Merge branch 'experiment-showdown-2' of https://github.com/PrivateBin/PrivateBin into experiment-showdown-2

As in https://github.com/PrivateBin/PrivateBin/pull/892
To get to know what is bad...

USed DuckDuckGo's beautifier

CHANGELOG.md

@@ -1,23 +1,18 @@
 # PrivateBin version history
 
-  * **1.4 (2022-04-09)**
+  * **1.4 (not yet released)**
-    * ADDED: Translations for Corsican, Estonian, Finnish and Lojban
+    * ADDED: Translations for Estonian and Lojban
     * ADDED: new HTTP headers improving security (#765)
     * ADDED: Download button for paste text (#774)
     * ADDED: Opt-out of federated learning of cohorts (FLoC) (#776)
     * ADDED: Configuration option to exempt IPs from the rate-limiter (#787)
     * ADDED: Google Cloud Storage backend support (#795)
     * ADDED: Oracle database support (#868)
-    * ADDED: Configuration option to limit paste creation and commenting to certain IPs (#883)
-    * ADDED: Set CSP also as meta tag, to deal with misconfigured webservers mangling the HTTP header
-    * ADDED: Sanitize SVG preview, preventing script execution in instance context
     * CHANGED: Language selection cookie only transmitted over HTTPS (#472)
-    * CHANGED: Upgrading libraries to: base-x 4.0.0, bootstrap 3.4.1 (JS), DOMpurify 2.3.6, ip-lib 1.18.0, jQuery 3.6.0, random_compat 2.0.21, Showdown 2.0.3 & zlib 1.2.12
+    * CHANGED: Upgrading libraries to: base-x 4.0.0, DOMpurify 2.3.6, ip-lib 1.18.0, jQuery 3.6.0, random_compat 2.0.21 & Showdown 2.0.0
     * CHANGED: Removed automatic `.ini` configuration file migration (#808)
     * CHANGED: Removed configurable `dir` for `traffic` & `purge` limiters (#419)
     * CHANGED: Server salt, traffic and purge limiter now stored in the storage backend (#419)
-    * CHANGED: Drop support for attachment download in IE
-    * FIXED: Error when attachments are disabled, but paste with attachment gets displayed
   * **1.3.5 (2021-04-05)**
     * ADDED: Translations for Hebrew, Lithuanian, Indonesian and Catalan
     * ADDED: Make the project info configurable (#681)
@@ -60,7 +55,7 @@
     * FIXED: HTML injection via unescaped attachment filename (#554)
     * FIXED: Password disabling option (#527)
   * **1.2.2 (2020-01-11)**
-    * CHANGED: Upgrading libraries to: bootstrap 3.4.1 (CSS), DOMpurify 2.0.7, jQuery 3.4.1, kjua 0.6.0, Showdown 1.9.1 & SJCL 1.0.8
+    * CHANGED: Upgrading libraries to: bootstrap 3.4.1, DOMpurify 2.0.7, jQuery 3.4.1, kjua 0.6.0, Showdown 1.9.1 & SJCL 1.0.8
     * FIXED: HTML injection via unescaped attachment filename (#554)
   * **1.3.1 (2019-09-22)**
     * ADDED: Translation for Bulgarian (#455)

CREDITS.md

@@ -2,17 +2,18 @@
 
 ## Active contributors
 
-* Simon Rupf - current developer and maintainer
+Simon Rupf - current developer and maintainer  
-* rugk - security review, doc improvment, JS refactoring & various other stuff
+rugk - security review, doc improvment, JS refactoring & various other stuff  
-* R4SAS - python client, compression, blob URI to support larger attachments
+R4SAS - python client, compression, blob URI to support larger attachments
 
 ## Past contributions
 
-* Sébastien Sauvage - original idea and main developer
+Sébastien Sauvage - original idea and main developer
+
 * Alexey Gladkov - syntax highlighting
 * Greg Knaddison - robots.txt
 * MrKooky - HTML5 markup, CSS cleanup
-* Simon Rupf - WebCrypto, unit tests, container images, database backend, MVC, configuration, i18n
+* Simon Rupf - WebCrypto, unit tests, containers images, database backend, MVC, configuration, i18n
 * Hexalyse - Password protection
 * Viktor Stanchev - File upload support
 * azlux - Tab character input support
@@ -54,5 +55,3 @@
 * retiolus - Catalan
 * sarnane - Estonian
 * foxsouns - Lojban
-* Patriccollu di Santa Maria è Sichè - Corsican
-* Markus Mikkonen - Finnish

INSTALL.md

@@ -1,47 +1,39 @@
 # Installation
 
 **TL;DR:** Download the
-[latest release archive](https://github.com/PrivateBin/PrivateBin/releases/latest)
+[latest release archive](https://github.com/PrivateBin/PrivateBin/releases/latest) (with the link labelled as „Source code (…)“)
-(with the link labelled as "Source code (…)") and extract it in your web hosts
+and extract it in your web hosts folder where you want to install your PrivateBin
-folder where you want to install your PrivateBin instance. We try to provide a
+instance. We try to provide a mostly safe default configuration, but we urge you to
-mostly safe default configuration, but we urge you to check the
+check the [security section](#hardening-and-security) below and the [configuration
-[security section](#hardening-and-security) below and the
+options](#configuration) to adjust as you see fit.
-[configuration options](#configuration) to adjust as you see fit.
 
-**NOTE:** See our [FAQ entry on securely downloading release files](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#how-can-i-securely-clonedownload-your-project)
+**NOTE:** See [our FAQ](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#how-can-i-securely-clonedownload-your-project) for information how to securely download the PrivateBin release files.
-for more information.
 
-**NOTE:** There is a [ansible](https://ansible.com) role by @e1mo available to
+**NOTE:** There is a [ansible](https://ansible.com) role by @e1mo available to install and configure PrivateBin on your server. It's available on [ansible galaxy](https://galaxy.ansible.com/e1mo/privatebin) ([source code](https://git.sr.ht/~e1mo/ansible-role-privatebin)).
-install and configure PrivateBin on your server. It's available on
-[ansible galaxy](https://galaxy.ansible.com/e1mo/privatebin)
-([source code](https://git.sr.ht/~e1mo/ansible-role-privatebin)).
 
-### Minimal Requirements
+### Minimal requirements
 
 - PHP version 7.0 or above
-  - Or PHP version 5.6 AND _one_ of the following sources of cryptographically
+  - Or PHP version 5.6 AND _one_ of the following sources of cryptographically safe randomness:
-    safe randomness:
+    - [Libsodium](https://download.libsodium.org/libsodium/content/installation/) and it's [PHP extension](https://paragonie.com/book/pecl-libsodium/read/00-intro.md#installing-libsodium)
-    - [Libsodium](https://download.libsodium.org/libsodium/content/installation/)
+    - open_basedir access to `/dev/urandom`
-      and it's [PHP extension](https://paragonie.com/book/pecl-libsodium/read/00-intro.md#installing-libsodium)
+    - mcrypt extension (mcrypt needs to be able to access `/dev/urandom`. This means if `open_basedir` is set, it must include this file.)
-    - `open_basedir` access to `/dev/urandom`
-    - mcrypt extension AND `open_basedir` access to `/dev/urandom`
     - com_dotnet extension
 - GD extension
 - zlib extension
-- some disk space or a database supported by [PDO](https://php.net/manual/book.pdo.php)
+- some disk space or (optionally) a database supported by [PDO](https://php.net/manual/book.pdo.php)
-- ability to create files and folders in the installation directory and the PATH
+- ability to create files and folders in the installation directory and the PATH defined in index.php
-  defined in index.php
+- A web browser with JavaScript support
-- A web browser with JavaScript and (optional) WebAssembly support
 
-## Hardening and Security
+## Hardening and security
 
-### Changing the Path
+### Changing the path
 
-In the index.php you can define a different `PATH`. This is useful to secure
+In the index.php you can define a different `PATH`. This is useful to secure your
-your installation. You can move the configuration, data files, templates and PHP
+installation. You can move the configuration, data files, templates and PHP
 libraries (directories cfg, doc, data, lib, tpl, tst and vendor) outside of your
-document root. This new location must still be accessible to your webserver and
+document root. This new location must still be accessible to your webserver / PHP
-PHP process (see also
+process (see also
 [open_basedir setting](https://secure.php.net/manual/en/ini.core.php#ini.open-basedir)).
 
 > #### PATH Example
@@ -50,25 +42,24 @@ PHP process (see also
 > http://example.com/paste/
 >
 > The full path of PrivateBin on your webserver is:
-> /srv/example.com/htdocs/paste
+> /home/example.com/htdocs/paste
 >
 > When setting the path like this:
 > define('PATH', '../../secret/privatebin/');
 >
-> PrivateBin will look for your includes and data here:
+> PrivateBin will look for your includes / data here:
-> /srv/example.com/secret/privatebin
+> /home/example.com/secret/privatebin
 
 ### Changing the config path only
 
 In situations where you want to keep the PrivateBin static files separate from the
 rest of your data, or you want to reuse the installation files on multiple vhosts,
-you may only want to change the `conf.php`. In this case, you can set the
+you may only want to change the `conf.php`. In this instance, you can set the
 `CONFIG_PATH` environment variable to the absolute path to the `conf.php` file.
 This can be done in your web server's virtual host config, the PHP config, or in
-the index.php, if you choose to customize it.
+the index.php if you choose to customize it.
 
-Note that your PHP process will need read access to the configuration file,
+Note that your PHP process will need read access to the config wherever it may be.
-wherever it may be.
 
 > #### CONFIG_PATH example
 > Setting the value in an Apache Vhost:
@@ -82,27 +73,23 @@ wherever it may be.
 
 ### Transport security
 
-When setting up PrivateBin, also set up HTTPS, if you haven't already. Without
+When setting up PrivateBin, also set up HTTPS, if you haven't already. Without HTTPS
-HTTPS PrivateBin is not secure, as the JavaScript or WebAssembly files could be
+PrivateBin is not secure, as the JavaScript files could be manipulated during transmission.
-manipulated during transmission. For more information on this, see our
+For more information on this, see our [FAQ entry on HTTPS setup](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#how-should-i-setup-https).
-[FAQ entry on HTTPS setup recommendations](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#how-should-i-setup-https).
 
