IMHO, the GitHub process nowadays provides a sleek workflow and is better than sending mails back-and-forth.
It's okay for me to leave that way open (especially if reporters really want to report high sensitive stuff and e.g. PGP-encrypt them), but I guess we should slightly suggest/favor the GitHub form for ease of maintenance.
@elrido what do you think?
Object.create(null) objects don't inherit hasOwnProperty, so the direct
call throws. Use the safe form instead.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The merge of master into js/removeJQuery incorrectly kept old jsverify
code in the Keyboard shortcut hint tests instead of the fast-check
versions from this branch. Also updates the copy-document DOM fixture
to match the current CopyToClipboard.init() which binds #copyShortcutHintBtn.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Object.create(null) ensures keys like '__proto__', 'constructor', and
'toString' are stored and retrieved as plain string keys rather than
shadowing Object prototype properties.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Remove defensive checks that are guaranteed by jsdom-global (window and
document are always set), the jQuery alias for PrivateBin (unused after
jQuery removal), and the conditional re-export block.
The module reload (delete require.cache + re-require) is intentional and
necessary: modules like CopyToClipboard hold DOM element references in
closure variables and schedule setTimeout callbacks. Without a reload,
those callbacks fire against elements from a now-dead jsdom window after
cleanup(), causing cross-test interference. Document this clearly.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ServerInteraction: window.crypto is read-only in jsdom; use
Object.defineProperty (matching the pattern in CryptTool tests).
Also install Buffer-based atob/btoa overrides (common.atob/btoa) to
avoid jsdom's strict btoa rejecting binary ciphertext bytes.
PasteViewer: the 'displays text according to format' test was already
correct — the real fix was clearing 'prettyprinted' in parsePaste().
No test change needed beyond the fix in privatebin.js.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
prettyPrint() adds the 'prettyprinted' marker class to signal it has
processed the element. When the viewer is re-used (e.g. clone flow or
same-page re-render) and the format changes away from syntaxhighlighting,
parsePaste() was removing 'prettyprint' (the styling class) but not
'prettyprinted' (the processed marker), leaving isPrettyPrinted()
returning true stale. This also caused the PasteViewer fast-check test
to fail across iterations when syntaxhighlighting ran before plaintext.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
DOMPurify can strip the href from anchors created by the URL regex
(e.g. script-injection attempts), leaving <a> elements with no href
attribute. getAttribute('href') returns null in that case; the previous
.match() call on null crashed with TypeError.
jQuery's .attr('href') returned undefined and .match() was never
called, so the bug was silently hidden.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>