Fix source code escaping in comments

Also fix comments.

js/privatebin.js

@@ -374,6 +374,31 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             }
         };
 
+        /**
+         * formats the text that needs to be formatted, so DomPurify can properly escape it. 
+         *
+         * @name   Helper.preformatTextForDomPurify
+         * @function
+         * @param  {string} html
+         * @param  {'markdown'|'syntaxhighlighting'|'plaintext'} text
+         * @return {string} new text
+         */
+        me.preformatTextForDomPurify = function(text, format)
+        {
+            if (!format) {
+                throw new TypeError('invalid format parameter');
+            }
+
+            // encode < to make sure DomPurify does not interpret e.g. HTML or XML markup as code
+            // cf. https://developer.mozilla.org/en-US/docs/Web/HTML/Element/xmp#Summary
+            // As Markdown, by definition, is/allows HTML code, we do not do anything there.
+            if (format !== 'markdown') {
+                // one character is enough, as this is not security-relevant (all output will go through DOMPurify later)
+                text = text.replace(/</g, '&lt;');
+            }
+            return text;
+        };
+
         /**
          * convert URLs to clickable links.
          *
@@ -2504,13 +2529,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
                 return;
             }
 
-            // encode < to make sure DomPurify does not interpret e.g. HTML or XML markup as code
+            text = Helper.preformatTextForDomPurify(text, format);
-            // cf. https://developer.mozilla.org/en-US/docs/Web/HTML/Element/xmp#Summary
-            // As Markdown, by definition, is/allows HTML code, we do not do anything there.
-            if (format !== 'markdown') {
-                // one character is enough, as this is not security-relevant (all output will go through DOMPurify later)
-                text = text.replace(/</g, '&lt;');
-            }
             
             // escape HTML entities, link URLs, sanitize
             const escapedLinkedText = Helper.urls2links(text),
@@ -3321,7 +3340,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
          */
         me.addComment = function(comment, commentText, nickname)
         {
-            if (commentText === '') {
+            if (!commentText) {
                 commentText = 'comment decryption failed';
             }
 
@@ -3331,6 +3350,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             const $commentEntryData = $commentEntry.find('div.commentdata');
 
             // set & parse text
+            commentText = Helper.preformatTextForDomPurify(commentText, 'plaintext');
             $commentEntryData.html(
                 DOMPurify.sanitize(
                     Helper.urls2links(commentText), {

tpl/bootstrap.php

@@ -72,7 +72,7 @@ endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-2.0.8.js" integrity="sha512-x2Kev3A7fqc/QKCzRHoJ7qCiglgxXtY8WDUMPOUBI6jVueqRkRMGjP1IqD9iUWVuND81ckCCS27Br5M11tw0IA==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-3L/E22cdC3wDFXKM1i32bw4HdrfX14du2xswUKanOY6CLrD+e0hykmLvES+zfBKF1GFQFKr3OmdCVH2y+zHlsA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-0Gt+x+QenVjex80M6AXnrJIOqVV19nV+s8P9T9K68+vyvFGW/Fx34viKK8zzu1ME2GYctsJlNB4I1x75P095ZQ==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-5l2RuILQ59Go14jKwavtCpGEnUhzIkYyLF1ctlOaYxD5HVuBg4IAj5svkFQ4rirruhw88REZ6swax3CuLHeftg==" crossorigin="anonymous"></script>
 		<link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
 		<link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" />
 		<link rel="icon" type="image/png" href="img/favicon-16x16.png?<?php echo rawurlencode($VERSION); ?>" sizes="16x16" />

tpl/page.php

@@ -50,7 +50,7 @@ endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-2.0.8.js" integrity="sha512-x2Kev3A7fqc/QKCzRHoJ7qCiglgxXtY8WDUMPOUBI6jVueqRkRMGjP1IqD9iUWVuND81ckCCS27Br5M11tw0IA==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-3L/E22cdC3wDFXKM1i32bw4HdrfX14du2xswUKanOY6CLrD+e0hykmLvES+zfBKF1GFQFKr3OmdCVH2y+zHlsA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-0Gt+x+QenVjex80M6AXnrJIOqVV19nV+s8P9T9K68+vyvFGW/Fx34viKK8zzu1ME2GYctsJlNB4I1x75P095ZQ==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-5l2RuILQ59Go14jKwavtCpGEnUhzIkYyLF1ctlOaYxD5HVuBg4IAj5svkFQ4rirruhw88REZ6swax3CuLHeftg==" crossorigin="anonymous"></script>
 		<link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
 		<link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" />
 		<link rel="icon" type="image/png" href="img/favicon-16x16.png?<?php echo rawurlencode($VERSION); ?>" sizes="16x16" />