diff --git a/js/privatebin.js b/js/privatebin.js
index a9cc9312..244fa9e2 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -1700,8 +1700,11 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) {
 return;
 }
- // set sanitized and linked text
- var sanitizedLinkedText = DOMPurify.sanitize(Helper.urls2links(text));
+ // escape HTML entities, link URLs, sanitize
+ var escapedLinkedText = Helper.urls2links(
+ $('
').text(text).html() + ), + sanitizedLinkedText = DOMPurify.sanitize(escapedLinkedText); $plainText.html(sanitizedLinkedText); $prettyPrint.html(sanitizedLinkedText); @@ -1728,7 +1731,7 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) { $prettyPrint.html( DOMPurify.sanitize( - prettyPrintOne(Helper.urls2links(text), null, true) + prettyPrintOne(escapedLinkedText, null, true) ) ); // fall through, as the rest is the same @@ -1824,8 +1827,6 @@ jQuery.PrivateBin = function($, sjcl, Base64, RawDeflate) { */ me.setText = function(newText) { - // escape HTML entities - newText = $('
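Review bot: The escape feeding the new `var escapedLinkedText` declaration neutralises only `<`, `>` and `&` — serialising a text node via `.html()` leaves `"` and `'` untouched — so the value is safe as element text but not as attribute content, and whether `Helper.urls2links` carries attacker-controlled quotes from it into an `href` is decided inside that helper, not here; the `DOMPurify.sanitize(escapedLinkedText)` call on the next line therefore remains the actual XSS barrier and the comment should say so, e.g. `// text-node escaping only (quotes are not escaped); DOMPurify below is the real barrier`. In this rendering the element literal reads `$('` … `')` with the selector text missing, presumably stripped by the page, so confirm the jQuery wrapper argument against the repository. As a style point, the comma-chained `var escapedLinkedText = …, sanitizedLinkedText = …` reads more clearly as two separate declarations. The enclosing function begins before this hunk and continues after it.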
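Review bot: `prettyPrintOne(escapedLinkedText, null, true)` depends on `escapedLinkedText` being a function-scoped `var` declared in the previous hunk, roughly thirty lines above and in a different part of the same function; if that declaration is ever narrowed to block scope (`let`/`const`) this path would fail with a ReferenceError only for syntax-highlighted pastes, which the visible test change does not exercise. A short comment on the changed line, `// escapedLinkedText: HTML-escaped + linkified text built above, before the format handling`, would make the cross-branch dependency explicit. The surrounding call chain and the enclosing function start and end outside the hunk.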
').text(newText).html();
 if (text !== newText) {
 text = newText;
 isChanged = true;
diff --git a/js/test/PasteViewer.js b/js/test/PasteViewer.js
index 5b9b9242..ca97518c 100644
--- a/js/test/PasteViewer.js
+++ b/js/test/PasteViewer.js
@@ -48,7 +48,7 @@ describe('PasteViewer', function () {
 results.push(
 $('#placeholder').hasClass('hidden') &&
 !$.PrivateBin.PasteViewer.isPrettyPrinted() &&
- $.PrivateBin.PasteViewer.getText() == $('
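Review bot: With the two removed lines, `me.setText` now stores the caller's text verbatim, so `getText()` and the closure variable `text` hand back unescaped content and every consumer that inserts that value with `.html()` rather than `.text()` now relies on escaping or DOMPurify at the point of use; the doc comment ending at the `*/` just above the signature should record this new contract, e.g. `@param {string} newText - raw paste text; stored unescaped, HTML escaping is applied at render time`. Callers of `getText()` outside privatebin.js are not visible here and deserve a grep for `.html(` before merging. The JSDoc block and the remainder of `setText` lie outside the hunk.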
').text(text).html()
+ $.PrivateBin.PasteViewer.getText() == text
 );
 if (format == 'markdown') {
 results.push(
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index dba34a9b..9ac5ae04 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -75,7 +75,7 @@ if ($MARKDOWN):
-
+
diff --git a/tpl/page.php b/tpl/page.php
index d2f26d83..03bc1c99 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -54,7 +54,7 @@ if ($QRCODE):
-
+
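Review bot: The rewritten assertion `$.PrivateBin.PasteViewer.getText() == text` only pins that the viewer round-trips the raw text; nothing in this hunk checks that the escaping the commit moved into the render path actually takes place, i.e. that the plaintext container does not end up with unescaped `<`/`>` from `text`, which was the property the old comparison indirectly covered. A companion check that the rendered container's `.text()` equals the input (links keep their URL as visible text) would cover that, though the exact selector depends on markup outside this hunk. Also use `===` here, matching the `!==` the library itself uses in `setText`. The `describe` callback and the `results` array are defined outside the hunk.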