 ### File-level permissions
 
-After completing the installation, you should make sure, that other users on the
+After completing the installation, you should make sure, other users on the system cannot read the config file or the `data/` directory, as – depending on your configuration – potential secret information are saved there.
-system cannot read the config file or the `data/` directory, as – depending on
-your configuration – potentially sensitive information may be stored in there.
 
-See our [FAQ entry on permissions](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#what-are-the-recommended-file-and-folder-permissions-for-privatebin)
+See [this FAQ item](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#what-are-the-recommended-file-and-folder-permissions-for-privatebin) for a detailed guide on how to "harden" the permissions of files and folders.
-for a detailed guide on how to "harden" access to files and folders.
 
 ## Configuration
 
 In the file `cfg/conf.php` you can configure PrivateBin. A `cfg/conf.sample.php`
-is provided containing all options and their default values. You can copy it to
+is provided containing all options and default values. You can copy it to
-`cfg/conf.php` and change it as needed. Alternatively you can copy it anywhere
+`cfg/conf.php` and adapt it as needed. Alternatively you can copy it anywhere and
-and set the `CONFIG_PATH` environment variable (see above notes). The config
+set the `CONFIG_PATH` environment variable (see above notes). The config file is
-file is divided into multiple sections, which are enclosed in square brackets.
+divided into multiple sections, which are enclosed in square brackets.
 
 In the `[main]` section you can enable or disable the discussion feature, set
 the limit of stored pastes and comments in bytes. The `[traffic]` section lets
@@ -120,28 +107,28 @@ A `robots.txt` file is provided in the root dir of PrivateBin. It disallows all
 robots from accessing your pastes. It is recommend to place it into the root of
 your web directory if you have installed PrivateBin in a subdirectory. Make sure
 to adjust it, so that the file paths match your installation. Of course also
-adjust the file, if you already use a `robots.txt`.
+adjust the file if you already use a `robots.txt`.
 
 A `.htaccess.disabled` file is provided in the root dir of PrivateBin. It blocks
 some known robots and link-scanning bots. If you use Apache, you can rename the
 file to `.htaccess` to enable this feature. If you use another webserver, you
 have to configure it manually to do the same.
 
-### On using Cloudflare
+### When using Cloudflare
 
-If you want to use PrivateBin behind Cloudflare, make sure you have disabled the
+If you want to use PrivateBin behind Cloudflare, make sure you have disabled the Rocket
-Rocket loader and unchecked "Javascript" for Auto Minify, found in your domain
+loader and unchecked "Javascript" for Auto Minify, found in your domain settings,
-settings, under "Speed". More information can be found in our
+under "Speed". (More information
-[FAQ entry on Cloudflare related issues](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#user-content-how-to-make-privatebin-work-when-using-cloudflare-for-ddos-protection).
+[in this FAQ entry](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#user-content-how-to-make-privatebin-work-when-using-cloudflare-for-ddos-protection))
 
-### Using a Database Instead of Flat Files
+### Using a database instead of flat files
 
 In the configuration file the `[model]` and `[model_options]` sections let you
 configure your favourite way of storing the pastes and discussions on your
 server.
 
 `Filesystem` is the default model, which stores everything in files in the
-data folder. This is the recommended setup for most sites on single hosts.
+data folder. This is the recommended setup for most sites.
 
 Under high load, in distributed setups or if you are not allowed to store files
 locally, you might want to switch to the `Database` model. This lets you
@@ -155,26 +142,21 @@ to use a prefix for
 The table prefix option is called `tbl`.
 
 > #### Note
-> The `Database` model has only been tested with SQLite, MariaDB/MySQL and
+> The `Database` model has only been tested with SQLite, MySQL and PostgreSQL,
-> PostgreSQL, although it would not be recommended to use SQLite in a production
+> although it would not be recommended to use SQLite in a production environment.
-> environment. If you gain any experience running PrivateBin on other RDBMS,
+> If you gain any experience running PrivateBin on other RDBMS, please let us
-> please let us know.
+> know.
 
-The following GRANTs (privileges) are required for the PrivateBin user in
+The following GRANTs (privileges) are required for the PrivateBin user in **MySQL**. In normal operation:
-**MariaDB/MySQL**. In normal operation:
 - INSERT, SELECT, DELETE on the paste and comment tables
 - SELECT on the config table
 
-If you want PrivateBin to handle table creation (when you create the first paste)
+If you want PrivateBin to handle table creation (when you create the first paste) and updates (after you update PrivateBin to a new release), you need to give the user these additional privileges:
-and updates (after you update PrivateBin to a new release), you need to give the
-user these additional privileges:
 - CREATE, INDEX and ALTER on the database
 - INSERT and UPDATE on the config table
 
-For reference or if you want to create the table schema for yourself to avoid
+For reference or if you want to create the table schema for yourself to avoid having to give PrivateBin too many permissions (replace
-having to give PrivateBin too many permissions (replace `prefix_` with your own
+`prefix_` with your own table prefix and create the table schema with your favourite MySQL console):
-table prefix and create the table schema with your favourite MariaDB/MySQL
-client):
 
 ```sql
 CREATE TABLE prefix_paste (
@@ -205,7 +187,7 @@ CREATE INDEX parent ON prefix_comment(pasteid);
 CREATE TABLE prefix_config (
     id CHAR(16) NOT NULL, value TEXT, PRIMARY KEY (id)
 );
-INSERT INTO prefix_config VALUES('VERSION', '1.4.0');
+INSERT INTO prefix_config VALUES('VERSION', '1.3.5');
 ```
 
 In **PostgreSQL**, the `data`, `attachment`, `nickname` and `vizhash` columns
@@ -217,11 +199,11 @@ to be `CLOB` and not `BLOB` or `MEDIUMBLOB`, the `id` column in the `config`
 table needs to be `VARCHAR2(16)` and the `meta` column in the `paste` table
 and the `value` column in the `config` table need to be `VARCHAR2(4000)`.
 
-#### Using Google Cloud Storage
+### Using Google Cloud Storage
 If you want to deploy PrivateBin in a serverless manner in the Google Cloud, you
 can choose the `GoogleCloudStorage` as backend. To use this backend, you create
 a GCS bucket and specify the name as the model option `bucket`. Alternatively,
-you can set the name through the environment variable `PRIVATEBIN_GCS_BUCKET`.
+you can set the name through the environment variable PASTEBIN_GCS_BUCKET.
 
 The default prefix for pastes stored in the bucket is `pastes`. To change the
 prefix, specify the option `prefix`.

Makefile

@@ -1,7 +1,7 @@
 .PHONY: all coverage coverage-js coverage-php doc doc-js doc-php increment sign test test-js test-php help
 
-CURRENT_VERSION = 1.4.0
+CURRENT_VERSION = 1.3.5
-VERSION ?= 1.4.1
+VERSION ?= 1.3.6
 VERSION_FILES = index.php cfg/ *.md css/ i18n/ img/ js/package.json js/privatebin.js lib/ Makefile tpl/ tst/
 REGEX_CURRENT_VERSION := $(shell echo $(CURRENT_VERSION) | sed "s/\./\\\./g")
 REGEX_VERSION := $(shell echo $(VERSION) | sed "s/\./\\\./g")
@@ -33,13 +33,12 @@ increment: ## Increment and commit new version number, set target version using
 	do \
 		sed -i "s/$(REGEX_CURRENT_VERSION)/$(REGEX_VERSION)/g" $$F; \
 	done
-	cd tst && phpunit --no-coverage && cd ..
+	git add $(VERSION_FILES)
-	git add $(VERSION_FILES) tpl/
 	git commit -m "incrementing version"
 
 sign: ## Sign a release.
 	git tag $(VERSION)
-	git push origin $(VERSION)
+	git push --tags
 	signrelease.sh
 
 test: test-js test-php ## Run all unit tests.

README.md

@@ -1,27 +1,25 @@
 # [![PrivateBin](https://cdn.rawgit.com/PrivateBin/assets/master/images/preview/logoSmall.png)](https://privatebin.info/)
 
-*Current version: 1.4.0*
+*Current version: 1.3.5*
 
-**PrivateBin** is a minimalist, open source online
+**PrivateBin** is a minimalist, open source online [pastebin](https://en.wikipedia.org/wiki/Pastebin)
-[pastebin](https://en.wikipedia.org/wiki/Pastebin)
 where the server has zero knowledge of pasted data.
 
-Data is encrypted and decrypted in the browser using 256bit AES in
+Data is encrypted and decrypted in the browser using 256bit AES in [Galois Counter mode](https://en.wikipedia.org/wiki/Galois/Counter_Mode).
-[Galois Counter mode](https://en.wikipedia.org/wiki/Galois/Counter_Mode).
 
 This is a fork of ZeroBin, originally developed by
-[Sébastien Sauvage](https://github.com/sebsauvage/ZeroBin). PrivateBin was
+[Sébastien Sauvage](https://github.com/sebsauvage/ZeroBin). ZeroBin was refactored
-refactored to allow easier and cleaner extensions and has many additional
+to allow easier and cleaner extensions. PrivateBin has many more features than the
-features. It is, however, still fully compatible to the original ZeroBin 0.19
+original ZeroBin. It is, however, still fully compatible to the original ZeroBin 0.19
 data storage scheme. Therefore, such installations can be upgraded to PrivateBin
 without losing any data.
 
 ## What PrivateBin provides
 
 + As a server administrator you don't have to worry if your users post content
-  that is considered illegal in your country. You have plausible deniability of
+  that is considered illegal in your country. You have no knowledge of any
-  any of the pastes content. If requested or enforced, you can delete any paste
+  of the pastes content. If requested or enforced, you can delete any paste from
-  from your system.
+  your system.
 
 + Pastebin-like system to store text documents, code samples, etc.
 
@@ -33,13 +31,13 @@ without losing any data.
 
