Merge branch 'master' into zlib-1.3.2

chore(deps): bump symfony/polyfill-php80 from 1.33.0 to 1.34.0

.github/CONTRIBUTING.md

@@ -6,3 +6,10 @@ Have a look at our [contributing guide](https://github.com/PrivateBin/PrivateBin
 If you want to translate PrivateBin into your language have a look at the [translation guide](https://github.com/PrivateBin/PrivateBin/wiki/Translation).
 
 Except this also opening [issues](https://github.com/PrivateBin/PrivateBin/issues) helps much. Just describe your problem detailed enough and fill out our template.
+
+## Guidelines for pull requests
+
+Please note that we, as per our pull request template, **require users to disclose the use of an AI/LLM tool**. We would be glad about details such as the exact used tool/relevant chat snippets or a full (link to the) chat conversation. In any case, please take care to manually test and review your pull request.
+
+For Frontend adjustments or other changes visible visually in the PrivateBin web UI, please _always_ attach at least **a screenshot** of how it looks like with your changes applied. You may only omit that for invisible changes or _very_ obvious little changes like fixing typographic mistakes or translations etc.
+If possible, especially for bigger or interactive changes, please also attach a link to a working test instance.

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,4 +1,4 @@
-<!-- This is a template for your Pull Request. This are just some suggestions for you. You do not have to use all of them. -->
+<!--Please honor our guidelines as written in the CONTRIBUTING.md file. To emphasize: it is required to disclose the usage of an LLM tool. -->
 
 <!-- If your PR fixes an issue, mention it here. You can also just copy the URL - GitHub will convert it for you.
 If this PR fixes several issues, please prepend each issue url/number with the word "fix"/"fixes" or "close"/"closes" as this automatically closes the issues you mentioned when the PR is merged.
@@ -6,11 +6,12 @@ If this PR fixes several issues, please prepend each issue url/number with the w
 This PR fixes 
 
 ## Changes
-<!-- List all the changes you have done -->
+<!-- List all the changes you have done. This section is just an example and may be removed if irrelevant. -->
 * 
 * 
 
 ## ToDo
+<!-- This section is just an example and may be removed if irrelevant, e.g. if you have completely implemented the PR. -->
 * [ ] 
 * [ ] 
 * [ ] 

.github/workflows/snyk-scan.yml

@@ -25,8 +25,6 @@ jobs:
       github.event.pull_request.author_association == 'OWNER' )
     steps:
       - uses: actions/checkout@v6
-      - name: Install Google Cloud Storage
-        run: composer require --no-update google/cloud-storage && composer update --no-dev
       - name: Run Snyk to check for vulnerabilities
         uses: snyk/actions/php@master
         continue-on-error: true # To make sure that SARIF upload gets called

.github/workflows/test-results.yml

@@ -25,7 +25,7 @@ jobs:
 
     steps:
        - name: Download and Extract Artifacts
-         uses: dawidd6/action-download-artifact@2536c51d3d126276eb39f74d6bc9c72ac6ef30d3
+         uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732
          with:
           run_id: ${{ github.event.workflow_run.id }}
           path: artifacts

CHANGELOG.md

@@ -4,7 +4,8 @@
 * ADDED: Translations for Swedish & Persian
 * CHANGED: Deduplicate JSON error message translations
 * CHANGED: Refactored translation of exception messages
-* CHANGED: Upgrading libraries to: ip-lib 1.22.0 & polyfill-php80 1.33.0
+* CHANGED: Upgrading libraries to: DOMpurify 3.3.2, ip-lib 1.22.0, polyfill-php80 1.34.0 & zlib 1.3.2
+* CHANGED: Remove obsolete X-XSS-Protection header (#1825)
 * FIXED: Some exceptions not getting translated
 * FIXED: Attachment disappears after a "paste" in the message area (#1731)
 * FIXED: The content format is not reset when creating a new document (#1707)

README.md

@@ -1,4 +1,4 @@
-# [![PrivateBin](https://cdn.rawgit.com/PrivateBin/assets/master/images/preview/logoSmall.png)](https://privatebin.info/)
+# [![PrivateBin](https://raw.githubusercontent.com/PrivateBin/assets/master/images/preview/logoSmall.png)](https://privatebin.info/)
 
