From f6893d338b4cff2cd17d6dbe439e13f14592a6e3 Mon Sep 17 00:00:00 2001
From: rugk
Date: Thu, 13 Nov 2025 13:34:51 +0000
Subject: [PATCH] refactor: use DOMParser for checking if translation is HTML

---
 js/privatebin.js | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/js/privatebin.js b/js/privatebin.js
index 29f2dd44..c02767e2 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -963,13 +963,17 @@ jQuery.PrivateBin = (function($) {
 * @returns {boolean}
 */
 function isStringContainsHtml(messageId) {
- // An integer which specifies the type of the node. An Element node like or .
- const elementNodeType = 1;
-
- const div = document.createElement('div');
- div.innerHTML = messageId;
-
- return Array.from(div.childNodes).some(node => node.nodeType === elementNodeType);
+ // Use DOMParser to parse the string as HTML. DOMParser does not
+ // execute scripts nor load external resources when parsing, making
+ // it safer against XSS.
+ try {
+ const doc = new DOMParser().parseFromString(String(messageId), 'text/html');
+ return Array.from(doc.body.childNodes).some(node => node.nodeType === Node.ELEMENT_NODE);
+ } catch (e) {
+ // If parsing fails for any reason, consider it not HTML to avoid
+ // treating arbitrary strings as markup.
+ return false;
+ }
 }
 return me;
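Review bot: Checking only `doc.body.childNodes` misses the element types the HTML parser places into `<head>` when they lead the string — `<script>`, `<style>`, `<meta>`, `<link>`, `<title>`, `<base>` — so a messageId consisting solely of such markup now yields false, whereas the replaced `div.innerHTML` approach kept every parsed node inside the div and reported it. If the caller uses this flag to choose between text and HTML insertion (the call site is outside this hunk), that change in detection scope should be deliberate rather than incidental. Consider `return [...doc.head.childNodes, ...doc.body.childNodes].some(node => node.nodeType === Node.ELEMENT_NODE);`, or state the body-only scope in the leading comment. The `e` in `catch (e)` is unused; an optional catch binding `catch {` reads cleaner if the project's target allows it.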