 ## What it doesn't provide
 
-- As a user you have to trust the server administrator not to inject any
+- As a user you have to trust the server administrator not to inject any malicious
-  malicious code. For security, a PrivateBin installation *has to be used over*
+  javascript code.
-  *HTTPS*! Otherwise you would also have to trust your internet provider, and
+  For basic security, the PrivateBin installation *has to provide HTTPS*!
-  any jurisdiction the traffic passes through. Additionally the instance should
+  Otherwise you would also have to trust your internet provider, and any country
-  be secured by
+  the traffic passes through.
-  [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security). It can
+  Additionally the instance should be secured by
-  use traditional certificate authorities and/or use a
+  [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security). It can use traditional certificate authorities and/or use
   [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions)
   protected
   [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities)
@@ -47,17 +45,18 @@ without losing any data.
 
 - The "key" used to encrypt the paste is part of the URL. If you publicly post
   the URL of a paste that is not password-protected, anyone can read it.
-  Use a password if you want your paste to remain private. In that case, make
+  Use a password if you want your paste to be private. In this case, make sure to
-  sure to use a strong password and share it privately and end-to-end-encrypted.
+  use a strong password and only share it privately and end-to-end-encrypted.
 
-- A server admin can be forced to hand over access logs to the authorities.
+- A server admin might be forced to hand over access logs to the authorities.
   PrivateBin encrypts your text and the discussion contents, but who accessed a
   paste (first) might still be disclosed via access logs.
 
 - In case of a server breach your data is secure as it is only stored encrypted
-  on the server. However, the server could be absused or the server admin could
+  on the server. However, the server could be misused or the server admin could
-  be legally forced into sending malicious code to their users, which logs
+  be legally forced into sending malicious JavaScript to all web users, which
-  the decryption key and sends it to a server when a user accesses a paste.
+  grabs the decryption key and sends it to the server when a user accesses a
+  PrivateBin.  
   Therefore, do not access any PrivateBin instance if you think it has been
   compromised. As long as no user accesses this instance with a previously
   generated URL, the content can't be decrypted.
@@ -78,8 +77,8 @@ file](https://github.com/PrivateBin/PrivateBin/wiki/Configuration):
 * Syntax highlighting for source code using prettify.js, including 4 prettify
   themes
 
-* File upload support, image, media and PDF preview (disabled by default, size
+* File upload support, images get displayed (disabled by default, possibility
-  limit adjustable)
+  to adjust size limit)
 
 * Templates: By default there are bootstrap CSS, darkstrap and "classic ZeroBin"
   to choose from and it is easy to adapt these to your own websites layout or
@@ -90,7 +89,7 @@ file](https://github.com/PrivateBin/PrivateBin/wiki/Configuration):
 
 * Language selection (disabled by default, as it uses a session cookie)
 
-* QR code for paste URLs, to easily transfer them over to mobile devices
+* QR code generation of URL, to easily transfer pastes over to a mobile device
 
 ## Further resources
 

SECURITY.md

@@ -4,8 +4,8 @@
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 1.4.0   | :heavy_check_mark: |
+| 1.3.5   | :heavy_check_mark: |
-| < 1.4.0 | :x:                |
+| < 1.3.5 | :x:                |
 
 ## Reporting a Vulnerability
 

cfg/conf.sample.php

@@ -87,7 +87,7 @@ languageselection = false
 ;   async functions and display an error if not and for Chrome to enable
 ;   webassembly support (used for zlib compression). You can remove it if Chrome
 ;   doesn't need to be supported and old browsers don't need to be warned.
-; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
+; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval' resource:; style-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
 
 ; stay compatible with PrivateBin Alpha 0.19, less secure
 ; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of
@@ -135,17 +135,9 @@ markdown = "Markdown"
 ; Set this to 0 to disable rate limiting.
 limit = 10
 
-; (optional) Set IPs addresses (v4 or v6) or subnets (CIDR) which are exempted
+; Set ips (v4|v6) which should be exempted for the rate-limit. CIDR also supported. Needed to be comma separated.
-; from the rate-limit. Invalid IPs will be ignored. If multiple values are to
+; Unset for enabling and invalid values will be ignored
-; be exempted, the list needs to be comma separated. Leave unset to disable
+; eg: exemptedIp = '1.2.3.4,10.10.10/24'
-; exemptions.
-; exempted = "1.2.3.4,10.10.10/24"
-
-; (optional) If you want only some source IP addresses (v4 or v6) or subnets
-; (CIDR) to be allowed to create pastes, set these here. Invalid IPs will be
-; ignored. If multiple values are to be exempted, the list needs to be comma
-; separated. Leave unset to allow anyone to create pastes.
-; creators = "1.2.3.4,10.10.10/24"
 
 ; (optional) if your website runs behind a reverse proxy or load balancer,
 ; set the HTTP header containing the visitors IP address, i.e. X_FORWARDED_FOR

css/bootstrap/privatebin.css

@@ -6,7 +6,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.4.0
+ * @version   1.3.5
  */
 
 body {

css/noscript.css

@@ -6,7 +6,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.4.0
+ * @version   1.3.5
  */
 
 /* When there is no script at all other */

css/privatebin.css

@@ -6,7 +6,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.4.0
+ * @version   1.3.5
  */
 
 /*  CSS Reset from YUI 3.4.1 (build 4118) - Copyright 2011 Yahoo! Inc. All rights reserved.

i18n/ar.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste",
+    "Save paste": "Save paste"
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/bg.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste",
+    "Save paste": "Save paste"
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/ca.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste",
+    "Save paste": "Save paste"
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/co.json

