dependabot[bot]
f71fd1be95
chore(deps): bump ws from 8.20.1 to 8.21.0 in /js
...
Bumps [ws](https://github.com/websockets/ws ) from 8.20.1 to 8.21.0.
- [Release notes](https://github.com/websockets/ws/releases )
- [Commits](https://github.com/websockets/ws/compare/8.20.1...8.21.0 )
---
updated-dependencies:
- dependency-name: ws
dependency-version: 8.21.0
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-07-11 08:25:54 +00:00
El RIDO
3035d6e5d3
incrementing version
2026-07-11 10:19:40 +02:00
El RIDO
a364596586
Merge branch 'master' into newtab-sanitize
2026-07-11 10:04:14 +02:00
Ribas160
233e3e2399
Merge remote-tracking branch 'upstream/master' into os-copy-hotkey
...
# Conflicts:
# i18n/zh.json
# lib/Configuration.php
2026-06-19 20:03:38 +03:00
Ribas160
2219039a0a
feat: add i18n keys for Cmd and Ctrl keyboard labels
2026-06-19 19:58:29 +03:00
rugk
13cbb2069e
style: fix line ending at JS file
2026-06-14 16:25:16 +02:00
rugk
7f1f40853e
fix: prevent browsers from rendering unsafe attachments like HTML in a new tab
...
We do not want to santitize them with DOMPurify, as an attached file should
be returned exactly as it has been attached by the creator. And sharing HTML files
is IMHO a legitimate use case.
However, opening these in a new tab can result in (JS) code execution.
Yet again, opening a "bigger" preview for some file types like images or videos
is also a valid use case, which also should not be broken. That's why this is not done
in alll cases, but some mime type filtering still exists.
I also looked into whether a blocklist (for HTML and SVG) would make sense, but really
you cannot possibly define an exhausive list of "unsafe" mime types: https://security.stackexchange.com/a/167853/91425
That's why I use a quite strict allowlist approach here.
I skimmed https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/MIME_types/Common_types
for what could be common use cases/mime types, people _may_ actually want to get
rendered and this is the result.
Thus I am quite confident this patch does not introduce such a big "breaking change"
(in UI behaviour), but people best do not notice it.
2026-06-13 22:01:35 +02:00
dependabot[bot]
406c274ed8
chore(deps): bump uuid and nyc in /js
...
Removes [uuid](https://github.com/uuidjs/uuid ). It's no longer used after updating ancestor dependency [nyc](https://github.com/istanbuljs/nyc ). These dependencies need to be updated together.
Removes `uuid`
Updates `nyc` from 17.1.0 to 18.0.0
- [Release notes](https://github.com/istanbuljs/nyc/releases )
- [Changelog](https://github.com/istanbuljs/nyc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/istanbuljs/nyc/compare/nyc-v17.1.0...nyc-v18.0.0 )
---
updated-dependencies:
- dependency-name: nyc
dependency-version: 18.0.0
dependency-type: direct:development
- dependency-name: uuid
dependency-version:
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-06-10 18:31:30 +00:00
Ribas160
5d946c52a7
feat: Show OS-specific copy hotkey hint
2026-05-27 00:28:32 +03:00
“Sebastian
11d62b6cd4
fix(a11y): focus modals on open and update privatebin.js SRI
...
- Load-confirm modal: focus primary action on show
- Email-confirm modal: focus UTC button on show (safer default)
- Update SRI for js/privatebin.js in Configuration.php
Fixes #1801
2026-05-22 16:33:14 -04:00
Ribas160
848d80a3b2
Merge remote-tracking branch 'upstream/master' into copy_button_is_hidden
...
# Conflicts:
# lib/Configuration.php
2026-05-21 13:01:29 +03:00
Mikhail Romanov
b75dfdea42
Format code, kudos @elrido
...
Co-authored-by: El RIDO <elrido@gmx.net>
2026-05-16 12:31:32 +03:00
Ribas160
23e718e137
Merge remote-tracking branch 'upstream/master' into bug_in_attachment_functionality
...
# Conflicts:
# lib/Configuration.php
2026-05-16 12:26:09 +03:00
Ribas160
ca23d88cd9
Merge remote-tracking branch 'upstream/master' into copy_button_is_hidden
...
# Conflicts:
# lib/Configuration.php
2026-05-16 12:22:20 +03:00
El RIDO
72c64dac2c
remove redundant array
...
redundant, since .map always returns an array
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/map#return_value
Co-authored-by: Mikhail Romanov <42250412+Ribas160@users.noreply.github.com>
2026-05-16 08:42:31 +02:00
Ribas160
6d1d8da4a4
fix: state corruption after removing attachment
2026-05-15 15:33:52 +03:00
Ribas160
5bbe713b9c
fix: move copy to clipboard button outside of prettymessage block
2026-05-15 13:28:34 +03:00
El RIDO
a4bad44334
update dev dependencies, address ESlint error
...
null coalescing operator is only available as of ES2020, if we make it an array an or might do
2026-05-14 14:43:51 +02:00
El RIDO
14c8b2fa25
fix syntaxhighlighting format, requires non-strict DOMpurify
...
the strict settings removed the pre-tags, lists, etc. that are used by the prettify library to format source code
2026-05-03 08:49:43 +02:00
El RIDO
89e80d419d
incrementing version
2026-05-03 08:10:16 +02:00
El RIDO
ebadfe43ec
chore: fix typo, update SRI hash and docs
2026-04-29 22:07:50 +02:00
El RIDO
fd7c352026
Merge branch 'master' into fix/openclaw-20260427
2026-04-29 21:52:39 +02:00
gittihub-jpg
88b7cd8e96
Update js/privatebin.js
...
