PacketFire / paste-click

Paste text, images, video or any file
http://paste.click

Sanitize syntax highlighting #70

Open bramz opened 5 years ago

bramz commented 5 years ago

When viewing uploaded data with syntax highlighting via /s/ route, data is not being sanitized properly.

To replicate, upload code with embedded HTML tags and view it with the syntax highlighting route.

```javascript
complete: function(token) {
  $html = ['<div class="misc-done">',
    '<label for="url">The URL!</label><input type="text" name="url" class="inside url" value="',
    document.location.href + token.responseJSON.token,
    '" />',
    '</div>'
  ].join('');
```

Example (screenshot)

bramz commented 5 years ago

This is similar to the bug in #56; however, the hotfix for that does not apply here, and characters will need to be escaped/sanitized properly.
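The escaping the two comments above ask for, as an added example that is not paste-click's code: a minimal highlighter in its buggy form (markup added to the raw upload) beside the hardened form (HTML metacharacters escaped before any highlight markup is added). The keyword set, the `highlightUnsafe`/`highlightSafe` names and the sample input are all assumptions constructed for this illustration.

```javascript
// Added example (not paste-click's code): escape HTML metacharacters before
// wrapping tokens in highlight markup, so uploaded text is shown, not rendered.

// Assumed, minimal keyword set; a real highlighter would use a proper lexer.
const KEYWORDS = /\b(function|var|const|let|return|if|else)\b/g;

// Escape the five characters that can change HTML structure or attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Buggy form: highlight markup is added directly to the raw upload, so any
// tag inside the paste becomes live HTML when the /s/ page is viewed.
function highlightUnsafe(source) {
  return '<pre class="highlight">' +
    source.replace(KEYWORDS, '<span class="kw">$1</span>') +
    '</pre>';
}

// Hardened form: escape first, then add markup. The only tags in the result
// are the ones this function emits itself.
function highlightSafe(source) {
  return '<pre class="highlight">' +
    escapeHtml(source).replace(KEYWORDS, '<span class="kw">$1</span>') +
    '</pre>';
}

// Constructed sample resembling the snippet attached to the issue.
const SAMPLE = 'complete: function(token) {\n' +
  '  $html = [\'<div class="misc-done">\', \'<label for="url">The URL!</label>\'].join(\'\');\n' +
  '}';

// Check used to verify that rendered output carries no tag from the input.
function leaksInputTags(rendered) {
  return /<(div|label|input|script)\b/i.test(rendered);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(highlightSafe(SAMPLE));
}
```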