 *Current version: 2.0.3*
 

composer.json

@@ -27,7 +27,7 @@
 		"php": "^7.4 || ^8.0",
 		"jdenticon/jdenticon": "2.0.0",
 		"mlocati/ip-lib": "1.22.0",
-		"symfony/polyfill-php80": "1.33.0",
+		"symfony/polyfill-php80": "1.34.0",
 		"yzalis/identicon": "2.0.0"
 	},
 	"suggest" : {

composer.lock

@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "ff9fb51d6276695418293a61dd81f489",
+    "content-hash": "93df7ad74baea1e462b30852a480707d",
     "packages": [
         {
             "name": "jdenticon/jdenticon",
@@ -128,16 +128,16 @@
         },
         {
             "name": "symfony/polyfill-php80",
-            "version": "v1.33.0",
+            "version": "v1.34.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-php80.git",
-                "reference": "0cc9dd0f17f61d8131e7df6b84bd344899fe2608"
+                "reference": "dfb55726c3a76ea3b6459fcfda1ec2d80a682411"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-php80/zipball/0cc9dd0f17f61d8131e7df6b84bd344899fe2608",
-                "reference": "0cc9dd0f17f61d8131e7df6b84bd344899fe2608",
+                "url": "https://api.github.com/repos/symfony/polyfill-php80/zipball/dfb55726c3a76ea3b6459fcfda1ec2d80a682411",
+                "reference": "dfb55726c3a76ea3b6459fcfda1ec2d80a682411",
                 "shasum": ""
             },
             "require": {
@@ -188,7 +188,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-php80/tree/v1.33.0"
+                "source": "https://github.com/symfony/polyfill-php80/tree/v1.34.0"
             },
             "funding": [
                 {
@@ -208,7 +208,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2025-01-02T08:10:11+00:00"
+            "time": "2026-04-10T16:19:22+00:00"
         },
         {
             "name": "yzalis/identicon",
@@ -2079,5 +2079,5 @@
     "platform-overrides": {
         "php": "7.4"
     },
-    "plugin-api-version": "2.6.0"
+    "plugin-api-version": "2.9.0"
 }