Thanks, updated this to avoid relying on `Array.isArray()` for the `FileList` case and to always set `attachment_name` to an array.
Co-authored-by: Mikhail Romanov <42250412+Ribas160@users.noreply.github.com>
2026-04-29 10:04:22 +02:00
El RIDO
e24614169d
Merge branch 'master' into zlib-1.3.2
2026-04-29 07:09:23 +02:00
gittihub-jpg
8a7f7a60a5
fix: Bugs in the attachment functionality ( #1824 )
...
Fixes #1824
Generated by OpenClaw bounty agent.
Signed-off-by: gittihub-jpg <rico@springer-mail.net>
2026-04-28 16:33:05 +02:00
El RIDO
a455c962d5
update DOMpurify library from 3.4.0 to 3.4.1
2026-04-23 07:15:03 +02:00
El RIDO
67baf8cca4
update DOMpurify library from 3.3.2 to 3.4.0
2026-04-18 09:28:58 +02:00
El RIDO
fbfe87d993
avoid mjs for now, inject map, Buffer is node-only
2026-04-04 10:22:10 +02:00
El RIDO
91c9ebeccf
exclude generated ES6 module from ESlint
2026-04-03 18:42:32 +02:00
El RIDO
43a729b1f9
updating zlib to 1.3.2
2026-04-03 18:15:54 +02:00
dependabot[bot]
7eaa70ae31
chore(deps-dev): bump flatted from 3.3.3 to 3.4.2 in /js
...
Bumps [flatted](https://github.com/WebReflection/flatted ) from 3.3.3 to 3.4.2.
- [Commits](https://github.com/WebReflection/flatted/compare/v3.3.3...v3.4.2 )
---
updated-dependencies:
- dependency-name: flatted
dependency-version: 3.4.2
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-21 10:28:50 +00:00
El RIDO
604e61beaa
update DOMpurify library from 3.3.0 to 3.3.2
2026-03-07 09:00:06 +01:00
dependabot[bot]
7057c216fd
chore(deps): bump minimatch in /js
...
Bumps and [minimatch](https://github.com/isaacs/minimatch ). These dependencies needed to be updated together.
Updates `minimatch` from 3.1.2 to 3.1.5
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md )
- [Commits](https://github.com/isaacs/minimatch/compare/v3.1.2...v3.1.5 )
Updates `minimatch` from 9.0.6 to 9.0.9
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md )
- [Commits](https://github.com/isaacs/minimatch/compare/v3.1.2...v3.1.5 )
---
updated-dependencies:
- dependency-name: minimatch
dependency-version: 3.1.5
dependency-type: indirect
- dependency-name: minimatch
dependency-version: 9.0.9
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-02-28 04:28:46 +00:00
rugk
32ab4dade5
Merge pull request #1790 from PrivateBin/devcontainer/phpunit
...
fix(devcontainer): try making VSCode test extension work (PHPUnit/Mocha)
2026-02-25 09:50:27 +01:00
rugk
d874ea71a2
test: fix tests
2026-02-24 12:06:46 +00:00
rugk
1cc811644f
docs: improve JSDoc
2026-02-23 16:00:31 +00:00
rugk
5fd974e247
style: fix/remove trailing comma
2026-02-23 16:00:22 +00:00
rugk
30f80d055b
wipfix: fix JS syntax errors
2026-02-23 15:54:56 +00:00
rugk
5dab2392b9
Merge branch 'master' into xss/jsImprove
2026-02-23 16:48:21 +01:00
rugk
69e37c2c04
refactor: introduce purifyHtmlConfigStrictSubset
2026-02-23 16:45:31 +01:00
rugk
dcaa019599
refactor: use modern spread syntax for combining object
...
Given it's 2026 this really should be supported by all browsers now: https://caniuse.com/mdn-javascript_operators_spread,mdn-javascript_operators_spread_spread_in_arrays,mdn-javascript_operators_spread_spread_in_function_calls,mdn-javascript_operators_spread_spread_in_object_literals
2026-02-23 16:36:46 +01:00
rugk
7e506c7f83
refactor: drastically simplify JS "has HTML" extension again
...
Co-authored-by: El RIDO <elrido@gmx.net>
2026-02-23 16:31:13 +01:00
rugk
35a593723d
test: record/install mocha & nyc in package.json
2026-02-23 15:00:42 +00:00
Stephan Kristyn
5d22847ef1
ES6 Compat code broke everything. Reverting. E2E testing wth multiple files works
2026-02-12 13:48:49 +01:00
Stephan Kristyn
cfea0fb20e
Now leaving styling to customer if he wants the filename and filesize as a hyperlink or outside the hyperlink
2026-02-11 19:03:34 +01:00
Stephan Kristyn
755be747a6
Refactoring the way DOM element is created and styled. Now leaving styling to customer
2026-02-11 18:41:44 +01:00
Stephan Kristyn
9ab16674aa
Adding Bootstrap Classname to dynamically created child element
2026-02-10 18:22:17 +01:00
Stephan Kristyn
e2b4b8a7f8
Adding new DOM element, CSS and JS code
2026-02-10 14:36:03 +01:00
El RIDO
ec656a5456
credit Persian translation & enable use of Persian plurals
2026-02-06 19:15:02 +01:00
Ali Fani
6a0fd6fb44
Add Persian (fa) language support and update supported languages list
2026-02-06 11:23:14 +03:30