@@ -1,190 +0,0 @@
-{
-    "PrivateBin": "PrivateBin",
-    "%s is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted %sin the browser%s using 256 bits AES.": "%s hè un serviziu in linea di tipu « pastebin » (ghjestiunariu d’appiccicu di pezzi di testu è di codice di fonte) minimalistu è à fonte aperta induve u servitore ùn hà micca cunnuscenza di i dati mandati. I dati sò cifrati è dicifrati %sin u navigatore%s cù una cifratura AES di 256 bit.",
-    "More information on the <a href=\"https://privatebin.info/\">project page</a>.": "Più d’infurmazione annant’à a <a href=\"https://privatebin.info/\">pagina di u prughjettu</a>.",
-    "Because ignorance is bliss": "Perchè l’ignurenza hè una campa",
-    "en": "co",
-    "Paste does not exist, has expired or has been deleted.": "L’appiccicu ùn esiste micca, hè scadutu o hè statu squassatu.",
-    "%s requires php %s or above to work. Sorry.": "Per disgrazzia, %s richiede php %s o più recente per funziunà.",
-    "%s requires configuration section [%s] to be present in configuration file.": "%s richiede a presenza di a sezzione di cunfigurazione [%s] in a schedariu di cunfigurazione.",
-    "Please wait %d seconds between each post.": [
-        "Aspettate %d seconda trà dui publicazioni.",
-        "Aspettate %d seconde trà dui publicazioni.",
-        "Aspettate %d seconde trà dui publicazioni.",
-        "Aspettate %d seconde trà dui publicazioni."
-    ],
-    "Paste is limited to %s of encrypted data.": "L’appiccicu hè limitatu à %s di dati cifrati.",
-    "Invalid data.": "Dati inaccetevule.",
-    "You are unlucky. Try again.": "Pruvate torna, Serete più furtunati.",
-    "Error saving comment. Sorry.": "Per disgrazzia, ci hè un sbagliu à l’arregistramentu di u cummentu.",
-    "Error saving paste. Sorry.": "Per disgrazzia, ci hè un sbagliu à l’arregistramentu di l’appiccicu.",
-    "Invalid paste ID.": "N° di l’appiccicu inaccettevule.",
-    "Paste is not of burn-after-reading type.": "L’appiccicu ùn hè micca di tipu « Squassà dopu a lettura ».",
-    "Wrong deletion token. Paste was not deleted.": "Gettone di squassatura incurrettu. L’appiccicu ùn hè micca statu squassatu.",
-    "Paste was properly deleted.": "L’appiccicu hè statu squassatu currettamente.",
-    "JavaScript is required for %s to work. Sorry for the inconvenience.": "JavaScript hè richiestu per fà funziunà %s. Scusate per stu penseru.",
-    "%s requires a modern browser to work.": "%s richiede un navigatore mudernu per funziunà.",
-    "New": "Novu",
-    "Send": "Mandà",
-    "Clone": "Duppione",
-    "Raw text": "Testu grossu",
-    "Expires": "Scadenza",
-    "Burn after reading": "Squassà dopu a lettura",
-    "Open discussion": "Apre una chjachjarata",
-    "Password (recommended)": "Parolla d’intesa (ricumandata)",
-    "Discussion": "Chjachjarata",
-    "Toggle navigation": "Invertisce a navigazione",
-    "%d seconds": [
-        "%d seconda",
-        "%d seconde",
-        "%d seconde",
-        "%d seconde"
-    ],
-    "%d minutes": [
-        "%d minutu",
-        "%d minuti",
-        "%d minuti",
-        "%d minuti"
-    ],
-    "%d hours": [
-        "%d ora",
-        "%d ore",
-        "%d ore",
-        "%d ore"
-    ],
-    "%d days": [
-        "%d ghjornu",
-        "%d ghjorni",
-        "%d ghjorni",
-        "%d ghjorni"
-    ],
-    "%d weeks": [
-        "%d settimana",
-        "%d settimane",
-        "%d settimane",
-        "%d settimane"
-    ],
-    "%d months": [
-        "%d mese",
-        "%d mesi",
-        "%d mesi",
-        "%d mesi"
-    ],
-    "%d years": [
-        "%d annu",
-        "%d anni",
-        "%d anni",
-        "%d anni"
-    ],
-    "Never": "Mai",
-    "Note: This is a test service: Data may be deleted anytime. Kittens will die if you abuse this service.": "Nota : Què hè un serviziu di prova ; i dati ponu esse squassati à ogni mumentu. Parechji catorni anu da esse tombi s’è vò impiegate troppu stu serviziu.",
-    "This document will expire in %d seconds.": [
-        "Stu ducumentu serà scadutu in %d seconda.",
-        "Stu ducumentu serà scadutu in %d seconde.",
-        "Stu ducumentu serà scadutu in %d seconde.",
-        "Stu ducumentu serà scadutu in %d seconde."
-    ],
-    "This document will expire in %d minutes.": [
-        "Stu ducumentu serà scadutu in %d minutu.",
-        "Stu ducumentu serà scadutu in %d minuti.",
-        "Stu ducumentu serà scadutu in %d minuti.",
-        "Stu ducumentu serà scadutu in %d minuti."
-    ],
-    "This document will expire in %d hours.": [
-        "Stu ducumentu serà scadutu in %d ora.",
-        "Stu ducumentu serà scadutu in %d ore.",
-        "Stu ducumentu serà scadutu in %d ore.",
-        "Stu ducumentu serà scadutu in %d ore."
-    ],
-    "This document will expire in %d days.": [
-        "Stu ducumentu serà scadutu in %d ghjornu.",
-        "Stu ducumentu serà scadutu in %d ghjorni.",
-        "Stu ducumentu serà scadutu in %d ghjorni.",
-        "Stu ducumentu serà scadutu in %d ghjorni."
-    ],
-    "This document will expire in %d months.": [
-        "Stu ducumentu serà scadutu in %d mese.",
-        "Stu ducumentu serà scadutu in %d mesi.",
-        "Stu ducumentu serà scadutu in %d mesi.",
-        "Stu ducumentu serà scadutu in %d mesi."
-    ],
-    "Please enter the password for this paste:": "Stampittate a parolla d’intesa per st’appiccicu :",
-    "Could not decrypt data (Wrong key?)": "Ùn si pò micca dicifrà i dati ; seria incurretta a chjave ?",
-    "Could not delete the paste, it was not stored in burn after reading mode.": "Ùn si pò micca squassà l’appiccicu, ùn hè micca statu in u modu « Squassà dopu a lettura ».",
-    "FOR YOUR EYES ONLY. Don't close this window, this message can't be displayed again.": "SOLU CÙ L’OCHJI. Ùn chjudite micca sta finestra, stu messaghju un puderà più esse affissatu torna.",
-    "Could not decrypt comment; Wrong key?": "Ùn si pò micca dicifrà u cummentu. Seria incurretta a chjave ?",
-    "Reply": "Risponde",
-    "Anonymous": "Anonimu",
-    "Avatar generated from IP address": "Avatar ingeneratu da l’indirizzu IP",
-    "Add comment": "Aghjunghje un cummentu",
-    "Optional nickname…": "Cugnome ozzionale…",
-    "Post comment": "Impustà u cummentu",
-    "Sending comment…": "Inviu di u cummentu…",
-    "Comment posted.": "Cummentu inviatu.",
-    "Could not refresh display: %s": "Ùn si pò micca attualizà l’affissera : %s",
-    "unknown status": "statu scunnisciutu",
-    "server error or not responding": "sbagliu di u servitore o u servitore ùn risponde micca",
-    "Could not post comment: %s": "Ùn si pò micca impustà u cummentu : %s",
-    "Sending paste…": "Inviu di l’appiccicu…",
-    "Your paste is <a id=\"pasteurl\" href=\"%s\">%s</a> <span id=\"copyhint\">(Hit [Ctrl]+[c] to copy)</span>": "U vostru appiccicu si trova à l’indirizzu<a id=\"pasteurl\" href=\"%s\">%s</a> <span id=\"copyhint\">(Appughjate [Ctrl]+[c] per cupià u liame)</span>",
-    "Delete data": "Squassà i dati",
-    "Could not create paste: %s": "Ùn si pò micca creà l’appiccicu : %s",
-    "Cannot decrypt paste: Decryption key missing in URL (Did you use a redirector or an URL shortener which strips part of the URL?)": "Ùn si pò micca dicifrà l’appiccicu : A chjave di dicifratura hè assente in l’indirizzu. Averiate impiegatu un orientadore d’indirizzu o un riduttore chì ammuzzeghja una parte di l’indirizzu ?",
-    "B": "o",
-    "KiB": "Ko",
-    "MiB": "Mo",
-    "GiB": "Go",
-    "TiB": "To",
-    "PiB": "Po",
-    "EiB": "Eo",
-    "ZiB": "Zo",
-    "YiB": "Yo",
-    "Format": "Furmatu",
-    "Plain Text": "Testu in chjaru",
-    "Source Code": "Codice di fonte",
-    "Markdown": "Markdown",
-    "Download attachment": "Scaricà a pezza aghjunta",
-    "Cloned: '%s'": "Duppiatu : « %s »",
-    "The cloned file '%s' was attached to this paste.": "U schedariu duppiatu  « %s » hè statu aghjuntu à st’appiccicu.",
-    "Attach a file": "Aghjunghje un schedariu",
-    "alternatively drag & drop a file or paste an image from the clipboard": "in alternanza, sguillà è depone un schedariu o incullà una fiura da u preme’papei",
-    "File too large, to display a preview. Please download the attachment.": "Schedariu troppu maiò per affissà una fighjulata. Scaricate a pezza aghjunta.",
-    "Remove attachment": "Caccià a pezza aghjunta",
-    "Your browser does not support uploading encrypted files. Please use a newer browser.": "U vostru navigatore ùn accetta micca l’inviu di i schedarii cifrati. Impiegate un navigatore più recente.",
-    "Invalid attachment.": "A pezza aghjunta hè inaccettevule.",
-    "Options": "Ozzioni",
-    "Shorten URL": "Ammuzzà l’indirizzu",
-    "Editor": "Editore",
-    "Preview": "Fighjulata",
-    "%s requires the PATH to end in a \"%s\". Please update the PATH in your index.php.": "%s richiede chì a variabile PATH si compii cù « %s ». Mudificate a variabile PATH in u vostru index.php.",
-    "Decrypt": "Dicifrà",
-    "Enter password": "Stampittate a parolla d’intesa",
-    "Loading…": "Caricamentu…",
-    "Decrypting paste…": "Dicifratura di l’appiccicu…",
-    "Preparing new paste…": "Approntu di u novu appiccicu…",
-    "In case this message never disappears please have a look at <a href=\"%s\">this FAQ for information to troubleshoot</a>.": "S’è stu messaghju ùn smarisce micca, lighjite <a href=\"%s\">sta FAQ per ottene infurmazioni annant’à a risuluzione di i prublemi</a>.",
-    "+++ no paste text +++": "+++ nisunu testu incullatu +++",
-    "Could not get paste data: %s": "Ùn si pò micca ottene i dati di l’appiccicu : %s",
-    "QR code": "Codice QR",
-    "This website is using an insecure HTTP connection! Please use it only for testing.": "Stu situ web impiegheghja una cunnessione HTTP non sicura ! impiegatelu solu per una prova.",
-    "For more information <a href=\"%s\">see this FAQ entry</a>.": "Per sapene di più, <a href=\"%s\">lighjite sta rubrica di a FAQ</a>.",
-    "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.": "U vostru navigatore pò richiede una cunnessione HTTPS per permette l’usu di l’API WebCrypto. Pruvate di <a href=\"%s\">passà à HTTPS</a>.",
-    "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.": "U vostru navigatore ùn accetta micca WebAssembly, impiegatu per a cumpressione zlib. Pudete creà ducumenti micca cumpressi, ma ùn pudete micca leghje quelli chì sò cumpressi.",
-    "waiting on user to provide a password": "in attesa di l’utilizatore per furnisce una parolla d’intesa",
-    "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.": "Ùn si pò micca dicifrà i dati. Avete stampittatu una parolla d’intesa incurretta ? Pruvate torna cù u buttone insù.",
-    "Retry": "Pruvà torna",
-    "Showing raw text…": "Affissera di u testu grossu…",
-    "Notice:": "Avertimentu :",
-    "This link will expire after %s.": "Stu liame hà da scade dopu à %s.",
-    "This link can only be accessed once, do not use back or refresh button in your browser.": "Stu liame pò esse accessu solu una volta, ùn impiegate micca i buttoni Precedente o Attualizà di u vostru navigatore.",
-    "Link:": "Liame :",
-    "Recipient may become aware of your timezone, convert time to UTC?": "U destinatariu pò cunnnosce u vostru fusu orariu. Vulete cunvertisce l’ora in u furmatu UTC ?",
-    "Use Current Timezone": "Impiegà u fusu orariu attuale",
-    "Convert To UTC": "Cunvertisce in UTC",
-    "Close": "Chjode",
-    "Encrypted note on PrivateBin": "Nota cifrata nant’à PrivateBin",
-    "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visitate stu liame per vede a nota. Date l’indirizzu à qualunque li permette d’accede à a nota dinù.",
-    "URL shortener may expose your decrypt key in URL.": "Un ammuzzatore d’indirizzu pò palisà a vostra chjave di dicifratura in l’indirizzu.",
-    "Save paste": "Arregistrà l’appiccicu",
-    "Your IP is not authorized to create pastes.": "U vostru indirizzu IP ùn hè micca auturizatu à creà l’appiccichi."
-}

i18n/cs.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Šifrovaná poznámka ve službě PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Navštivte tento odkaz pro zobrazení poznámky. Přeposláním URL umožníte také jiným lidem přístup.",
     "URL shortener may expose your decrypt key in URL.": "Zkracovač URL může odhalit váš dešifrovací klíč v URL.",
-    "Save paste": "Uložit příspěvek",
+    "Save paste": "Uložit příspěvek"
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/de.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Verschlüsselte Notiz auf PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Besuche diesen Link um das Dokument zu sehen. Wird die URL an eine andere Person gegeben, so kann diese Person ebenfalls auf dieses Dokument zugreifen.",
     "URL shortener may expose your decrypt key in URL.": "Der URL-Verkürzer kann den Schlüssel in der URL enthüllen.",
-    "Save paste": "Text speichern",
+    "Save paste": "Text speichern"
-    "Your IP is not authorized to create pastes.": "Deine IP ist nicht berechtigt, Texte zu erstellen."
 }

i18n/el.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste",
+    "Save paste": "Save paste"
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/en.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste",
+    "Save paste": "Save paste"
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/es.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Nota cifrada en PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visite este enlace para ver la nota. Dar la URL a cualquier persona también les permite acceder a la nota.",
     "URL shortener may expose your decrypt key in URL.": "El acortador de URL puede exponer su clave de descifrado en el URL.",
-    "Save paste": "Guardar \"paste\"",
+    "Save paste": "Guardar \"paste\""
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/et.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Krüpteeritud kiri PrivateBin-is",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Kirja nägemiseks külasta seda linki. Teistele URL-i andmine lubab ka neil ligi pääseda kirjale.",
     "URL shortener may expose your decrypt key in URL.": "URL-i lühendaja võib paljastada sinu dekrüpteerimisvõtme URL-is.",
-    "Save paste": "Salvesta kleebe",
+    "Save paste": "Salvesta kleebe"
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/fi.json