i18n/sl.json

@@ -1,6 +1,6 @@
 {
     "PrivateBin": "PrivateBin",
-    "%s is a minimalist, open source online pastebin where the server has zero knowledge of stored data. Data is encrypted/decrypted %sin the browser%s using 256 bits AES.": "%s je minimalističen, odprtokodni spletni 'pastebin', kjer server ne ve ničesar o prilepljenih podatkih. Podatki so zakodirani/odkodirani %sv brskalniku%s z uporabo 256 bitnega AES.",
+    "%s is a minimalist, open source online pastebin where the server has zero knowledge of stored data. Data is encrypted/decrypted %sin the browser%s using 256 bits AES.": "%s je minimalističen, odprtokodni spletni 'pastebin', kjer strežnik ne ve ničesar o prilepljenih podatkih. Podatki so šifrirani/dešifrirani %sv brskalniku%s z uporabo 256 bitnega AES.",
     "More information on the <a href=\"https://privatebin.info/\">project page</a>.": "Več informacij na <a href=\"https://privatebin.info/\">spletni strani projekta.</a>.",
     "Because ignorance is bliss": "Ker kar ne veš ne boli.",
     "Document does not exist, has expired or has been deleted.": "Prilepek ne obstaja, mu je potekla življenjska doba, ali pa je izbrisan.",
@@ -154,7 +154,7 @@
     "Your document is <a id=\"pasteurl\" href=\"%s\">%s</a> <span id=\"copyhint\">(Hit <kbd>Ctrl</kbd>+<kbd>c</kbd> to copy)</span>": "Tvoj prilepek je dostopen na naslovu: <a id=\"pasteurl\" href=\"%s\">%s</a> <span id=\"copyhint\">(Pritisni <kbd>Ctrl</kbd>+<kbd>c</kbd> ali [Cmd] + [c] in skopiraj)</span>",
     "Delete data": "Izbriši podatke",
     "Could not create document: %s": "Ne morem ustvariti prilepka: %s",
-    "Cannot decrypt document: Decryption key missing in URL (Did you use a redirector or an URL shortener which strips part of the URL?)": "Ne morem odkodirati prilepka: V URL-ju manjka ključ (A si uporabil krajšalnik URL-jev, ki odstrani del URL-ja?)",
+    "Cannot decrypt document: Decryption key missing in URL (Did you use a redirector or an URL shortener which strips part of the URL?)": "Prilepka ni mogoče odkodirati: v URL-ju manjka ključ. Ali je bil uporabljen krajšalnik URL-jev, ki odstrani del URL-ja?",
     "B": "o",
     "kB": "kB",
     "MB": "MB",
@@ -191,17 +191,17 @@
     "+++ no document text +++": "+++ ni besedila dokumenta +++",
     "Could not get document data: %s": "Podatkov dokumenta ni bilo mogoče pridobiti: %s",
     "QR code": "QR koda",
-    "This website is using an insecure HTTP connection! Please use it only for testing.": "To spletno mesto uporablja nezaščiteno povezavo HTTP! Prosimo, uporabite jo samo za testiranje.",
+    "This website is using an insecure HTTP connection! Please use it only for testing.": "To spletno mesto uporablja nezaščiteno povezavo HTTP! Prosim, uporabite jo samo za testiranje.",
     "For more information <a href=\"%s\">see this FAQ entry</a>.": "Za več informacij <a href=\"%s\">glejte ta vnos s pogostimi vprašanji</a>.",
     "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.": "Vaš brskalnik morda zahteva povezavo HTTPS za podporo API-ja WebCrypto. Poskusite <a href=\"%s\">preklopiti na HTTPS</a>.",
-    "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.": "Vaš brskalnik ne podpira WebAssemblyja, ki se uporablja za stiskanje zlib. Nestisnjene dokumente lahko ustvarite, stisnjenih pa ne morete brati.",
+    "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.": "Vaš brskalnik ne podpira WebAssembly, ki se uporablja za stiskanje z zlib. Lahko ustvarite nestisnjene dokumente, vendar stisnjenih ne morete odpreti.",
     "waiting on user to provide a password": "čakanje na uporabnika, da vnese geslo",
     "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.": "Podatkov ni bilo mogoče dešifrirati. Ste vnesli napačno geslo? Poskusite znova z gumbom na vrhu.",
     "Retry": "Poskusi ponovno",
     "Showing raw text…": "Prikaz surovega besedila…",
     "Notice:": "Obvestilo:",
     "This link will expire after %s.": "Ta povezava bo potekla čez %s.",
-    "This link can only be accessed once, do not use back or refresh button in your browser.": "Do te povezave lahko dostopate samo enkrat, ne uporabljajte gumba za nazaj ali osvežitev v brskalniku.",
+    "This link can only be accessed once, do not use back or refresh button in your browser.": "Ta povezava je dostopna samo enkrat; v brskalniku ne uporabljajte gumba »Nazaj« ali »Osveži«.",
     "Link:": "Povezava:",
     "Recipient may become aware of your timezone, convert time to UTC?": "Prejemnik lahko izve vaš časovni pas in pretvori čas v UTC?",
     "Use Current Timezone": "Uporabi trenutni časovni pas",
@@ -213,14 +213,14 @@
     "URL shortener is enabled by default.": "Okrajševalec URL-jev je privzeto omogočen.",
     "Save document": "Shrani dokument",
     "Your IP is not authorized to create documents.": "Vaš IP ni pooblaščen za ustvarjanje dokumentov.",
-    "Trying to shorten a URL that isn't pointing at our instance.": "Poskus skrajšanja URL, ki ne kaže na naš primerek.",
+    "Trying to shorten a URL that isn't pointing at our instance.": "Poskus krajšanja URL-ja, ki ne kaže na našo instanco.",
     "Proxy error: Proxy URL is empty. This can be a configuration issue, like wrong or missing config keys.": "Napaka posredniškega strežnika: URL posredniškega strežnika je prazen. To je lahko težava s konfiguracijo, na primer napačni ali manjkajoči konfiguracijski ključi.",
     "Proxy error: Error parsing proxy response. This can be a configuration issue, like wrong or missing config keys.": "Napaka posredniškega strežnika: Napaka pri razčlenjevanju odgovora posredniškega strežnika. To je lahko težava s konfiguracijo, na primer napačni ali manjkajoči konfiguracijski ključi.",
     "Proxy error: Bad response. This can be a configuration issue, like wrong or missing config keys or a temporary outage.": "Napaka posredniškega strežnika: Slab odgovor. To je lahko težava s konfiguracijo, na primer napačni ali manjkajoči konfiguracijski ključi ali začasni izpad.",
     "This secret message can only be displayed once. Would you like to see it now?": "To skrivno sporočilo je mogoče prikazati samo enkrat. Ali ga želite videti zdaj?",
     "Yes, see it": "Da, pokaži",
     "Dark Mode": "Temni način",
-    "Error compressing document, due to missing WebAssembly support.": "Napaka pri stiskanju dokumenta zaradi manjkajoče podpore za WebAssembly.",
+    "Error compressing document, due to missing WebAssembly support.": "Napaka pri stiskanju pripleka zaradi manjkajoče podpore za WebAssembly.",
     "Error decompressing document, your browser does not support WebAssembly. Please use another browser to view this document.": "Napaka pri razpakiranju dokumenta, vaš brskalnik ne podpira WebAssembly. Za ogled tega dokumenta uporabite drug brskalnik.",
     "Start over": "Začni znova",
     "Document copied to clipboard": "Dokument kopiran v odložišče",

