XSS flaw correction

With a client IE < 10 there was a XSS security flaw. Other browsers were
not affected.
Also corrected spacing display with IE<10.

Author: sebsauvage

CHANGELOG.md

@@ -63,5 +63,7 @@
     * ADDED: Better json checking (including entropy).
     * ADDED: Added version to js/css assets URLs in order to prevent some abusive caches to serve an obsolete version of these files when ZeroBin is upgraded.
     * "Burn after reading" option has been moved out of Expiration combo to a separate checkbox. Reason is: You can prevent a read-once paste to be available ad vitam eternam on the net.
-
+  * **Alpha 0.19 (2013-07-05)**:
+    * Corrected XSS security flaw which affected IE<10. Other browsers were not affected.
+    * Corrected spacing display in IE<10.
 

README.md

@@ -1,4 +1,4 @@
-ZeroBin 0.18 Alpha
+ZeroBin 0.19 Alpha
 
 ==== THIS IS ALPHA SOFTWARE - USE AT YOUR OWN RISKS ====
 

css/zerobin.css

@@ -1,4 +1,4 @@
-/* ZeroBin 0.18 - http://sebsauvage.net/wiki/doku.php?id=php:zerobin */
+/* ZeroBin 0.19 - http://sebsauvage.net/wiki/doku.php?id=php:zerobin */
 
 
 /*  CSS Reset from YUI 3.4.1 (build 4118) - Copyright 2011 Yahoo! Inc. All rights reserved.

index.php

@@ -3,7 +3,7 @@
 ZeroBin - a zero-knowledge paste bin
 Please see project page: http://sebsauvage.net/wiki/doku.php?id=php:zerobin
 */
-$VERSION='Alpha 0.18';
+$VERSION='Alpha 0.19';
 if (version_compare(PHP_VERSION, '5.2.6') < 0) die('ZeroBin requires php 5.2.6 or above to work. Sorry.');
 require_once "lib/serversalt.php";
 require_once "lib/vizhash_gd_zero.php";

js/zerobin.js

@@ -1,5 +1,5 @@
 /**
- * ZeroBin 0.18
+ * ZeroBin 0.19
  *
  * @link http://sebsauvage.net/wiki/doku.php?id=php:zerobin
  * @author sebsauvage
@@ -147,6 +147,9 @@ function pasteID() {
     return window.location.search.substring(1);
 }
 
+function htmlEntities(str) {
+    return String(str).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
+}
 /**
  * Set text of a DOM element (required for IE)
  * This is equivalent to element.text(text)
@@ -157,8 +160,8 @@ function setElementText(element, text) {
     // For IE<10.
     if ($('div#oldienotice').is(":visible")) {
         // IE<10 does not support white-space:pre-wrap; so we have to do this BIG UGLY STINKING THING.
-        element.text(text.replace(/\n/ig,'{BIG_UGLY_STINKING_THING__OH_GOD_I_HATE_IE}'));
-        element.html(element.text().replace(/{BIG_UGLY_STINKING_THING__OH_GOD_I_HATE_IE}/ig,"\r\n<br>"));
+        var html = htmlEntities(text).replace(/\n/ig,"\r\n<br>");
+        element.html('<pre>'+html+'</pre>');
     }
     // for other (sane) browsers:
     else {

lib/vizhash_gd_zero.php

@@ -1,5 +1,5 @@
 <?php
-// VizHash_GD 0.0.4 beta ZeroBin 0.18
+// VizHash_GD 0.0.4 beta ZeroBin 0.19
 // Visual Hash implementation in php4+GD, stripped down and modified version for ZeroBin
 // See: http://sebsauvage.net/wiki/doku.php?id=php:vizhash_gd
 // This is free software under the zlib/libpng licence