@@ -15,11 +15,11 @@
     ],
     "Paste is limited to %s of encrypted data.": "Paste on rajoitettu kokoon %s salattua dataa.",
     "Invalid data.": "Virheellinen data.",
-    "You are unlucky. Try again.": "Olet epäonnekas. Yritä uudelleen.",
+    "You are unlucky. Try again.": "Olet epäonnekas. Yritä uudelleen",
     "Error saving comment. Sorry.": "Virhe kommenttia tallentaessa. Anteeksi.",
     "Error saving paste. Sorry.": "Virhe pastea tallentaessa. Anteeksi.",
     "Invalid paste ID.": "Virheellinen paste ID.",
-    "Paste is not of burn-after-reading type.": "Paste ei ole polta-lukemisen-jälkeen-tyyppiä.",
+    "Paste is not of burn-after-reading type.": "Paste ei ole polta-lukemisen-jälkeen-tyyppiä",
     "Wrong deletion token. Paste was not deleted.": "Virheellinen poistotunniste. Pastea ei poistettu.",
     "Paste was properly deleted.": "Paste poistettiin kunnolla.",
     "JavaScript is required for %s to work. Sorry for the inconvenience.": "JavaScriptiä tarvitaan jotta %s toimisi. Anteeksi haitasta.",
@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Salattu viesti PrivateBinissä",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Käy tässä linkissä nähdäksesi viestin. URL:n antaminen kenellekään antaa heidänkin päästä katsomeen viestiä. ",
     "URL shortener may expose your decrypt key in URL.": "URL-lyhentäjä voi paljastaa purkuavaimesi URL:ssä.",
-    "Save paste": "Tallenna paste",
+    "Save paste": "Tallenna paste"
-    "Your IP is not authorized to create pastes.": "IP:llesi ei ole annettu oikeutta luoda pasteja."
 }

i18n/fr.json

@@ -2,7 +2,7 @@
     "PrivateBin": "PrivateBin",
     "%s is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted %sin the browser%s using 256 bits AES.": "%s est un 'pastebin' (ou gestionnaire d'extraits de texte et de code source) minimaliste et open source, dans lequel le serveur n'a aucune connaissance des données envoyées. Les données sont chiffrées/déchiffrées %sdans le navigateur%s par un chiffrement AES 256 bits.",
     "More information on the <a href=\"https://privatebin.info/\">project page</a>.": "Plus d'informations sur <a href=\"https://privatebin.info/\">la page du projet</a>.",
-    "Because ignorance is bliss": "Vivons heureux, vivons cachés",
+    "Because ignorance is bliss": "Parce que l'ignorance c'est le bonheur",
     "en": "fr",
     "Paste does not exist, has expired or has been deleted.": "Le paste n'existe pas, a expiré, ou a été supprimé.",
     "%s requires php %s or above to work. Sorry.": "Désolé, %s nécessite php %s ou supérieur pour fonctionner.",
@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Message chiffré sur PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visiter ce lien pour voir la note. Donner l'URL à une autre personne lui permet également d'accéder à la note.",
     "URL shortener may expose your decrypt key in URL.": "Raccourcir l'URL peut exposer votre clé de déchiffrement dans l'URL.",
-    "Save paste": "Sauver le paste",
+    "Save paste": "Sauver le paste"
-    "Your IP is not authorized to create pastes.": "Votre adresse IP n'est pas autorisée à créer des pastes."
 }

i18n/he.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "הערה מוצפנת ב־PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "נא לבקר בקישור כדי לצפות בהערה. מסירת הקישור לאנשים כלשהם תאפשר גם להם לגשת להערה.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste",
+    "Save paste": "Save paste"
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/hi.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste",
+    "Save paste": "Save paste"
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/hu.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Titkosított jegyzet a PrivateBinen",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Látogasd meg ezt a hivatkozást a bejegyzés megtekintéséhez. Ha mások számára is megadod ezt a linket, azzal hozzáférnek ők is.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste",
+    "Save paste": "Save paste"
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/id.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Catatan ter-ekrip di PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Kunjungi tautan ini untuk melihat catatan. Memberikan alamat URL pada siapapun juga, akan mengizinkan mereka untuk mengakses catatan, so pasti gitu loh Kaka.",
     "URL shortener may expose your decrypt key in URL.": "Pemendek URL mungkin akan menampakkan kunci dekrip Anda dalam URL.",
-    "Save paste": "Simpan paste",
+    "Save paste": "Simpan paste"
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/it.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Nota crittografata su PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visita questo collegamento per vedere la nota. Dare l'URL a chiunque consente anche a loro di accedere alla nota.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener può esporre la tua chiave decrittografata nell'URL.",
-    "Save paste": "Salva il messagio",
+    "Save paste": "Salva il messagio"
-    "Your IP is not authorized to create pastes.": "Il tuo IP non è autorizzato a creare dei messaggi."
 }

i18n/ja.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste",
+    "Save paste": "Save paste"
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/jbo.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": ".i lo lo notci ku mifra cu zvati sivlolnitvanku'a",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "rejgau fukpi",
+    "Save paste": "rejgau fukpi"
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/ku.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste",
+    "Save paste": "Save paste"
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/la.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste",
+    "Save paste": "Save paste"
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/lt.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Šifruoti užrašai ties PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Norėdami matyti užrašus, aplankykite šį tinklalapį. Pasidalinus šiuo URL adresu su kitais žmonėmis, jiems taip pat bus leidžiama prieiga prie šių užrašų.",
     "URL shortener may expose your decrypt key in URL.": "URL trumpinimo įrankis gali atskleisti URL adrese jūsų iššifravimo raktą.",
-    "Save paste": "Įrašyti įdėjimą",
+    "Save paste": "Įrašyti įdėjimą"
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/nl.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste",
+    "Save paste": "Save paste"
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/no.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Kryptert notat på PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Besøk denne lenken for å se notatet. Hvis lenken deles med andre, vil de også kunne se notatet.",
     "URL shortener may expose your decrypt key in URL.": "URL forkorter kan avsløre dekrypteringsnøkkelen.",
-    "Save paste": "Lagre utklipp",
+    "Save paste": "Lagre utklipp"
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/oc.json

@@ -37,76 +37,76 @@
     "%d seconds": [
         "%d segonda",
         "%d segondas",
-        "%d segondas",
+        "%d seconds (2nd plural)",
-        "%d segondas"
+        "%d seconds (3rd plural)"
     ],
     "%d minutes": [
         "%d minuta",
         "%d minutas",
-        "%d minutas",
+        "%d minutes (2nd plural)",
-        "%d minutas"
+        "%d minutes (3rd plural)"
     ],
     "%d hours": [
         "%d ora",
         "%d oras",
-        "%d oras",
+        "%d hours (2nd plural)",
-        "%d oras"
+        "%d hours (3rd plural)"
     ],
     "%d days": [
         "%d jorn",
         "%d jorns",
-        "%d jorns",
+        "%d days (2nd plural)",
-        "%d jorns"
+        "%d days (3rd plural)"
     ],
     "%d weeks": [
         "%d setmana",
         "%d setmanas",
-        "%d setmanas",
+        "%d weeks (2nd plural)",
-        "%d setmanas"
+        "%d weeks (3rd plural)"
     ],
     "%d months": [
         "%d mes",
         "%d meses",
-        "%d meses",
+        "%d months (2nd plural)",
-        "%d meses"
+        "%d months (3rd plural)"
     ],
     "%d years": [
         "%d an",
         "%d ans",
-        "%d ans",
+        "%d years (2nd plural)",
-        "%d ans"
+        "%d years (3rd plural)"
     ],
     "Never": "Jamai",
     "Note: This is a test service: Data may be deleted anytime. Kittens will die if you abuse this service.": "Nota : Aquò es un servici d’espròva : las donadas pòdon èsser suprimidas a cada moment. De catons moriràn s’abusatz d’aqueste servici.",
     "This document will expire in %d seconds.": [
-        "Aqueste document expirarà d’aquí %d segonda.",
+        "Ce document expirera dans %d seconde.",
-        "Aqueste document expirarà d’aquí %d segondas.",
+        "Aqueste document expirarà dins %d segondas.",
-        "Aqueste document expirarà d’aquí %d segondas.",
+        "Aqueste document expirarà dins %d segondas.",
-        "Aqueste document expirarà d’aquí %d segondas."
+        "Aqueste document expirarà dins %d segondas."
     ],
     "This document will expire in %d minutes.": [
-        "Aqueste document expirarà d’aquí %d minuta.",
+        "Ce document expirera dans %d minute.",
-        "Aqueste document expirarà d’aquí %d minutas.",
+        "Aqueste document expirarà dins %d minutas.",
-        "Aqueste document expirarà d’aquí %d minutas.",
+        "Aqueste document expirarà dins %d minutas.",
-        "Aqueste document expirarà d’aquí %d minutas."
+        "Aqueste document expirarà dins %d minutas."
     ],
     "This document will expire in %d hours.": [
-        "Aqueste document expirarà d’aquí %d ora.",
+        "Ce document expirera dans %d heure.",
-        "Aqueste document expirarà d’aquí %d oras.",
+        "Aqueste document expirarà dins %d oras.",
-        "Aqueste document expirarà d’aquí %d oras.",
+        "Aqueste document expirarà dins %d oras.",
-        "Aqueste document expirarà d’aquí %d oras."
+        "Aqueste document expirarà dins %d oras."
     ],
     "This document will expire in %d days.": [
-        "Aqueste document expirarà d’aquí %d jorn.",
+        "Ce document expirera dans %d jour.",
-        "Aqueste document expirarà d’aquí %d jorns.",
+        "Aqueste document expirarà dins %d jorns.",
-        "Aqueste document expirarà d’aquí %d jorns.",
+        "Aqueste document expirarà dins %d jorns.",
-        "Aqueste document expirarà d’aquí %d jorns."
+        "Aqueste document expirarà dins %d jorns."
     ],
     "This document will expire in %d months.": [
-        "Aqueste document expirarà d’aquí %d mes.",
+        "Ce document expirera dans %d mois.",
-        "Aqueste document expirarà d’aquí %d meses.",
+        "Aqueste document expirarà dins %d meses.",
-        "Aqueste document expirarà d’aquí %d meses.",
+        "Aqueste document expirarà dins %d meses.",
-        "Aqueste document expirarà d’aquí %d meses."
+        "Aqueste document expirarà dins %d meses."
     ],
     "Please enter the password for this paste:": "Picatz lo senhal per aqueste tèxte :",
     "Could not decrypt data (Wrong key?)": "Impossible de deschifrar las donadas (marrida clau ?)",
@@ -156,7 +156,7 @@
     "Shorten URL": "Acorchir l’URL",
     "Editor": "Editar",
     "Preview": "Previsualizar",
-    "%s requires the PATH to end in a \"%s\". Please update the PATH in your index.php.": "%s demanda que lo PATH termine en « %s ». Mercés de metre a jorn lo PATH dins vòstre index.php.",
+    "%s requires the PATH to end in a \"%s\". Please update the PATH in your index.php.": "%s demanda que lo PATH termine en \"%s\". Mercés de metre a jorn lo PATH dins vòstre index.php.",
     "Decrypt": "Deschifrar",
     "Enter password": "Picatz lo senhal",
     "Loading…": "Cargament…",
@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Nòtas chifradas sus PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visitatz aqueste ligam per veire la nòta. Fornir lo ligam a qualqu’un mai li permet tanben d’accedir a la nòta.",
     "URL shortener may expose your decrypt key in URL.": "Los espleches d’acorchiment d’URL pòdon expausar la clau de deschiframent dins l’URL.",
-    "Save paste": "Enregistrar lo tèxt",
+    "Save paste": "Enregistrar lo tèxt"
-    "Your IP is not authorized to create pastes.": "Vòstra adreça IP a pas l’autorizacion de crear de tèxtes."
 }