js/common.js

@@ -10,12 +10,12 @@ global.WebCrypto = require('@peculiar/webcrypto').Crypto;
 
 // application libraries to test
 global.$ = global.jQuery = require('./jquery-3.7.1');
-global.zlib = require('./zlib-1.3.1-2').zlib;
+global.zlib = require('./zlib').zlib;
 require('./prettify');
 global.prettyPrint = window.PR.prettyPrint;
 global.prettyPrintOne = window.PR.prettyPrintOne;
 global.showdown = require('./showdown-2.1.0');
-global.DOMPurify = require('./purify-3.3.0');
+global.DOMPurify = require('./purify-3.3.2');
 global.baseX = require('./base-x-5.0.1').baseX;
 global.Legacy = require('./legacy').Legacy;
 require('./privatebin');

js/eslint.config.js

@@ -1,7 +1,7 @@
 const globals = require('globals');
 const { globalIgnores } = require('eslint/config')
 
-module.exports = [globalIgnores(["./*.js", "!./privatebin.js"]), {
+module.exports = [globalIgnores(["./*.*js", "!./privatebin.js"]), {
     languageOptions: {
         globals: {
             ...globals.amd,

js/package-lock.json

@@ -1853,11 +1853,10 @@
       }
     },
     "node_modules/flatted": {
-      "version": "3.3.3",
-      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.3.tgz",
-      "integrity": "sha512-GX+ysw4PBCz0PzosHDepZGANEuFCMLrnRTiEy9McGjmkCQYwRq4A/X786G/fjM/+OjsWSU1ZrY5qyARZmO/uwg==",
-      "dev": true,
-      "license": "ISC"
+      "version": "3.4.2",
+      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+      "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
+      "dev": true
     },
     "node_modules/foreground-child": {
       "version": "3.3.1",
@@ -5736,9 +5735,9 @@
       }
     },
     "flatted": {
-      "version": "3.3.3",
-      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.3.tgz",
-      "integrity": "sha512-GX+ysw4PBCz0PzosHDepZGANEuFCMLrnRTiEy9McGjmkCQYwRq4A/X786G/fjM/+OjsWSU1ZrY5qyARZmO/uwg==",
+      "version": "3.4.2",
+      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+      "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
       "dev": true
     },
     "foreground-child": {

