diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5b445c64..0aae3a3d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -63,4 +63,7 @@
* ADDED: Better json checking (including entropy).
* ADDED: Added version to js/css assets URLs in order to prevent some abusive caches to serve an obsolete version of these files when ZeroBin is upgraded.
* "Burn after reading" option has been moved out of Expiration combo to a separate checkbox. Reason is: You can prevent a read-once paste to be available ad vitam eternam on the net.
+ * **Alpha 0.19 (2013-07-05)**:
+ * Corrected XSS security flaw which affected IE<10. Other browsers were not affected.
+ * Corrected spacing display in IE<10.
diff --git a/README.md b/README.md
index 3a1617c1..b9834d90 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-ZeroBin 0.18 Alpha
+ZeroBin 0.19 Alpha
==== THIS IS ALPHA SOFTWARE - USE AT YOUR OWN RISKS ====
diff --git a/css/zerobin.css b/css/zerobin.css
index 1dff3185..4fd66fbe 100644
--- a/css/zerobin.css
+++ b/css/zerobin.css
@@ -1,4 +1,4 @@
-/* ZeroBin 0.18 - http://sebsauvage.net/wiki/doku.php?id=php:zerobin */
+/* ZeroBin 0.19 - http://sebsauvage.net/wiki/doku.php?id=php:zerobin */
/* CSS Reset from YUI 3.4.1 (build 4118) - Copyright 2011 Yahoo! Inc. All rights reserved.
diff --git a/index.php b/index.php
index a2b8e083..f4ba4dd8 100644
--- a/index.php
+++ b/index.php
@@ -7,7 +7,7 @@
* @link http://sebsauvage.net/wiki/doku.php?id=php:zerobin
* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
* @license http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version 0.18
+ * @version 0.19
*/
// change this, if your php files and data is outside of your webservers document root
diff --git a/js/zerobin.js b/js/zerobin.js
index 8e5fe731..4d5f64aa 100644
--- a/js/zerobin.js
+++ b/js/zerobin.js
@@ -6,7 +6,7 @@
* @link http://sebsauvage.net/wiki/doku.php?id=php:zerobin
* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
* @license http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version 0.18
+ * @version 0.19
*/
// Immediately start random number generator collector.
@@ -152,6 +152,9 @@ function pasteID() {
return window.location.search.substring(1);
}
+function htmlEntities(str) {
+ return String(str).replace(/&/g, '&').replace(//g, '>').replace(/"/g, '"');
+}
/**
* Set text of a DOM element (required for IE)
* This is equivalent to element.text(text)
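Review bot: As rendered here, the replacement strings of `htmlEntities` have lost their entity names (`'&'`, `'>'`, `'"'`) and one pattern reads `//g`, which JavaScript would parse as the start of a line comment, so the line as shown is not what can have been committed; this looks like the page's HTML rendering stripping `&amp;`/`&lt;`/`&gt;`/`&quot;`, but the committed line should be checked to confirm it replaces `&` first and then `<`, `>` and `"`, since any other order double-encodes or leaves a gap. The function carries no comment stating what it guarantees, although `setElementText` in the next hunk concatenates its output with markup before calling `.html()`; I would add above it `// Escape &, <, > and " so str can be concatenated into an HTML string. & must be replaced first.` The name suggests a general encoder, while the visible chain covers only the characters needed for element text content, not attribute or URL contexts, which is worth saying in that comment so it is not reused elsewhere.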
@@ -162,8 +165,8 @@ function setElementText(element, text) {
// For IE<10.
if ($('div#oldienotice').is(":visible")) {
// IE<10 does not support white-space:pre-wrap; so we have to do this BIG UGLY STINKING THING.
- element.text(text.replace(/\n/ig,'{BIG_UGLY_STINKING_THING__OH_GOD_I_HATE_IE}'));
- element.html(element.text().replace(/{BIG_UGLY_STINKING_THING__OH_GOD_I_HATE_IE}/ig,"\n
"));
+ var html = htmlEntities(text).replace(/\n/ig,"\r\n
");
+ element.html('
'+html+'');
}
// for other (sane) browsers:
else {
diff --git a/lib/auto.php b/lib/auto.php
index 42ae9e64..7c754212 100644
--- a/lib/auto.php
+++ b/lib/auto.php
@@ -7,7 +7,7 @@
* @link http://sebsauvage.net/wiki/doku.php?id=php:zerobin
* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
* @license http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version 0.18
+ * @version 0.19
*/
spl_autoload_register('auto::loader');
diff --git a/lib/filter.php b/lib/filter.php
index 5380f7e7..623b8bb3 100644
--- a/lib/filter.php
+++ b/lib/filter.php
@@ -7,7 +7,7 @@
* @link http://sebsauvage.net/wiki/doku.php?id=php:zerobin
* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
* @license http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version 0.18
+ * @version 0.19
*/
/**
diff --git a/lib/persistence.php b/lib/persistence.php
index 44483f76..2b145435 100644
--- a/lib/persistence.php
+++ b/lib/persistence.php
@@ -7,7 +7,7 @@
* @link http://sebsauvage.net/wiki/doku.php?id=php:zerobin
* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
* @license http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version 0.18
+ * @version 0.19
*/
/**
diff --git a/lib/serversalt.php b/lib/serversalt.php
index 28b81697..c207df14 100644
--- a/lib/serversalt.php
+++ b/lib/serversalt.php
@@ -7,7 +7,7 @@
* @link http://sebsauvage.net/wiki/doku.php?id=php:zerobin
* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
* @license http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version 0.18
+ * @version 0.19
*/
/**
diff --git a/lib/sjcl.php b/lib/sjcl.php
index 139e91d5..fb572415 100644
--- a/lib/sjcl.php
+++ b/lib/sjcl.php
@@ -7,7 +7,7 @@
* @link http://sebsauvage.net/wiki/doku.php?id=php:zerobin
* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
* @license http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version 0.18
+ * @version 0.19
*/
/**
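Review bot: The added `var html` / `element.html(...)` lines build an HTML string from paste text, so the whole IE<10 branch is only safe because `htmlEntities(text)` runs before the newline replacement inserts markup (rendered here as a line break; presumably a `<br>` tag) — the order is right, but nothing records that invariant for whoever edits this branch next. I would add above the `var html` line: `// text is untrusted: escape it BEFORE concatenating any markup, otherwise the XSS fixed in 0.19 returns.` The `i` flag on `/\n/ig` has no effect on a newline pattern and can be dropped. `setElementText` begins before this hunk and its `else` branch continues past it.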
diff --git a/lib/trafficlimiter.php b/lib/trafficlimiter.php
index 7d9b18eb..89c98eef 100644
--- a/lib/trafficlimiter.php
+++ b/lib/trafficlimiter.php
@@ -7,7 +7,7 @@
* @link http://sebsauvage.net/wiki/doku.php?id=php:zerobin
* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
* @license http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version 0.18
+ * @version 0.19
*/
/**
diff --git a/lib/vizhash16x16.php b/lib/vizhash16x16.php
index b7145a49..fdd99cf0 100644
--- a/lib/vizhash16x16.php
+++ b/lib/vizhash16x16.php
@@ -8,7 +8,7 @@
* @link http://sebsauvage.net/wiki/doku.php?id=php:vizhash_gd
* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
* @license http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version 0.0.4 beta ZeroBin 0.18
+ * @version 0.0.4 beta ZeroBin 0.19
*/
/**
diff --git a/lib/zerobin.php b/lib/zerobin.php
index 17efa4fa..80f7d0a8 100644
--- a/lib/zerobin.php
+++ b/lib/zerobin.php
@@ -7,7 +7,7 @@
* @link http://sebsauvage.net/wiki/doku.php?id=php:zerobin
* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
* @license http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version 0.18
+ * @version 0.19
*/
/**
diff --git a/lib/zerobin/abstract.php b/lib/zerobin/abstract.php
index 9bf2fdcb..f8bc0632 100644
--- a/lib/zerobin/abstract.php
+++ b/lib/zerobin/abstract.php
@@ -7,7 +7,7 @@
* @link http://sebsauvage.net/wiki/doku.php?id=php:zerobin
* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
* @license http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version 0.18
+ * @version 0.19
*/
/**
diff --git a/lib/zerobin/data.php b/lib/zerobin/data.php
index 6b3195b3..7545f281 100644
--- a/lib/zerobin/data.php
+++ b/lib/zerobin/data.php
@@ -7,7 +7,7 @@
* @link http://sebsauvage.net/wiki/doku.php?id=php:zerobin
* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
* @license http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version 0.18
+ * @version 0.19
*/
/**
diff --git a/lib/zerobin/db.php b/lib/zerobin/db.php
index 21b5d66f..92ed3546 100644
--- a/lib/zerobin/db.php
+++ b/lib/zerobin/db.php
@@ -7,7 +7,7 @@
* @link http://sebsauvage.net/wiki/doku.php?id=php:zerobin
* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
* @license http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version 0.18
+ * @version 0.19
*/
/**