PrivateBin/js
rugk 7f1f40853e fix: prevent browsers from rendering unsafe attachments like HTML in a new tab
We do not want to santitize them with DOMPurify, as an attached file should
be returned exactly as it has been attached by the creator. And sharing HTML files
is IMHO a legitimate use case.

However, opening these in a new tab can result in (JS) code execution.
Yet again, opening a "bigger" preview for some file types like images or videos
is also a valid use case, which also should not be broken. That's why this is not done
in alll cases, but some mime type filtering still exists.

I also looked into whether a blocklist (for HTML and SVG) would make sense, but really
you cannot possibly define an exhausive list of "unsafe" mime types: https://security.stackexchange.com/a/167853/91425

That's why I use a quite strict allowlist approach here.
I skimmed https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/MIME_types/Common_types
for what could be common use cases/mime types, people _may_ actually want to get
rendered and this is the result.

Thus I am quite confident this patch does not introduce such a big "breaking change"
(in UI behaviour), but people best do not notice it.
2026-06-13 22:01:35 +02:00
..
test fix: move copy to clipboard button outside of prettymessage block 2026-05-15 13:28:34 +03:00
.istanbul.yml chore: upgrade jQuery from v3.7.0 to 3.7.1 2024-05-05 11:50:12 +02:00
.nycrc.yml changes required for jsdoc, adding legacy.js to code coverage 2019-09-22 21:18:19 +02:00
base-x-5.0.1.js upgrade base-x to 5.0.1 2025-07-22 10:32:08 +02:00
bootstrap-3.4.1.js update bootstrap JS library to 3.4.1 2022-02-20 16:13:54 +01:00
bootstrap-5.3.8.js update bootstrap CSS library from 5.3.7 to 5.3.8 2025-10-09 09:24:08 +02:00
comment.jsonld breaking all the things (by replacing v1 with v2 formats) 2019-05-03 20:51:01 +02:00
commentmeta.jsonld reduce duplication in format 2018-12-17 21:42:49 +01:00
common.js Merge branch 'master' into zlib-1.3.2 2026-04-29 07:09:23 +02:00
dark-mode-switch.js prototype keyboard trap toggle 2024-11-24 11:45:46 +01:00
eslint.config.js exclude generated ES6 module from ESlint 2026-04-03 18:42:32 +02:00
jquery-3.7.1.js chore: upgrade jQuery from v3.7.0 to 3.7.1 2024-05-05 11:50:12 +02:00
kjua-0.10.0.js upgrade kjua to 0.10.0 2025-07-22 09:49:48 +02:00
legacy.js Update js/legacy.js 2026-01-27 14:50:23 +01:00
package-lock.json chore(deps): bump uuid and nyc in /js 2026-06-10 18:31:30 +00:00
package.json chore(deps): bump uuid and nyc in /js 2026-06-10 18:31:30 +00:00
paste.jsonld designing v2 paste & comment format 2018-12-17 19:43:16 +01:00
pastemeta.jsonld address security concerns reg. paste creation date by removing it in the API, keep comment creation date exposed, displayed in discussion - resolves #390 2018-12-23 20:10:24 +01:00
prettify.js updating prettify library to 453bd5f 2018-07-01 19:17:05 +02:00
privatebin.js fix: prevent browsers from rendering unsafe attachments like HTML in a new tab 2026-06-13 22:01:35 +02:00
purify-3.4.1.js update DOMpurify library from 3.4.0 to 3.4.1 2026-04-23 07:15:03 +02:00
showdown-2.1.0.js upgrade JS libraries 2022-11-13 06:37:23 +01:00
types.jsonld re-add CreationTime, still used in comment 2018-12-24 08:20:39 +01:00
zlib-1.3.2.js avoid mjs for now, inject map, Buffer is node-only 2026-04-04 10:22:10 +02:00
zlib-1.3.2.wasm updating zlib to 1.3.2 2026-04-03 18:15:54 +02:00
zlib.js avoid mjs for now, inject map, Buffer is node-only 2026-04-04 10:22:10 +02:00