js/zlib.js

@@ -9,37 +9,22 @@
         const COMPRESSION_LEVEL = 7;
         const NO_ZLIB_HEADER = -1;
         const CHUNK_SIZE = 32 * 1024;
-        const map = {};
-        const memory = new WebAssembly.Memory({
-            initial: 1,
-            maximum: 1024, // 64MB
-        });
-        const env = {
-            memory,
-            writeToJs(ptr, size) {
-                const o = map[ptr];
-                o.onData(new Uint8Array(memory.buffer, dstPtr, size));
-            },
-            _abort: errno => { console.error(`Error: ${errno}`) },
-            _grow: () => { },
-        };
-        const ins = (await WebAssembly.instantiateStreaming(fetch('js/zlib-1.3.1.wasm'), { env })).instance;
-
-        const srcPtr = ins.exports._malloc(CHUNK_SIZE);
-        const dstPtr = ins.exports._malloc(CHUNK_SIZE);
+        const createModule = (await import('./zlib-1.3.2.js')).default;
+        const Module = await createModule({map: {}});
+        const srcPtr = Module.__malloc(CHUNK_SIZE);
+        const dstPtr = Module.__malloc(CHUNK_SIZE);
 
         class RawDef {
             constructor() {
-                this.zstreamPtr = ins.exports._createDeflateContext(COMPRESSION_LEVEL, NO_ZLIB_HEADER);
-                map[this.zstreamPtr] = this;
+                this.zstreamPtr = Module.__createDeflateContext(COMPRESSION_LEVEL, NO_ZLIB_HEADER);
+                Module.map[this.zstreamPtr] = this;
                 this.offset = 0;
                 this.buff = new Uint8Array(CHUNK_SIZE);
             }
 
             deflate(chunk, flush) {
-                const src = new Uint8Array(memory.buffer, srcPtr, chunk.length);
-                src.set(chunk);
-                ins.exports._deflate(this.zstreamPtr, srcPtr, dstPtr, chunk.length, CHUNK_SIZE, flush);
+                Module.HEAPU8.set(chunk, srcPtr);
+                Module.__deflate(this.zstreamPtr, srcPtr, dstPtr, chunk.length, CHUNK_SIZE, flush);
             }
 
             onData(chunk) {
@@ -53,32 +38,27 @@
             }
 
             destroy() {
-                ins.exports._freeDeflateContext(this.zstreamPtr);
-                delete map[this.zstreamPtr];
+                Module.__freeDeflateContext(this.zstreamPtr);
+                delete Module.map[this.zstreamPtr];
                 this.buff = null;
             }
 
             getBuffer() {
-                const res = new Uint8Array(this.offset);
-                for (let i = 0; i < this.offset; ++i) {
-                    res[i] = this.buff[i];
-                }
-                return res;
+                return this.buff.slice(0, this.offset);
             }
         }
 
         class RawInf {
             constructor() {
-                this.zstreamPtr = ins.exports._createInflateContext(NO_ZLIB_HEADER);
-                map[this.zstreamPtr] = this;
+                this.zstreamPtr = Module.__createInflateContext(NO_ZLIB_HEADER);
+                Module.map[this.zstreamPtr] = this;
                 this.offset = 0;
                 this.buff = new Uint8Array(CHUNK_SIZE);
             }
 
             inflate(chunk) {
-                const src = new Uint8Array(memory.buffer, srcPtr, chunk.length);
-                src.set(chunk);
-                ins.exports._inflate(this.zstreamPtr, srcPtr, dstPtr, chunk.length, CHUNK_SIZE);
+                Module.HEAPU8.set(chunk, srcPtr);
+                Module.__inflate(this.zstreamPtr, srcPtr, dstPtr, chunk.length, CHUNK_SIZE);
             }
 
             onData(chunk) {
@@ -92,17 +72,13 @@
             }
 
             destroy() {
-                ins.exports._freeInflateContext(this.zstreamPtr);
-                delete map[this.zstreamPtr];
+                Module.__freeInflateContext(this.zstreamPtr);
+                delete Module.map[this.zstreamPtr];
                 this.buff = null;
             }
 
             getBuffer() {
-                const res = new Uint8Array(this.offset);
-                for (let i = 0; i < this.offset; ++i) {
-                    res[i] = this.buff[i];
-                }
-                return res;
+                return this.buff.slice(0, this.offset);
             }
         }
 