i18n/pl.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste",
+    "Save paste": "Save paste"
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/pt.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Nota criptografada no PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visite esse link para ver a nota. Dar a URL para qualquer um permite que eles também acessem a nota.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste",
+    "Save paste": "Save paste"
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/ru.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Зашифрованная запись на PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Посетите эту ссылку чтобы просмотреть запись. Передача ссылки кому либо позволит им получить доступ к записи тоже.",
     "URL shortener may expose your decrypt key in URL.": "Сервис сокращения ссылок может получить ваш ключ расшифровки из ссылки.",
-    "Save paste": "Сохранить запись",
+    "Save paste": "Сохранить запись"
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/sl.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste",
+    "Save paste": "Save paste"
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/sv.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste",
+    "Save paste": "Save paste"
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/tr.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste",
+    "Save paste": "Save paste"
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/uk.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste",
+    "Save paste": "Save paste"
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/zh.json

@@ -185,6 +185,5 @@
     "Encrypted note on PrivateBin": "PrivateBin 上的加密笔记",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "访问此链接来查看该笔记。将此 URL 发送给任何人即可允许其访问该笔记。",
     "URL shortener may expose your decrypt key in URL.": "短链接服务可能会暴露您在 URL 中的解密密钥。",
-    "Save paste": "保存内容",
+    "Save paste": "保存内容"
-    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

index.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.4.0
+ * @version   1.3.5
  */
 
 // change this, if your php files and data is outside of your webservers document root

js/common.js

@@ -12,15 +12,15 @@ global.WebCrypto = require('@peculiar/webcrypto').Crypto;
 // application libraries to test
 global.$ = global.jQuery = require('./jquery-3.6.0');
 global.RawDeflate = require('./rawinflate-0.3').RawDeflate;
-global.zlib = require('./zlib-1.2.12').zlib;
+global.zlib = require('./zlib-1.2.11').zlib;
 require('./prettify');
 global.prettyPrint = window.PR.prettyPrint;
 global.prettyPrintOne = window.PR.prettyPrintOne;
-global.showdown = require('./showdown-2.0.3');
+global.showdown = require('./showdown-2.0.0');
 global.DOMPurify = require('./purify-2.3.6');
 global.baseX = require('./base-x-4.0.0').baseX;
 global.Legacy = require('./legacy').Legacy;
-require('./bootstrap-3.4.1');
+require('./bootstrap-3.3.7');
 require('./privatebin');
 
 // internal variables
@@ -131,3 +131,4 @@ exports.jscMimeTypes = function() {
 exports.jscFormats = function() {
     return jsc.elements(formats);
 };
+

js/package.json

@@ -1,6 +1,6 @@
 {
   "name": "privatebin",
-  "version": "1.4.0",
+  "version": "1.3.5",
   "description": "PrivateBin is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256 bit AES in Galois Counter mode (GCM).",
   "main": "privatebin.js",
   "directories": {

js/privatebin.js

@@ -6,7 +6,7 @@
  * @see       {@link https://github.com/PrivateBin/PrivateBin}
  * @copyright 2012 Sébastien SAUVAGE ({@link http://sebsauvage.net})
  * @license   {@link https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License}
- * @version   1.4.0
+ * @version   1.3.5
  * @name      PrivateBin
  * @namespace
  */
@@ -52,31 +52,6 @@ jQuery.PrivateBin = (function($, RawDeflate) {
      */
     let z;
 
-    /**
-     * DOMpurify settings for HTML content
-     *
-     * @private
-     */
-     const purifyHtmlConfig = {
-        ALLOWED_URI_REGEXP: /^(?:(?:(?:f|ht)tps?|mailto|magnet):)/i,
-        SAFE_FOR_JQUERY: true,
-        USE_PROFILES: {
-            html: true
-        }
-    };
-
-    /**
-     * DOMpurify settings for SVG content
-     *
-     * @private
-     */
-     const purifySvgConfig = {
-        USE_PROFILES: {
-            svg: true,
-            svgFilters: true
-        }
-    };
-
     /**
      * CryptoData class
      *
@@ -434,8 +409,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
                     element.html().replace(
                         /(((https?|ftp):\/\/[\w?!=&.\/-;#@~%+*-]+(?![\w\s?!&.\/;#~%"=-]>))|((magnet):[\w?=&.\/-;#@~%+*-]+))/ig,
                         '<a href="$1" rel="nofollow noopener noreferrer">$1</a>'
-                    ),
+                    )
-                    purifyHtmlConfig
                 )
             );
         };
@@ -627,7 +601,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
          * @prop   {string[]}
          * @readonly
          */
-        const supportedLanguages = ['bg', 'ca', 'co', 'cs', 'de', 'es', 'et', 'fi', 'fr', 'he', 'hu', 'id', 'it', 'jbo', 'lt', 'no', 'nl', 'pl', 'pt', 'oc', 'ru', 'sl', 'uk', 'zh'];
+        const supportedLanguages = ['bg', 'ca', 'cs', 'de', 'es', 'et', 'fr', 'he', 'hu', 'id', 'it', 'jbo', 'lt', 'no', 'nl', 'pl', 'pt', 'oc', 'ru', 'sl', 'uk', 'zh'];
 
         /**
          * built in language
@@ -793,7 +767,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
         /**
          * per language functions to use to determine the plural form
          *
-         * @see    {@link https://docs.translatehouse.org/projects/localization-guide/en/latest/l10n/pluralforms.html}
+         * @see    {@link https://localization-guide.readthedocs.org/en/latest/l10n/pluralforms.html}
          * @name   I18n.getPluralForm
          * @function
          * @param  {int} n
@@ -804,7 +778,6 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             {
                 case 'cs':
                     return n === 1 ? 0 : (n >= 2 && n <=4 ? 1 : 2);
-                case 'co':
                 case 'fr':
                 case 'oc':
                 case 'zh':
@@ -823,7 +796,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
                     return n % 10 === 1 && n % 100 !== 11 ? 0 : (n % 10 >= 2 && n % 10 <= 4 && (n % 100 < 10 || n % 100 >= 20) ? 1 : 2);
                 case 'sl':
                     return n % 100 === 1 ? 1 : (n % 100 === 2 ? 2 : (n % 100 === 3 || n % 100 === 4 ? 3 : 0));
-                // bg, ca, de, en, es, et, fi, hu, it, nl, no, pt
+                // bg, ca, de, en, es, et, hu, it, nl, no, pt
                 default:
                     return n !== 1 ? 1 : 0;
             }
@@ -2562,8 +2535,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
                 // let showdown convert the HTML and sanitize HTML *afterwards*!
                 $plainText.html(
                     DOMPurify.sanitize(
-                        converter.makeHtml(text),
+                        converter.makeHtml(text)
-                        purifyHtmlConfig
                     )
                 );
                 // add table classes from bootstrap css
@@ -2779,34 +2751,6 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             $dropzone;
 
         /**
-         * get blob URL from string data and mime type
-         *
-         * @name   AttachmentViewer.getBlobUrl
-         * @private
-         * @function
-         * @param {string} data - raw data of attachment
-         * @param {string} data - mime type of attachment
-         * @return {string} objectURL
-         */
-         function getBlobUrl(data, mimeType)
-         {
-            // Transform into a Blob
-            const buf = new Uint8Array(data.length);
-            for (let i = 0; i < data.length; ++i) {
-                buf[i] = data.charCodeAt(i);
-            }
-            const blob = new window.Blob(
-                [buf],
-                {
-                    type: mimeType
-                }
-            );
-
-            // Get blob URL
-            return window.URL.createObjectURL(blob);
-         }
-
-         /**
          * sets the attachment but does not yet show it
          *
          * @name   AttachmentViewer.setAttachment
@@ -2816,42 +2760,44 @@ jQuery.PrivateBin = (function($, RawDeflate) {
          */
         me.setAttachment = function(attachmentData, fileName)
         {
-            // skip, if attachments got disabled
+            // data URI format: data:[<mediaType>][;base64],<data>
-            if (!$attachmentLink || !$attachmentPreview) return;
-
-            // data URI format: data:[<mimeType>][;base64],<data>
 
