Merge ce06857d2c into a844c19386

2026-01-23 02:35:23 +00:00 · 2025-12-02 13:18:37 +08:00 · 2025-12-02 13:18:37 +08:00 · dfe07a80d6
commit dfe07a80d6
parent a844c19386 ce06857d2c
2 changed files with 15 additions and 12 deletions
--- a/js/privatebin.js
+++ b/js/privatebin.js
@ -812,12 +812,11 @@ jQuery.PrivateBin = (function($) {

            if (containsHtml) {
                // only allow tags/attributes we actually use in translations
-                output = DOMPurify.sanitize(
-                    output, {
+                const sanitizeConfig = Object.assign({}, purifyHtmlConfig, {
                        ALLOWED_TAGS: ['a', 'i', 'span', 'kbd'],
                        ALLOWED_ATTR: ['href', 'id']
-                    }
-                );
+                });
+                output = DOMPurify.sanitize(output, sanitizeConfig);
            }

            // if $element is given, insert translation
@ -963,13 +962,17 @@ jQuery.PrivateBin = (function($) {
         * @returns {boolean}
         */
        function isStringContainsHtml(messageId) {
-            // An integer which specifies the type of the node. An Element node like <p> or <div>.
-            const elementNodeType = 1;
-
-            const div = document.createElement('div');
-            div.innerHTML = messageId;
-
-            return Array.from(div.childNodes).some(node => node.nodeType === elementNodeType);
+            // Use DOMParser to parse the string as HTML. DOMParser does not
+            // execute scripts nor load external resources when parsing, making
+            // it safer against XSS.
+            try {
+                const doc = new DOMParser().parseFromString(String(messageId), 'text/html');
+                return Array.from(doc.body.childNodes).some(node => node.nodeType === Node.ELEMENT_NODE);
+            } catch (e) {
+                // If parsing fails for any reason, consider it not HTML to avoid
+                // treating arbitrary strings as markup.
+                return false;
+            }
        }

        return me;
--- a/lib/Configuration.php
+++ b/lib/Configuration.php
@ -122,7 +122,7 @@ class Configuration
            'js/kjua-0.10.0.js'      => 'sha512-BYj4xggowR7QD150VLSTRlzH62YPfhpIM+b/1EUEr7RQpdWAGKulxWnOvjFx1FUlba4m6ihpNYuQab51H6XlYg==',
            'js/legacy.js'           => 'sha512-rGXYUpIqbFoHAgBXZ0UlJBdNAIMOC9EQ67MG0X46D5uRB8LvwzgKirbSQRGdYfk8I2jsUcm+tvHXYboUnC6DUg==',
            'js/prettify.js'         => 'sha512-puO0Ogy++IoA2Pb9IjSxV1n4+kQkKXYAEUtVzfZpQepyDPyXk8hokiYDS7ybMogYlyyEIwMLpZqVhCkARQWLMg==',
-            'js/privatebin.js'       => 'sha512-ZwoUDxBdEE+zNoGqr9o7X7CJYS4JStEeNvcOnhz69YVbXjiibNoYSY7i3vc6MLI3M/K1K6sIUmSFm8sjoUdF5Q==',
+            'js/privatebin.js'       => 'sha512-lR/UzD67Pbg9nHDxDHxXktRKbXTQ96bDucbzbc0ELOLGzJHBqv1Qih+Aw+blBlAxXAdjuJDf9ch+R4m+i5bsQg==',
            'js/purify-3.3.0.js'     => 'sha512-lsHD5zxs4lu/NDzaaibe27Vd2t7Cy9JQ3qDHUvDfb4oZvKoWDNEhwUY+4bT3R68cGgpgCYp8U1x2ifeVxqurdQ==',
            'js/showdown-2.1.0.js'   => 'sha512-WYXZgkTR0u/Y9SVIA4nTTOih0kXMEd8RRV6MLFdL6YU8ymhR528NLlYQt1nlJQbYz4EW+ZsS0fx1awhiQJme1Q==',
            'js/zlib-1.3.1-1.js'     => 'sha512-5bU9IIP4PgBrOKLZvGWJD4kgfQrkTz8Z3Iqeu058mbQzW3mCumOU6M3UVbVZU9rrVoVwaW4cZK8U8h5xjF88eQ==',