lib/Configuration.php

@@ -123,9 +123,10 @@ class Configuration
             'js/legacy.js'           => 'sha512-RQEo1hxpNc37i+jz/D9/JiAZhG8GFx3+SNxjYnI7jUgirDIqrCSj6QPAAZeaidditcWzsJ3jxfEj5lVm7ZwTRQ==',
             'js/prettify.js'         => 'sha512-puO0Ogy++IoA2Pb9IjSxV1n4+kQkKXYAEUtVzfZpQepyDPyXk8hokiYDS7ybMogYlyyEIwMLpZqVhCkARQWLMg==',
             'js/privatebin.js'       => 'sha512-6SwOJniNN8RBmAK7yCt4ly2qYyH8OALxB74/K1AJgw+YnZgRCfTDVq1qY1K5Y2QCxCODGGTpAjTqQRExzCqV7g==',
-            'js/purify-3.3.0.js'     => 'sha512-lsHD5zxs4lu/NDzaaibe27Vd2t7Cy9JQ3qDHUvDfb4oZvKoWDNEhwUY+4bT3R68cGgpgCYp8U1x2ifeVxqurdQ==',
+            'js/purify-3.3.2.js'     => 'sha512-I6igPVpf3xNghG92mujwqB6Zi3LpUTsni4bRuLnMThEGH6BDbsumv7373+AXHzA4OUlxGsym8ZxKFHy4xjYvkQ==',
             'js/showdown-2.1.0.js'   => 'sha512-WYXZgkTR0u/Y9SVIA4nTTOih0kXMEd8RRV6MLFdL6YU8ymhR528NLlYQt1nlJQbYz4EW+ZsS0fx1awhiQJme1Q==',
-            'js/zlib-1.3.1-2.js'     => 'sha512-4gT+v+BkBqdVBbKOO4qKGOAzuay+v1FmOLksS+bMgQ08Oo4xEb3X48Xq1Kv2b4HtiCQA7xq9dFRzxal7jmQI7w==',
+            'js/zlib-1.3.2.js'       => 'sha512-RAhJgxg9siMIA8ky4c10Rc2zUgnK80olHB8Tt1IOYWY4Eh1WmrviQkDn+sgBlb38ZHq3tzufGC41kP360gmosQ==',
+            'js/zlib.js'             => 'sha512-QOaEwssHqHRRcWJ2Un3Kl2Zhyprzl7T8zmsKN2FppFxW3VR+8UChYOx2iuL0HbXK42fuBWJm5PNQJxufulrt/w==',
         ),
     );
 

lib/Controller.php

@@ -416,7 +416,6 @@ class Controller
         header('Referrer-Policy: no-referrer');
         header('X-Content-Type-Options: nosniff');
         header('X-Frame-Options: deny');
-        header('X-XSS-Protection: 1; mode=block');
 
         // label all the expiration options
         $expire = array();

lib/View.php

@@ -62,6 +62,48 @@ class View
         include $path;
     }
 
+    /**
+     * get cache buster query string
+     *
+     * if the file isn't versioned (ends in a digit), adds our own version as a query string
+     *
+     * @access private
+     * @param  string $file
+     */
+    private function _getCacheBuster($file)
+    {
+        if ((bool) preg_match('#[0-9]\.m?js$#', (string) $file)) {
+            return '';
+        }
+        return '?' . rawurlencode($this->_variables['VERSION']);
+    }
+
+    /**
+     * get SRI hash for given file
+     *
+     * @access private
+     * @param  string $file
+     */
+    private function _getSri($file)
+    {
+        if (array_key_exists($file, $this->_variables['SRI'])) {
+            return ' integrity="' . $this->_variables['SRI'][$file] . '"';
+        }
+        return '';
+    }
+
+    /**
+     * echo module preload link tag incl. SRI hash for given script file
+     *
+     * @access private
+     * @param  string $file
+     */
+    private function _linkTag($file)
+    {
+        echo '<link rel="modulepreload" href="', $file,
+        $this->_getCacheBuster($file), '"', $this->_getSri($file), ' />', PHP_EOL;
+    }
+
     /**
      * echo script tag incl. SRI hash for given script file
      *
@@ -71,13 +113,9 @@ class View
      */
     private function _scriptTag($file, $attributes = '')
     {
-        $sri = array_key_exists($file, $this->_variables['SRI']) ?
-            ' integrity="' . $this->_variables['SRI'][$file] . '"' : '';
-        // if the file isn't versioned (ends in a digit), add our own version
-        $cacheBuster = (bool) preg_match('#[0-9]\.js$#', (string) $file) ?
-            '' : '?' . rawurlencode($this->_variables['VERSION']);
         echo '<script ', $attributes,
         ' type="text/javascript" data-cfasync="false" src="', $file,
-        $cacheBuster, '"', $sri, ' crossorigin="anonymous"></script>', PHP_EOL;
+        $this->_getCacheBuster($file), '"', $this->_getSri($file),
+        ' crossorigin="anonymous"></script>', PHP_EOL;
     }
 }

