Commit graph

257 commits

Author SHA1 Message Date
rugk
13cbb2069e style: fix line ending at JS file 2026-06-14 16:25:16 +02:00
rugk
7f1f40853e fix: prevent browsers from rendering unsafe attachments like HTML in a new tab
We do not want to santitize them with DOMPurify, as an attached file should
be returned exactly as it has been attached by the creator. And sharing HTML files
is IMHO a legitimate use case.

However, opening these in a new tab can result in (JS) code execution.
Yet again, opening a "bigger" preview for some file types like images or videos
is also a valid use case, which also should not be broken. That's why this is not done
in alll cases, but some mime type filtering still exists.

I also looked into whether a blocklist (for HTML and SVG) would make sense, but really
you cannot possibly define an exhausive list of "unsafe" mime types: https://security.stackexchange.com/a/167853/91425

That's why I use a quite strict allowlist approach here.
I skimmed https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/MIME_types/Common_types
for what could be common use cases/mime types, people _may_ actually want to get
rendered and this is the result.

Thus I am quite confident this patch does not introduce such a big "breaking change"
(in UI behaviour), but people best do not notice it.
2026-06-13 22:01:35 +02:00
“Sebastian
11d62b6cd4 fix(a11y): focus modals on open and update privatebin.js SRI
- Load-confirm modal: focus primary action on show
- Email-confirm modal: focus UTC button on show (safer default)
- Update SRI for js/privatebin.js in Configuration.php

Fixes #1801
2026-05-22 16:33:14 -04:00
Ribas160
848d80a3b2
Merge remote-tracking branch 'upstream/master' into copy_button_is_hidden
# Conflicts:
#	lib/Configuration.php
2026-05-21 13:01:29 +03:00
Ribas160
abab1e9ec7
chore: update SRI 2026-05-16 12:35:32 +03:00
Ribas160
23e718e137
Merge remote-tracking branch 'upstream/master' into bug_in_attachment_functionality
# Conflicts:
#	lib/Configuration.php
2026-05-16 12:26:09 +03:00
Ribas160
ca23d88cd9
Merge remote-tracking branch 'upstream/master' into copy_button_is_hidden
# Conflicts:
#	lib/Configuration.php
2026-05-16 12:22:20 +03:00
El RIDO
72c64dac2c
remove redundant array
redundant, since .map always returns an array

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/map#return_value

Co-authored-by: Mikhail Romanov <42250412+Ribas160@users.noreply.github.com>
2026-05-16 08:42:31 +02:00
Ribas160
6d1d8da4a4
fix: state corruption after removing attachment 2026-05-15 15:33:52 +03:00
Ribas160
5bbe713b9c
fix: move copy to clipboard button outside of prettymessage block 2026-05-15 13:28:34 +03:00
El RIDO
a4bad44334
update dev dependencies, address ESlint error
null coalescing operator is only available as of ES2020, if we make it an array an or might do
2026-05-14 14:43:51 +02:00
El RIDO
14c8b2fa25
fix syntaxhighlighting format, requires non-strict DOMpurify
the strict settings removed the pre-tags, lists, etc. that are used by the prettify library to format source code
2026-05-03 08:49:43 +02:00
El RIDO
ebadfe43ec
chore: fix typo, update SRI hash and docs 2026-04-29 22:07:50 +02:00
El RIDO
e24614169d
Merge branch 'master' into zlib-1.3.2 2026-04-29 07:09:23 +02:00
El RIDO
a455c962d5
update DOMpurify library from 3.4.0 to 3.4.1 2026-04-23 07:15:03 +02:00
El RIDO
67baf8cca4
update DOMpurify library from 3.3.2 to 3.4.0 2026-04-18 09:28:58 +02:00
El RIDO
fbfe87d993
avoid mjs for now, inject map, Buffer is node-only 2026-04-04 10:22:10 +02:00
El RIDO
43a729b1f9
updating zlib to 1.3.2 2026-04-03 18:15:54 +02:00
El RIDO
604e61beaa
update DOMpurify library from 3.3.0 to 3.3.2 2026-03-07 09:00:06 +01:00
rugk
1cc811644f docs: improve JSDoc 2026-02-23 16:00:31 +00:00
rugk
30f80d055b wipfix: fix JS syntax errors 2026-02-23 15:54:56 +00:00
rugk
5dab2392b9
Merge branch 'master' into xss/jsImprove 2026-02-23 16:48:21 +01:00
Stephan Kristyn
5d22847ef1 ES6 Compat code broke everything. Reverting. E2E testing wth multiple files works 2026-02-12 13:48:49 +01:00
Stephan Kristyn
cfea0fb20e Now leaving styling to customer if he wants the filename and filesize as a hyperlink or outside the hyperlink 2026-02-11 19:03:34 +01:00
Stephan Kristyn
9ab16674aa Adding Bootstrap Classname to dynamically created child element 2026-02-10 18:22:17 +01:00
Stephan Kristyn
e2b4b8a7f8 Adding new DOM element, CSS and JS code 2026-02-10 14:36:03 +01:00
El RIDO
ec656a5456
credit Persian translation & enable use of Persian plurals 2026-02-06 19:15:02 +01:00
El RIDO
a1c8966a36
Merge branch 'master' into linter-semicolon-insertion 2026-01-28 07:33:58 +01:00
El RIDO
f6c01a6489
update SRI hash 2026-01-28 07:21:32 +01:00
El RIDO
a4eaa77b82
address semicolon insertion lint
> Code that uses automatic semicolon insertion inconsistently is hard to read and maintain.

