From 7e506c7f83f2f9d02178217565c10b47a3fef327 Mon Sep 17 00:00:00 2001
From: rugk
Date: Mon, 23 Feb 2026 16:31:13 +0100
Subject: [PATCH] refactor: drastically simplify JS "has HTML" extension again

Co-authored-by: El RIDO
---
 js/privatebin.js | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/js/privatebin.js b/js/privatebin.js
index f8a55cbe..58482b40 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -962,17 +962,9 @@ jQuery.PrivateBin = (function($) {
 * @returns {boolean}
 */
 function isStringContainsHtml(messageId) {
- // Use DOMParser to parse the string as HTML. DOMParser does not
- // execute scripts nor load external resources when parsing, making
- // it safer against XSS.
- try {
- const doc = new DOMParser().parseFromString(String(messageId), 'text/html');
- return Array.from(doc.body.childNodes).some(node => node.nodeType === Node.ELEMENT_NODE);
- } catch (e) {
- // If parsing fails for any reason, consider it not HTML to avoid
- // treating arbitrary strings as markup.
- return false;
- }
+ // message IDs are allowed to contain anchors, spans, keyboard and emphasis tags
+ // we can recognize all of them by only checking for anchors and keyboard tags
+ return args[0].indexOf('