diff --git a/.travis.yml b/.travis.yml
index 084a76d1..98dfaaeb 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -9,10 +9,10 @@ php:
 # as this is a php project, node.js v4 (for JS unit testing) isn't installed
 install:
- - rm -rf ~/.nvm && git clone https://github.com/creationix/nvm.git ~/.nvm && (cd ~/.nvm && git checkout `git describe --abbrev=0 --tags`) && source ~/.nvm/nvm.sh && nvm install 4
+ - if [ ! -d "$HOME/.nvm" ]; then mkdir -p $HOME/.nvm && curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.33.8/install.sh | NVM_METHOD=script bash; fi
+ - source ~/.nvm/nvm.sh && nvm install 4
 before_script:
- - composer config -g github-oauth.github.com "$GITHUB_TOKEN"
 - composer install -n
 - npm install -g mocha
 - cd js
@@ -27,3 +27,11 @@ after_script:
 - cd ..
 - vendor/bin/codacycoverage clover tst/log/coverage-clover.xml
 - vendor/bin/test-reporter --coverage-report tst/log/coverage-clover.xml
+
+cache:
+ directories:
+ - $HOME/.composer/cache/files
+ - $HOME/.composer/cache/vcs
+ - $HOME/.nvm
+ - $HOME/.npm
+ - js/node_modules
diff --git a/composer.json b/composer.json
index 2a363a66..2af4f7b7 100644
--- a/composer.json
+++ b/composer.json
@@ -11,12 +11,6 @@
 "source": "https://github.com/PrivateBin/PrivateBin",
 "docs": "https://zerobin.dssr.ch/documentation/"
 },
- "repositories": [
- {
- "type": "vcs",
- "url": "https://github.com/PrivateBin/PrivateBin"
- }
- ],
 "require": {
 "php": "^5.4.0 || ^7.0",
 "paragonie/random_compat": "2.0.4",
diff --git a/js/privatebin.js b/js/privatebin.js
index a8c3b618..e15e28a7 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -1701,7 +1701,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
 }
 // set sanitized and linked text
- var sanitizedLinkedText = DOMPurify.sanitize(Helper.urls2links(text), {SAFE_FOR_JQUERY: true});
+ var sanitizedLinkedText = DOMPurify.sanitize(Helper.urls2links(text));
 $plainText.html(sanitizedLinkedText);
 $prettyPrint.html(sanitizedLinkedText);
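Review bot: The new install step pipes `curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.33.8/install.sh` straight into `bash` with no integrity check, and `v0.33.8` is a tag, a mutable git ref, so the CI toolchain is whatever that URL serves on the day of the build. Pin the script by commit SHA in the raw URL, or download it, compare it against a recorded checksum, and only then run it, so that an upstream change cannot silently alter the build. Because `mkdir -p $HOME/.nvm` runs before the download and `$HOME/.nvm` is added to `cache.directories` in the second hunk, a failed or partial install leaves the directory behind, and if that build's cache is stored the `if [ ! -d "$HOME/.nvm" ]` guard will skip the install on later runs; creating the directory (or a marker file) only after a successful install avoids that. `$HOME/.nvm` in the `mkdir -p` call should also be quoted, as it is in the test expression.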
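Review bot: Dropping `{SAFE_FOR_JQUERY: true}` removes the DOMPurify mode that encoded its output for jQuery's HTML pre-filtering, yet the result is still handed to `$plainText.html(...)` and `$prettyPrint.html(...)` on the following lines, and the diff shows no accompanying dependency change, so whether the bundled jQuery and DOMPurify versions make this safe cannot be confirmed from here. If the option was dropped because the DOMPurify release in use no longer accepts it, say so in the commit message and pin that version; otherwise keep the option until the jQuery in use is confirmed not to rewrite self-closing tags inside `.html()`. The same removal appears in the hunks at 1714, 1728, 2224 and 2531, so one such statement covers all of them.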
@@ -1714,7 +1714,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
 });
 // let showdown convert the HTML and sanitize HTML *afterwards*!
 $plainText.html(
- DOMPurify.sanitize(converter.makeHtml(text), {SAFE_FOR_JQUERY: true})
+ DOMPurify.sanitize(converter.makeHtml(text))
 );
 // add table classes from bootstrap css
 $plainText.find('table').addClass('table-condensed table-bordered');
@@ -1728,8 +1728,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
 $prettyPrint.html(
 DOMPurify.sanitize(
- prettyPrintOne(Helper.urls2links(text), null, true),
- {SAFE_FOR_JQUERY: true}
+ prettyPrintOne(Helper.urls2links(text), null, true)
 )
 );
 // fall through, as the rest is the same
@@ -1825,6 +1824,8 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
 */
 me.setText = function(newText) {
+ // escape HTML entities
+ newText = $('
').text(newText).html();
 if (text !== newText) {
 text = newText;
 isChanged = true;
@@ -2224,8 +2225,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
 // set & parse text
 $commentEntryData.html(
 DOMPurify.sanitize(
- Helper.urls2links(commentText),
- {SAFE_FOR_JQUERY: true}
+ Helper.urls2links(commentText)
 )
 );
@@ -2531,7 +2531,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
 for (var i = 0; i < $head.length; i++) {
 newDoc.write($head[i].outerHTML);
 }
- newDoc.write('' + DOMPurify.sanitize(paste, {SAFE_FOR_JQUERY: true}) + '
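Review bot: The jQuery `.text(newText).html()` round-trip added at the top of `me.setText` changes what `text` stores, not only how it is rendered: `text = newText` now keeps the escaped form, so the comparison `text !== newText` and every later reader of `text` (the hunk at 1714 passes it to `converter.makeHtml`) see `&lt;`, `&gt;` and `&amp;` in place of the original characters. Markdown constructs that depend on those characters, such as `>` blockquotes, would presumably stop working, and any caller that feeds a previously stored value back into `setText` would double-escape it, though that depends on callers outside this hunk. If the intent is to neutralise HTML before DOMPurify runs, escaping at the render sites (the `sanitize` calls) and leaving the stored text untouched keeps the two concerns separate; the body of `me.setText` continues beyond the hunk.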