See: https://github.com/PrivateBin/PrivateBin/security/quality/rules/js%2Fautomatic-semicolon-insertion
2026-01-25 09:41:52 +01:00
El RIDO
0ed48c455f
address unneeded defensive code lint
IMHO this check is actually necessary, as we do call the function with an empty argument. So we need a guard there, but we could simplify it a bit, by making the argument an empty array by default. I still kept the check for undefined (line 3249, first check) in case the caller passes us an undefined variable.

See: https://github.com/PrivateBin/PrivateBin/security/quality/rules/js%2Funneeded-defensive-code - Copilot suggested to simply remove the if-condition and its else block, which I think is wrong.
2026-01-25 09:26:14 +01:00
woutresseler
33c93f4d40 Update hash for privatebin.js 2026-01-20 13:18:57 +01:00
Ribas160
ed9b3d1aa0
fix: The content format is not reset on create a new or clone document 2025-12-14 09:08:48 +02:00
Ribas160
54d002d26f
fix: Attachment disappears after a "paste" in the message area 2025-12-09 15:43:59 +02:00
El RIDO
aa931c7a5c
enable Swedish translations 2025-12-02 06:40:07 +01:00
rugk
ce06857d2c chore update SRI hash of main JS file 2025-11-27 21:05:59 +00:00
El RIDO
b4db5f8e57
apply null coalescing operator, strict equality, avoid aliases, prefer empty 2025-11-20 08:19:14 +01:00
El RIDO
c8643f187e
apply null coalescing operator
Co-authored-by: Mikhail Romanov <42250412+Ribas160@users.noreply.github.com>
2025-11-19 18:45:35 +01:00
El RIDO
3a23117ebf
Refactored translation of exception messages 2025-11-19 09:36:40 +01:00
El RIDO
3e6f1733f9
refactored exceptions in controller
- added missing exception doc blocks
- introduced exception type that translates message during construction
- catch explicit exception types where possible
2025-11-19 09:36:39 +01:00
El RIDO
e427458cd0 Merge branch 'master' into advisory-fix-1 2025-11-11 22:00:09 +01:00
Ribas160
08b3244314
privatebin.js SRI and CHANGELOG.md updated 2025-11-11 20:13:10 +02:00
Ribas160
9c71fbcc70
Use pure JavaScript to create a div element 2025-11-11 17:45:27 +02:00
Ribas160
14b68af528
Insert drag and drop file names as a text, not html 2025-11-10 17:59:18 +02:00
Ribas160
a7b253a43a
fix: error fetching attachments from blob 2025-11-05 17:33:08 +02:00
El RIDO
a91d0afebd
ensure there is still a space between commenter icon and name 2025-10-28 16:35:58 +01:00
El RIDO
43cf8b53ac
Merge branch 'master' into purify-3.3.0 2025-10-28 11:27:17 +01:00
El RIDO
c4f8482b30
Refactored jQuery DOM element creation
using plain JavaScript, to ensure text nodes are sanitized
2025-10-25 12:56:55 +02:00
El RIDO
fd2c2ae0c5
update DOMpurify library from 3.2.7 to 3.3.0 2025-10-25 10:52:40 +02:00
El RIDO
06496a1b0e
update bootstrap CSS library from 5.3.7 to 5.3.8 2025-10-09 09:24:08 +02:00