tpl/bootstrap.php

@@ -42,6 +42,7 @@ if ($SYNTAXHIGHLIGHTING) :
 endif;
 ?>
 		<noscript><link type="text/css" rel="stylesheet" href="css/noscript.css" /></noscript>
+		<?php $this->_linkTag('js/zlib-1.3.2.js'); ?>
 		<?php $this->_scriptTag('js/jquery-3.7.1.js', 'defer'); ?>
 <?php
 if ($QRCODE) :
@@ -50,7 +51,7 @@ if ($QRCODE) :
 <?php
 endif;
 ?>
-		<?php $this->_scriptTag('js/zlib-1.3.1-2.js', 'defer'); ?>
+		<?php $this->_scriptTag('js/zlib.js', 'defer'); ?>
 		<?php $this->_scriptTag('js/base-x-5.0.1.js', 'defer'); ?>
 		<?php $this->_scriptTag('js/bootstrap-3.4.1.js', 'defer'); ?>
 <?php
@@ -65,7 +66,7 @@ if ($MARKDOWN) :
 <?php
 endif;
 ?>
-		<?php $this->_scriptTag('js/purify-3.3.0.js', 'defer'); ?>
+		<?php $this->_scriptTag('js/purify-3.3.2.js', 'defer'); ?>
 		<?php $this->_scriptTag('js/legacy.js', 'defer'); ?>
 		<?php $this->_scriptTag('js/privatebin.js', 'defer'); ?>
 		<!-- icon -->

tpl/bootstrap5.php

@@ -25,6 +25,7 @@ if ($SYNTAXHIGHLIGHTING) :
 endif;
 ?>
 		<noscript><link type="text/css" rel="stylesheet" href="css/noscript.css" /></noscript>
+		<?php $this->_linkTag('js/zlib-1.3.2.js'); ?>
 		<?php $this->_scriptTag('js/jquery-3.7.1.js', 'defer'); ?>
 <?php
 if ($QRCODE) :
@@ -33,7 +34,7 @@ if ($QRCODE) :
 <?php
 endif;
 ?>
-		<?php $this->_scriptTag('js/zlib-1.3.1-2.js', 'defer'); ?>
+		<?php $this->_scriptTag('js/zlib.js', 'defer'); ?>
 		<?php $this->_scriptTag('js/base-x-5.0.1.js', 'defer'); ?>
 		<?php $this->_scriptTag('js/bootstrap-5.3.8.js', 'defer'); ?>
 		<?php $this->_scriptTag('js/dark-mode-switch.js', 'defer'); ?>
@@ -49,7 +50,7 @@ if ($MARKDOWN) :
 <?php
 endif;
 ?>
-		<?php $this->_scriptTag('js/purify-3.3.0.js', 'defer'); ?>
+		<?php $this->_scriptTag('js/purify-3.3.2.js', 'defer'); ?>
 		<?php $this->_scriptTag('js/legacy.js', 'defer'); ?>
 		<?php $this->_scriptTag('js/privatebin.js', 'defer'); ?>
 		<!-- icon -->

tst/Bootstrap.php

@@ -341,7 +341,7 @@ class Helper
      */
     public static function updateSubresourceIntegrity(): void
     {
-        foreach (new GlobIterator(PATH . 'js' . DIRECTORY_SEPARATOR . '*.js') as $file) {
+        foreach (new GlobIterator(PATH . 'js' . DIRECTORY_SEPARATOR . '*.*js') as $file) {
             if ($file->getBasename() === 'common.js' || $file->getBasename() === 'eslint.config.js') {
                 continue; // ignore JS unit test bootstrap
             }