             // position in data URI string of where data begins
             const base64Start = attachmentData.indexOf(',') + 1;
-            // position in data URI string of where mimeType ends
+            // position in data URI string of where mediaType ends
-            const mimeTypeEnd = attachmentData.indexOf(';');
+            const mediaTypeEnd = attachmentData.indexOf(';');
 
-            // extract mimeType
+            // extract mediaType
-            const mimeType = attachmentData.substring(5, mimeTypeEnd);
+            const mediaType = attachmentData.substring(5, mediaTypeEnd);
             // extract data and convert to binary
             const rawData = attachmentData.substring(base64Start);
             const decodedData = rawData.length > 0 ? atob(rawData) : '';
 
-            let blobUrl = getBlobUrl(decodedData, mimeType);
+            // Transform into a Blob
-            $attachmentLink.attr('href', blobUrl);
+            const buf = new Uint8Array(decodedData.length);
+            for (let i = 0; i < decodedData.length; ++i) {
+                buf[i] = decodedData.charCodeAt(i);
+            }
+            const blob = new window.Blob([ buf ], { type: mediaType });
+
+            // Get Blob URL
+            const blobUrl = window.URL.createObjectURL(blob);
+
+            // IE does not support setting a data URI on an a element
+            // Using msSaveBlob to download
+            if (window.Blob && navigator.msSaveBlob) {
+                $attachmentLink.off('click').on('click', function () {
+                    navigator.msSaveBlob(blob, fileName);
+                });
+            } else {
+                $attachmentLink.attr('href', blobUrl);
+            }
 
             if (typeof fileName !== 'undefined') {
                 $attachmentLink.attr('download', fileName);
             }
 
-            // sanitize SVG preview
+            me.handleBlobAttachmentPreview($attachmentPreview, blobUrl, mediaType);
-            // prevents executing embedded scripts when CSP is not set and user
-            // right-clicks/long-taps and opens the SVG in a new tab - prevented
-            // in the preview by use of an img tag, which disables scripts, too
-            if (mimeType.match(/^image\/.*svg/i)) {
-                const sanitizedData = DOMPurify.sanitize(
-                    decodedData,
-                    purifySvgConfig
-                );
-                blobUrl = getBlobUrl(sanitizedData, mimeType);
-            }
-
-            me.handleBlobAttachmentPreview($attachmentPreview, blobUrl, mimeType);
         };
 
         /**
@@ -2862,9 +2808,6 @@ jQuery.PrivateBin = (function($, RawDeflate) {
          */
         me.showAttachment = function()
         {
-            // skip, if attachments got disabled
-            if (!$attachment || !$attachmentPreview) return;
-
             $attachment.removeClass('hidden');
 
             if (attachmentHasPreview) {
@@ -3072,13 +3015,13 @@ jQuery.PrivateBin = (function($, RawDeflate) {
         me.handleBlobAttachmentPreview = function ($targetElement, blobUrl, mimeType) {
             if (blobUrl) {
                 attachmentHasPreview = true;
-                if (mimeType.match(/^image\//i)) {
+                if (mimeType.match(/image\//i)) {
                     $targetElement.html(
                         $(document.createElement('img'))
                             .attr('src', blobUrl)
                             .attr('class', 'img-thumbnail')
                     );
-                } else if (mimeType.match(/^video\//i)) {
+                } else if (mimeType.match(/video\//i)) {
                     $targetElement.html(
                         $(document.createElement('video'))
                             .attr('controls', 'true')
@@ -3089,7 +3032,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
                             .attr('type', mimeType)
                             .attr('src', blobUrl))
                     );
-                } else if (mimeType.match(/^audio\//i)) {
+                } else if (mimeType.match(/audio\//i)) {
                     $targetElement.html(
                         $(document.createElement('audio'))
                             .attr('controls', 'true')
@@ -3721,14 +3664,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             for (let i = 0; i < $head.length; ++i) {
                 newDoc.write($head[i].outerHTML);
             }
-            newDoc.write(
+            newDoc.write('</head><body><pre>' + DOMPurify.sanitize(Helper.htmlEntities(paste)) + '</pre></body></html>');
-                '</head><body><pre>' +
-                DOMPurify.sanitize(
-                    Helper.htmlEntities(paste),
-                    purifyHtmlConfig
-                ) +
-                '</pre></body></html>'
-            );
             newDoc.close();
         }
 
@@ -5457,6 +5393,11 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             // first load translations
             I18n.loadTranslations();
 
+            DOMPurify.setConfig({
+                ALLOWED_URI_REGEXP: /^(?:(?:(?:f|ht)tps?|mailto|magnet):)/i,
+                SAFE_FOR_JQUERY: true
+            });
+
             // Add a hook to make all links open a new window
             DOMPurify.addHook('afterSanitizeAttributes', function(node) {
                 // set all elements owning target to target=_blank

js/test/DiscussionViewer.js

@@ -110,3 +110,4 @@ describe('DiscussionViewer', function () {
         );
     });
 });
+

js/test/Editor.js

@@ -52,12 +52,12 @@ describe('Editor', function () {
                     !$.PrivateBin.Editor.isPreview() &&
                     !$('#message').hasClass('hidden')
                 );
-                $('#messagepreview').trigger('click');
+                $('#messagepreview').click();
                 results.push(
                     $.PrivateBin.Editor.isPreview() &&
                     $('#message').hasClass('hidden')
                 );
-                $('#messageedit').trigger('click');
+                $('#messageedit').click();
                 results.push(
                     !$.PrivateBin.Editor.isPreview() &&
                     !$('#message').hasClass('hidden')
@@ -68,3 +68,4 @@ describe('Editor', function () {
         );
     });
 });
+

js/test/TopNav.js

@@ -280,8 +280,7 @@ describe('TopNav', function () {
         it(
             'collapses the navigation when displayed on a small screen',
             function () {
-                var clean = jsdom(),
+                var results = [];
-                    results = [];
                 $('body').html(
                     '<nav><div class="navbar-header"><button type="button" ' +
                     'class="navbar-toggle collapsed" data-toggle="collapse" ' +
@@ -302,11 +301,7 @@ describe('TopNav', function () {
                     $('.navbar-toggle').hasClass('collapsed') &&
                     $('#navbar').attr('aria-expanded') != 'true'
                 );
-                /*
+                $('.navbar-toggle').click();
-                with the upgrade for bootstrap-3.3.7.js to bootstrap-3.4.1.js
-                the mobile interface detection changed to check if the
-                ontouchstart event exists, which broke this section of the test
-                $('.navbar-toggle').trigger('click');
                 results.push(
                     !$('.navbar-toggle').hasClass('collapsed') &&
                     $('#navbar').attr('aria-expanded') == 'true'
@@ -316,8 +311,7 @@ describe('TopNav', function () {
                     $('.navbar-toggle').hasClass('collapsed') &&
                     $('#navbar').attr('aria-expanded') == 'false'
                 );
-                */
+                cleanup();
-                clean();
                 assert.ok(results.every(element => element));
             }
         );
@@ -676,3 +670,4 @@ describe('TopNav', function () {
         );
     });
 });
+

js/zlib-1.2.11.js

@@ -26,9 +26,9 @@
 
         let buff;
         if (typeof fetch === 'undefined') {
-            buff = fs.readFileSync('zlib-1.2.12.wasm');
+            buff = fs.readFileSync('zlib-1.2.11.wasm');
         } else {
-            const resp = await fetch('js/zlib-1.2.12.wasm');
+            const resp = await fetch('js/zlib-1.2.11.wasm');
             buff = await resp.arrayBuffer();
         }
         const module = await WebAssembly.compile(buff);

lib/Configuration.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.4.0
+ * @version   1.3.5
  */
 
 namespace PrivateBin;
@@ -54,7 +54,7 @@ class Configuration
             'urlshortener'             => '',
             'qrcode'                   => true,
             'icon'                     => 'identicon',
-            'cspheader'                => 'default-src \'none\'; base-uri \'self\'; form-action \'none\'; manifest-src \'self\'; connect-src * blob:; script-src \'self\' \'unsafe-eval\'; style-src \'self\'; font-src \'self\'; frame-ancestors \'none\'; img-src \'self\' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads',
+            'cspheader'                => 'default-src \'none\'; base-uri \'self\'; form-action \'none\'; manifest-src \'self\'; connect-src * blob:; script-src \'self\' \'unsafe-eval\' resource:; style-src \'self\'; font-src \'self\'; frame-ancestors \'none\'; img-src \'self\' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads',
             'zerobincompatibility'     => false,
             'httpwarning'              => true,
             'compression'              => 'zlib',
@@ -78,10 +78,9 @@ class Configuration
             'markdown'           => 'Markdown',
         ),
         'traffic' => array(
-            'limit'     => 10,
+            'limit'      => 10,
-            'header'    => '',
+            'header'     => null,
-            'exempted'  => '',
+            'exemptedIp' => null,
-            'creators'  => '',
         ),
         'purge' => array(
             'limit'     => 300,

lib/Controller.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.4.0
+ * @version   1.3.5
  */
 
 namespace PrivateBin;
@@ -28,7 +28,7 @@ class Controller
      *
      * @const string
      */
-    const VERSION = '1.4.0';
+    const VERSION = '1.3.5';
 
     /**
      * minimal required PHP version
@@ -199,10 +199,13 @@ class Controller
         ServerSalt::setStore($this->_model->getStore());
         TrafficLimiter::setConfiguration($this->_conf);
         TrafficLimiter::setStore($this->_model->getStore());
-        try {
+        if (!TrafficLimiter::canPass()) {
-            TrafficLimiter::canPass();
+            $this->_return_message(
-        } catch (Exception $e) {
+                1, I18n::_(
-            $this->_return_message(1, $e->getMessage());
+                    'Please wait %d seconds between each post.',
+                    $this->_conf->getKey('limit', 'traffic')
+                )
+            );
             return;
         }
 
@@ -364,16 +367,6 @@ class Controller
             setcookie('lang', $languageselection, 0, '', '', true);
         }
 
