author | El RIDO <[email protected]> | 2022-03-27 08:27:24 +0200 |
committer | El RIDO <[email protected]> | 2022-03-27 08:27:24 +0200 |
commit | 75dc346f0fbe81c843ab0aadbfc697ded33c14bd (patch) | |
tree | 1fd5eba2f56760ded74aa8b92c5e4a94cf36b297 | |
parent | 36cb37c02963ca822903d571c97c9a6004c79746 (diff) | |
be more specific on the base type match and less specific on the subtype, in order to fail safe (avoid being tricked into not sanitizing — the MIME type is user-provided input)
-rw-r--r-- | js/privatebin.js | 8 | ||||
-rw-r--r-- | tpl/bootstrap.php | 2 | ||||
-rw-r--r-- | tpl/page.php | 2 |
3 files changed, 6 insertions, 6 deletions
diff --git a/js/privatebin.js b/js/privatebin.js
index a1308620..5f61de13 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -2843,7 +2843,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 // prevents executing embedded scripts when CSP is not set and user
 // right-clicks/long-taps and opens the SVG in a new tab - prevented
 // in the preview by use of an img tag, which disables scripts, too
- if (mimeType.match(/image\/svg/i)) {
+ if (mimeType.match(/^image\/.*svg/i)) {
 const sanitizedData = DOMPurify.sanitize(
 decodedData,
 purifySvgConfig
@@ -3072,13 +3072,13 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 me.handleBlobAttachmentPreview = function ($targetElement, blobUrl, mimeType) {
 if (blobUrl) {
 attachmentHasPreview = true;
- if (mimeType.match(/image\//i)) {
+ if (mimeType.match(/^image\//i)) {
 $targetElement.html(
 $(document.createElement('img'))
 .attr('src', blobUrl)
 .attr('class', 'img-thumbnail')
 );
- } else if (mimeType.match(/video\//i)) {
+ } else if (mimeType.match(/^video\//i)) {
 $targetElement.html(
 $(document.createElement('video'))
 .attr('controls', 'true')
@@ -3089,7 +3089,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 .attr('type', mimeType)
 .attr('src', blobUrl))
 );
- } else if (mimeType.match(/audio\//i)) {
+ } else if (mimeType.match(/^audio\//i)) {
 $targetElement.html(
 $(document.createElement('audio'))
 .attr('controls', 'true')
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index 7fe82e04..e044bbb4 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
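Review bot: The new `/^image\/.*svg/i` on the sanitize branch in the first hunk encodes a deliberate fail-safe policy (anchor the base type, accept any subtype that contains svg) that the comment directly above it does not mention, so a later maintainer may "tighten" it back to `image/svg` and reopen the gap this commit closes. Extend that comment with a line such as `// base type is anchored, subtype kept loose (svg, svg+xml, ...): mimeType is user input, so unknown variants must still be sanitized`, and note the same rationale once for the `^image\/`, `^video\/` and `^audio\/` anchors in handleBlobAttachmentPreview. Since all four regexes are used only for their boolean result, `/^image\/.*svg/i.test(mimeType)` reads more directly than `mimeType.match(...)`, which builds a match array that is discarded. Anchoring does not normalise the string itself; if mimeType is taken from a user-controlled data URL without trimming, applying one `trim()` before both the sanitize check and the preview dispatch would keep the two decisions consistent — confirm where it is parsed. The function enclosing the first hunk starts outside it, and handleBlobAttachmentPreview continues past the last hunk.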
@@ -73,7 +73,7 @@ endif; ?>
 <script type="text/javascript" data-cfasync="false" src="js/purify-2.3.6.js" integrity="sha512-N1GGPjbqLbwK821ZN7C925WuTwU4aDxz2CEEOXQ6/s6m6MBwVj8fh5fugiE2hzsm0xud3q7jpjZQ4ILnpMREYQ==" crossorigin="anonymous"></script>
 <script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script>
- <script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-xdu6IjnYpAF3x74lr5/SLuZSPoWD2Imc/GBZvsIhiUSRltwR734fEMRBrGUEdAzZpAdeIt3sOOZqwPAdYpM31Q==" crossorigin="anonymous"></script>
+ <script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-xwttv41FsiFPAKh5r/rq3FGUpcnOaV/Flzg91OIpUz60t1gjE3JRke3YwcHGUm3FrQWahba5/RAqVLYkUvtpFg==" crossorigin="anonymous"></script>
 <!-- icon -->
 <link rel="apple-touch-icon" href="<?php echo I18n::encode($BASEPATH); ?>img/apple-touch-icon.png" sizes="180x180" />
 <link rel="icon" type="image/png" href="img/favicon-32x32.png" sizes="32x32" />
diff --git a/tpl/page.php b/tpl/page.php
index 5823f71b..20792551 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -51,7 +51,7 @@ endif; ?>
 <script type="text/javascript" data-cfasync="false" src="js/purify-2.3.6.js" integrity="sha512-N1GGPjbqLbwK821ZN7C925WuTwU4aDxz2CEEOXQ6/s6m6MBwVj8fh5fugiE2hzsm0xud3q7jpjZQ4ILnpMREYQ==" crossorigin="anonymous"></script>
 <script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script>
- <script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-xdu6IjnYpAF3x74lr5/SLuZSPoWD2Imc/GBZvsIhiUSRltwR734fEMRBrGUEdAzZpAdeIt3sOOZqwPAdYpM31Q==" crossorigin="anonymous"></script>
+ <script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-xwttv41FsiFPAKh5r/rq3FGUpcnOaV/Flzg91OIpUz60t1gjE3JRke3YwcHGUm3FrQWahba5/RAqVLYkUvtpFg==" crossorigin="anonymous"></script>
 <!-- icon -->
 <link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
 <link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" /> |