkRD//DnM7bHHEixzIg==', + 'js/privatebin.js' => 'sha512-L2R5jtnyDjqMnUPKNjjoal2LO5fl/OcLtChaj6pQKkmbK97HUt9EcbuSpbnnyjPDhZCtG0CF4wkCQ4xAk8x2Ag==', 'js/purify-3.3.0.js' => 'sha512-lsHD5zxs4lu/NDzaaibe27Vd2t7Cy9JQ3qDHUvDfb4oZvKoWDNEhwUY+4bT3R68cGgpgCYp8U1x2ifeVxqurdQ==', 'js/showdown-2.1.0.js' => 'sha512-WYXZgkTR0u/Y9SVIA4nTTOih0kXMEd8RRV6MLFdL6YU8ymhR528NLlYQt1nlJQbYz4EW+ZsS0fx1awhiQJme1Q==', 'js/zlib-1.3.1-1.js' => 'sha512-5bU9IIP4PgBrOKLZvGWJD4kgfQrkTz8Z3Iqeu058mbQzW3mCumOU6M3UVbVZU9rrVoVwaW4cZK8U8h5xjF88eQ==', From 9c71fbcc705d8f7d2d326582a555872aefdf720d Mon Sep 17 00:00:00 2001 From: Ribas160 Date: Tue, 11 Nov 2025 17:45:27 +0200 Subject: [PATCH 2/4] Use pure JavaScript to create a div element --- js/privatebin.js | 4 +++- lib/Configuration.php | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/js/privatebin.js b/js/privatebin.js index ffb02d1b..4071399d 100644 --- a/js/privatebin.js +++ b/js/privatebin.js @@ -3091,7 +3091,9 @@ jQuery.PrivateBin = (function($) { function printDragAndDropFileNames(fileNames) { $dragAndDropFileNames.empty(); fileNames.forEach(fileName => { - $('
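Review bot: The new body of `printDragAndDropFileNames` never states why the names go through `.text()` instead of being joined into markup, and that rationale is the entire fix; without it the next "simplification" back to a `join` reintroduces the injection. Suggest a why-comment directly above the `forEach`: `// File names are taken from the drop event and chosen by whoever produced the file, not by us: insert them as text, never as HTML.` The `@param {string[]}` tightening is good; a matching `@returns {void}` would complete the JSDoc. The function itself is whole within the hunk, but the enclosing `AttachmentViewer` scope starts and ends outside it.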
').text(fileName).appendTo($dragAndDropFileNames); + const div = document.createElement('div'); + div.textContent = fileName; + $(div).appendTo($dragAndDropFileNames); }); } diff --git a/lib/Configuration.php b/lib/Configuration.php index b1655ba4..a4909b37 100644 --- a/lib/Configuration.php +++ b/lib/Configuration.php @@ -121,7 +121,7 @@ class Configuration 'js/kjua-0.10.0.js' => 'sha512-BYj4xggowR7QD150VLSTRlzH62YPfhpIM+b/1EUEr7RQpdWAGKulxWnOvjFx1FUlba4m6ihpNYuQab51H6XlYg==', 'js/legacy.js' => 'sha512-rGXYUpIqbFoHAgBXZ0UlJBdNAIMOC9EQ67MG0X46D5uRB8LvwzgKirbSQRGdYfk8I2jsUcm+tvHXYboUnC6DUg==', 'js/prettify.js' => 'sha512-puO0Ogy++IoA2Pb9IjSxV1n4+kQkKXYAEUtVzfZpQepyDPyXk8hokiYDS7ybMogYlyyEIwMLpZqVhCkARQWLMg==', - 'js/privatebin.js' => 'sha512-L2R5jtnyDjqMnUPKNjjoal2LO5fl/OcLtChaj6pQKkmbK97HUt9EcbuSpbnnyjPDhZCtG0CF4wkCQ4xAk8x2Ag==', + 'js/privatebin.js' => 'sha512-9z0y4LGbucj4HvTPYdPewBnijDUsPsDz8zDoQdjn2+pUw6P1OzhLe0EMtySeks4tp2AyuB0mQo1JBgJgKJxAOA==', 'js/purify-3.3.0.js' => 'sha512-lsHD5zxs4lu/NDzaaibe27Vd2t7Cy9JQ3qDHUvDfb4oZvKoWDNEhwUY+4bT3R68cGgpgCYp8U1x2ifeVxqurdQ==', 'js/showdown-2.1.0.js' => 'sha512-WYXZgkTR0u/Y9SVIA4nTTOih0kXMEd8RRV6MLFdL6YU8ymhR528NLlYQt1nlJQbYz4EW+ZsS0fx1awhiQJme1Q==', 'js/zlib-1.3.1-1.js' => 'sha512-5bU9IIP4PgBrOKLZvGWJD4kgfQrkTz8Z3Iqeu058mbQzW3mCumOU6M3UVbVZU9rrVoVwaW4cZK8U8h5xjF88eQ==', From ff5aee85b47be07881399214c457816288500d7b Mon Sep 17 00:00:00 2001 From: Mikhail Romanov <42250412+Ribas160@users.noreply.github.com> Date: Tue, 11 Nov 2025 20:05:32 +0200 Subject: [PATCH 3/4] Insert file names as break-separated text nodes Co-authored-by: El RIDO --- js/privatebin.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/js/privatebin.js b/js/privatebin.js index 4071399d..d798f908 100644 --- a/js/privatebin.js +++ b/js/privatebin.js 
@@ -3091,9 +3091,9 @@ jQuery.PrivateBin = (function($) {
 function printDragAndDropFileNames(fileNames) {
 $dragAndDropFileNames.empty();
 fileNames.forEach(fileName => {
- const div = document.createElement('div');
- div.textContent = fileName;
- $(div).appendTo($dragAndDropFileNames);
+ const name = document.createTextNode(fileName);
+ $dragAndDropFileNames[0].appendChild(name);
+ $dragAndDropFileNames[0].appendChild(document.createElement('br'));
 });
 }
From 08b324431426e053e8c5c35e9f660f60e13f0d9a Mon Sep 17 00:00:00 2001
From: Ribas160
Date: Tue, 11 Nov 2025 20:13:10 +0200
Subject: [PATCH 4/4] privatebin.js SRI and CHANGELOG.md updated
---
 CHANGELOG.md | 1 +
 lib/Configuration.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6c368725..f1707038 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,7 @@
 # PrivateBin version history
 ## 2.0.3 (not yet released)
+* FIXED: Malicious filename can be used for self-XSS / HTML injection locally for users
 ## 2.0.2 (2025-10-28)
 * CHANGED: Upgrading libraries to: DOMpurify 3.3.0
diff --git a/lib/Configuration.php b/lib/Configuration.php
index a4909b37..ee72c43b 100644
--- a/lib/Configuration.php
+++ b/lib/Configuration.php
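Review bot: The two `$dragAndDropFileNames[0].appendChild(...)` lines dereference the first element of the jQuery set, so if the container is missing from the page this now throws a TypeError, whereas both the preceding `.empty()` and the original `.html(...)` are silent no-ops on an empty set; if the template always provides the element this is only defensive, but it is a behaviour change the commit does not mention. jQuery's `.append()` accepts DOM nodes and inserts them without any HTML parsing, so the same text-node approach can be kept with the old no-op semantics in one line: `$dragAndDropFileNames.append(document.createTextNode(fileName), document.createElement('br'));`. Note also that the loop emits a `<br>` after the last name, which the old `join('<br>')` did not; that is presentational only, but worth a comment if intended. The text-node insertion itself is the right sink for untrusted names; whether other places that render attachment names take the same route is outside this diff and worth a quick check.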
@@ -121,7 +121,7 @@ class Configuration
 'js/kjua-0.10.0.js' => 'sha512-BYj4xggowR7QD150VLSTRlzH62YPfhpIM+b/1EUEr7RQpdWAGKulxWnOvjFx1FUlba4m6ihpNYuQab51H6XlYg==',
 'js/legacy.js' => 'sha512-rGXYUpIqbFoHAgBXZ0UlJBdNAIMOC9EQ67MG0X46D5uRB8LvwzgKirbSQRGdYfk8I2jsUcm+tvHXYboUnC6DUg==',
 'js/prettify.js' => 'sha512-puO0Ogy++IoA2Pb9IjSxV1n4+kQkKXYAEUtVzfZpQepyDPyXk8hokiYDS7ybMogYlyyEIwMLpZqVhCkARQWLMg==',
- 'js/privatebin.js' => 'sha512-9z0y4LGbucj4HvTPYdPewBnijDUsPsDz8zDoQdjn2+pUw6P1OzhLe0EMtySeks4tp2AyuB0mQo1JBgJgKJxAOA==',
+ 'js/privatebin.js' => 'sha512-D2cmzY2Ol+RvUvN7g6gGCYRE3CIksHOg0B/ejbYgplDA2c3CHG1l81nvChTgXWCP4+uK2N5fMoRKzwUMjEjnSA==',
 'js/purify-3.3.0.js' => 'sha512-lsHD5zxs4lu/NDzaaibe27Vd2t7Cy9JQ3qDHUvDfb4oZvKoWDNEhwUY+4bT3R68cGgpgCYp8U1x2ifeVxqurdQ==',
 'js/showdown-2.1.0.js' => 'sha512-WYXZgkTR0u/Y9SVIA4nTTOih0kXMEd8RRV6MLFdL6YU8ymhR528NLlYQt1nlJQbYz4EW+ZsS0fx1awhiQJme1Q==',
 'js/zlib-1.3.1-1.js' => 'sha512-5bU9IIP4PgBrOKLZvGWJD4kgfQrkTz8Z3Iqeu058mbQzW3mCumOU6M3UVbVZU9rrVoVwaW4cZK8U8h5xjF88eQ==',