From 69e37c2c04d1c44ec0dc2f4d64842974be5197f1 Mon Sep 17 00:00:00 2001
From: rugk
Date: Mon, 23 Feb 2026 16:45:31 +0100
Subject: [PATCH] refactor: introduce purifyHtmlConfigStrictSubset
---
 js/privatebin.js | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/js/privatebin.js b/js/privatebin.js
index 7d8ce842..37223997 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -58,9 +58,23 @@ jQuery.PrivateBin = (function($) {
 ALLOWED_URI_REGEXP: /^(?:(?:(?:f|ht)tps?|mailto|magnet):)/i,
 USE_PROFILES: {
 html: true
- }
+ },
 };
 
+ /**
+ * DOMpurify settings for HTML content, where only a strict subset is allowed.
+ *
+ * NOTE: The key `USE_PROFILES` from {@see purifyHtmlConfig} needs to be excluded,
+ * as otherwise `USE_PROFILES` takes precedence.
+ *
+ * @private
+ */
+ const purifyHtmlConfigStrictSubset {
+ ALLOWED_URI_REGEXP: purifyHtmlConfig.ALLOWED_URI_REGEXP,
+ ALLOWED_TAGS: ['a', 'i', 'span', 'kbd'],
+ ALLOWED_ATTR: ['href', 'id']
+ })
+
 /**
 * DOMpurify settings for SVG content
 *
@@ -439,7 +453,7 @@ jQuery.PrivateBin = (function($) {
 /(((https?|ftp):\/\/[\w?!=&.\/-;#@~%+*-]+(?![\w\s?!&.\/;#~%"=-]>))|((magnet):[\w?=&.\/-;#@~%+*-]+))/ig,
 '$1'
 ),
- purifyHtmlConfig
+ purifyHtmlConfigStrictSubset
 )
 );
 };
@@ -812,12 +826,7 @@ jQuery.PrivateBin = (function($) {
 if (containsHtml) {
 // only allow tags/attributes we actually use in translations
- const sanitizeConfig = {
- ...purifyHtmlConfig,
- ALLOWED_TAGS: ['a', 'i', 'span', 'kbd'],
- ALLOWED_ATTR: ['href', 'id']
- });
- output = DOMPurify.sanitize(output, sanitizeConfig);
+ output = DOMPurify.sanitize(output, purifyHtmlConfigStrictSubset);
 }
 
 // if $element is given, insert translation
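Review bot: The new declaration in the first hunk is not valid JavaScript: `const purifyHtmlConfigStrictSubset {` is missing the `=`, and the literal is closed with `})` instead of `};`, so the whole IIFE fails to parse and neither sanitize call in the second and third hunks can run; the two lines should read `const purifyHtmlConfigStrictSubset = {` and `};` (the stray `)` looks carried over from the removed `sanitizeConfig` block). Since this object is now the single sanitizer policy shared by the URL-linkifying path and the translation path, wrapping it in `Object.freeze(...)` would keep ALLOWED_TAGS/ALLOWED_ATTR from being widened at runtime. If DOMPurify's USE_PROFILES does override ALLOWED_TAGS/ALLOWED_ATTR as the new doc comment states, the removed spread-based config was effectively the full html profile, so this refactor tightens what translated strings may contain and deserves a regression test asserting that a tag outside the subset is stripped. The functions enclosing the second and third hunks start and end outside them.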