From 28813cd82ae47e556b610da3c7302a6709e27431 Mon Sep 17 00:00:00 2001
From: Sebastien SAUVAGE
Date: Fri, 5 Jul 2013 01:14:23 +0200
Subject: [PATCH] XSS flaw correction

With a client IE < 10 there was a XSS security flaw. Other browsers were not affected. Also corrected spacing display with IE<10.
---
 CHANGELOG.md | 4 +++-
 README.md | 2 +-
 css/zerobin.css | 2 +-
 index.php | 2 +-
 js/zerobin.js | 9 ++++++---
 lib/vizhash_gd_zero.php | 2 +-
 6 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9a4448c1..a63a1e76 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -63,5 +63,7 @@
 * ADDED: Better json checking (including entropy).
 * ADDED: Added version to js/css assets URLs in order to prevent some abusive caches to serve an obsolete version of these files when ZeroBin is upgraded.
 * "Burn after reading" option has been moved out of Expiration combo to a separate checkbox. Reason is: You can prevent a read-once paste to be available ad vitam eternam on the net.
-
+ * **Alpha 0.19 (2013-07-05)**:
+ * Corrected XSS security flaw which affected IE<10. Other browsers were not affected.
+ * Corrected spacing display in IE<10.
diff --git a/README.md b/README.md
index 3a1617c1..b9834d90 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-ZeroBin 0.18 Alpha
+ZeroBin 0.19 Alpha
 ====
 THIS IS ALPHA SOFTWARE - USE AT YOUR OWN RISKS
 ====
diff --git a/css/zerobin.css b/css/zerobin.css
index 29418263..2bd230bb 100644
--- a/css/zerobin.css
+++ b/css/zerobin.css
@@ -1,4 +1,4 @@
-/* ZeroBin 0.18 - http://sebsauvage.net/wiki/doku.php?id=php:zerobin */
+/* ZeroBin 0.19 - http://sebsauvage.net/wiki/doku.php?id=php:zerobin */
 /* CSS Reset from YUI 3.4.1 (build 4118) - Copyright 2011 Yahoo! Inc. All rights reserved.
diff --git a/index.php b/index.php
index 7f149a70..062b71a8 100644
--- a/index.php
+++ b/index.php
@@ -3,7 +3,7 @@
 ZeroBin - a zero-knowledge paste bin
 Please see project page: http://sebsauvage.net/wiki/doku.php?id=php:zerobin
 */
-$VERSION='Alpha 0.18';
+$VERSION='Alpha 0.19';
 if (version_compare(PHP_VERSION, '5.2.6') < 0) die('ZeroBin requires php 5.2.6 or above to work. Sorry.');
 require_once "lib/serversalt.php";
 require_once "lib/vizhash_gd_zero.php";
diff --git a/js/zerobin.js b/js/zerobin.js
index c6952420..a9b6c1d9 100644
--- a/js/zerobin.js
+++ b/js/zerobin.js
@@ -1,5 +1,5 @@
 /**
- * ZeroBin 0.18
+ * ZeroBin 0.19
 *
 * @link http://sebsauvage.net/wiki/doku.php?id=php:zerobin
 * @author sebsauvage
@@ -147,6 +147,9 @@ function pasteID() {
 return window.location.search.substring(1);
 }
+function htmlEntities(str) {
+ return String(str).replace(/&/g, '&').replace(//g, '>').replace(/"/g, '"');
+}
 /**
 * Set text of a DOM element (required for IE)
 * This is equivalent to element.text(text)
@@ -157,8 +160,8 @@ function setElementText(element, text) {
 // For IE<10.
 if ($('div#oldienotice').is(":visible")) {
 // IE<10 does not support white-space:pre-wrap; so we have to do this BIG UGLY STINKING THING.
- element.text(text.replace(/\n/ig,'{BIG_UGLY_STINKING_THING__OH_GOD_I_HATE_IE}'));
- element.html(element.text().replace(/{BIG_UGLY_STINKING_THING__OH_GOD_I_HATE_IE}/ig,"\r\n
"));
+    var html = htmlEntities(text).replace(/\n/ig,"\r\n
");
+ element.html('
'+html+'
');
 }
 // for other (sane) browsers:
 else {
diff --git a/lib/vizhash_gd_zero.php b/lib/vizhash_gd_zero.php
index 0e2ae735..fcee46f0 100644
--- a/lib/vizhash_gd_zero.php
+++ b/lib/vizhash_gd_zero.php
@@ -1,5 +1,5 @@
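Review bot: `htmlEntities` in the @@ -147 hunk is added without a header comment, although the neighbouring `setElementText` carries a `/** ... */` block and this function is now the only escaping step before the `element.html(...)` call in the IE<10 branch, so its contract should be written down for later callers. Suggested header: `/** Escape &, <, > and " so str can be placed in element content via .html(); str is coerced with String(). Not for single-quoted attribute values (' is untouched); do not pass already-escaped text, it would be double-escaped. */`. The replacement strings appear entity-decoded in this rendering (e.g. `'&'` for the `&` step) and the `<`/`>` steps are partly eaten, so their exact values cannot be verified from this page; the visible chain order, with `&` handled first, is the one that is required. As a minor point of style, the `i` flag on `/\n/ig` has no effect on a newline literal and could be dropped. `setElementText` continues past the end of the hunk.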