-        // strip policies that are unsupported in meta tag
-        $metacspheader = str_replace(
-            array(
-                'frame-ancestors \'none\'; ',
-                '; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads',
-            ),
-            '',
-            $this->_conf->getKey('cspheader')
-        );
-
         $page = new View;
         $page->assign('NAME', $this->_conf->getKey('name'));
         $page->assign('BASEPATH', I18n::_($this->_conf->getKey('basepath')));
@@ -402,7 +395,6 @@ class Controller
         $page->assign('HTTPWARNING', $this->_conf->getKey('httpwarning'));
         $page->assign('HTTPSLINK', 'https://' . $this->_request->getHost() . $this->_request->getRequestUri());
         $page->assign('COMPRESSION', $this->_conf->getKey('compression'));
-        $page->assign('CSPHEADER', $metacspheader);
         $page->draw($this->_conf->getKey('template'));
     }
 

lib/Data/AbstractData.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.4.0
+ * @version   1.3.5
  */
 
 namespace PrivateBin\Data;

lib/Data/Database.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.4.0
+ * @version   1.3.5
  */
 
 namespace PrivateBin\Data;

lib/Data/Filesystem.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.4.0
+ * @version   1.3.5
  */
 
 namespace PrivateBin\Data;

lib/Filter.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.4.0
+ * @version   1.3.5
  */
 
 namespace PrivateBin;

lib/FormatV2.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.4.0
+ * @version   1.3.5
  */
 
 namespace PrivateBin;

lib/I18n.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.4.0
+ * @version   1.3.5
  */
 
 namespace PrivateBin;
@@ -305,7 +305,7 @@ class I18n
     /**
      * determines the plural form to use based on current language and given number
      *
-     * From: https://docs.translatehouse.org/projects/localization-guide/en/latest/l10n/pluralforms.html
+     * From: https://localization-guide.readthedocs.org/en/latest/l10n/pluralforms.html
      *
      * @access protected
      * @static
@@ -317,7 +317,6 @@ class I18n
         switch (self::$_language) {
             case 'cs':
                 return $n == 1 ? 0 : ($n >= 2 && $n <= 4 ? 1 : 2);
-            case 'co':
             case 'fr':
             case 'oc':
             case 'zh':
@@ -336,7 +335,7 @@ class I18n
                 return $n % 10 == 1 && $n % 100 != 11 ? 0 : ($n % 10 >= 2 && $n % 10 <= 4 && ($n % 100 < 10 || $n % 100 >= 20) ? 1 : 2);
             case 'sl':
                 return $n % 100 == 1 ? 1 : ($n % 100 == 2 ? 2 : ($n % 100 == 3 || $n % 100 == 4 ? 3 : 0));
-            // bg, ca, de, en, es, et, fi, hu, it, nl, no, pt
+            // bg, ca, de, en, es, et, hu, it, nl, no, pt
             default:
                 return $n != 1 ? 1 : 0;
         }

lib/Json.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.4.0
+ * @version   1.3.5
  */
 
 namespace PrivateBin;

lib/Model.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.4.0
+ * @version   1.3.5
  */
 
 namespace PrivateBin;

lib/Model/AbstractModel.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.4.0
+ * @version   1.3.5
  */
 
 namespace PrivateBin\Model;

lib/Model/Comment.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.4.0
+ * @version   1.3.5
  */
 
 namespace PrivateBin\Model;

lib/Model/Paste.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.4.0
+ * @version   1.3.5
  */
 
 namespace PrivateBin\Model;

lib/Persistence/AbstractPersistence.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.4.0
+ * @version   1.3.5
  */
 
 namespace PrivateBin\Persistence;

lib/Persistence/PurgeLimiter.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.4.0
+ * @version   1.3.5
  */
 
 namespace PrivateBin\Persistence;

lib/Persistence/ServerSalt.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.4.0
+ * @version   1.3.5
  */
 
 namespace PrivateBin\Persistence;

lib/Persistence/TrafficLimiter.php

@@ -8,16 +8,13 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.4.0
+ * @version   1.3.5
  */
 
 namespace PrivateBin\Persistence;
 
-use Exception;
 use IPLib\Factory;
-use IPLib\ParseStringFlag;
 use PrivateBin\Configuration;
-use PrivateBin\I18n;
 
 /**
  * TrafficLimiter
@@ -27,22 +24,22 @@ use PrivateBin\I18n;
 class TrafficLimiter extends AbstractPersistence
 {
     /**
-     * listed IPs are the only ones allowed to create, defaults to null
+     * time limit in seconds, defaults to 10s
      *
      * @access private
      * @static
-     * @var    string|null
+     * @var    int
      */
-    private static $_creators = null;
+    private static $_limit = 10;
 
     /**
-     * listed IPs are exempted from limits, defaults to null
+     * listed ips are exempted from limits, defaults to null
      *
      * @access private
      * @static
      * @var    string|null
      */
-    private static $_exempted = null;
+    private static $_exemptedIp = null;
 
     /**
      * key to fetch IP address
@@ -54,13 +51,28 @@ class TrafficLimiter extends AbstractPersistence
     private static $_ipKey = 'REMOTE_ADDR';
 
     /**
-     * time limit in seconds, defaults to 10s
+     * set the time limit in seconds
      *
-     * @access private
+     * @access public
      * @static
-     * @var    int
+     * @param  int $limit
      */
-    private static $_limit = 10;
+    public static function setLimit($limit)
+    {
+        self::$_limit = $limit;
+    }
+
+    /**
+     * set a list of ip(ranges) as string
+     *
+     * @access public
+     * @static
+     * @param string $exemptedIps
+     */
+    public static function setExemptedIp($exemptedIp)
+    {
+        self::$_exemptedIp = $exemptedIp;
+    }
 
     /**
      * set configuration options of the traffic limiter
@@ -71,11 +83,10 @@ class TrafficLimiter extends AbstractPersistence
      */
     public static function setConfiguration(Configuration $conf)
     {
-        self::setCreators($conf->getKey('creators', 'traffic'));
-        self::setExempted($conf->getKey('exempted', 'traffic'));
         self::setLimit($conf->getKey('limit', 'traffic'));
+        self::setExemptedIp($conf->getKey('exemptedIp', 'traffic'));
 
-        if (($option = $conf->getKey('header', 'traffic')) !== '') {
+        if (($option = $conf->getKey('header', 'traffic')) !== null) {
             $httpHeader = 'HTTP_' . $option;
             if (array_key_exists($httpHeader, $_SERVER) && !empty($_SERVER[$httpHeader])) {
                 self::$_ipKey = $httpHeader;
@@ -83,42 +94,6 @@ class TrafficLimiter extends AbstractPersistence
         }
     }
 
-    /**
-     * set a list of creator IP(-ranges) as string
-     *
-     * @access public
-     * @static
-     * @param string $creators
-     */
-    public static function setCreators($creators)
-    {
-        self::$_creators = $creators;
-    }
-
-    /**
-     * set a list of exempted IP(-ranges) as string
-     *
-     * @access public
-     * @static
-     * @param string $exempted
-     */
-    public static function setExempted($exempted)
-    {
-        self::$_exempted = $exempted;
-    }
-
-    /**
-     * set the time limit in seconds
-     *
-     * @access public
-     * @static
-     * @param  int $limit
-     */
-    public static function setLimit($limit)
-    {
-        self::$_limit = $limit;
-    }
-
     /**
      * get a HMAC of the current visitors IP address
      *
@@ -133,7 +108,7 @@ class TrafficLimiter extends AbstractPersistence
     }
 
     /**
-     * validate $_ipKey against configured ipranges. If matched we will ignore the ip
+     * Validate $_ipKey against configured ipranges. If matched we will ignore the ip
      *
      * @access private
      * @static
@@ -145,11 +120,8 @@ class TrafficLimiter extends AbstractPersistence
         if (is_string($ipRange)) {
             $ipRange = trim($ipRange);
         }
-        $address = Factory::parseAddressString($_SERVER[self::$_ipKey]);
+        $address = Factory::addressFromString($_SERVER[self::$_ipKey]);
-        $range   = Factory::parseRangeString(
+        $range   = Factory::rangeFromString($ipRange);
-            $ipRange,
-            ParseStringFlag::IPV4_MAYBE_NON_DECIMAL | ParseStringFlag::IPV4SUBNET_MAYBE_COMPACT | ParseStringFlag::IPV4ADDRESS_MAYBE_NON_QUAD_DOTTED
-        );
 
         // address could not be parsed, we might not be in IP space and try a string comparison instead
         if (is_null($address)) {
@@ -164,35 +136,24 @@ class TrafficLimiter extends AbstractPersistence
     }
 
     /**
-     * make sure the IP address is allowed to perfom a request
+     * traffic limiter
+     *
+     * Make sure the IP address makes at most 1 request every 10 seconds.
      *
      * @access public
      * @static
-     * @throws Exception
+     * @return bool
-     * @return true
      */
     public static function canPass()
     {
-        // if creators are defined, the traffic limiter will only allow creation
-        // for these, with no limits, and skip any other rules
-        if (!empty(self::$_creators)) {
-            $creatorIps = explode(',', self::$_creators);
-            foreach ($creatorIps as $ipRange) {
-                if (self::matchIp($ipRange) === true) {
-                    return true;
-                }
-            }
-            throw new Exception(I18n::_('Your IP is not authorized to create pastes.'));
-        }
-
         // disable limits if set to less then 1
         if (self::$_limit < 1) {
             return true;
         }
 
-        // check if $_ipKey is exempted from ratelimiting
+        // Check if $_ipKey is exempted from ratelimiting
-        if (!empty(self::$_exempted)) {
+        if (!is_null(self::$_exemptedIp)) {
-            $exIp_array = explode(',', self::$_exempted);
+            $exIp_array = explode(',', self::$_exemptedIp);
             foreach ($exIp_array as $ipRange) {
                 if (self::matchIp($ipRange) === true) {
                     return true;
@@ -200,7 +161,7 @@ class TrafficLimiter extends AbstractPersistence
             }
         }
 
-        // used as array key, which are limited in length, hence using algo with shorter range
+        // this hash is used as an array key, hence a shorter algo is used
         $hash = self::getHash('sha256');
         $now  = time();
         $tl   = (int) self::$_store->getValue('traffic_limiter', $hash);
@@ -214,12 +175,6 @@ class TrafficLimiter extends AbstractPersistence
         if (!self::$_store->setValue((string) $tl, 'traffic_limiter', $hash)) {
             error_log('failed to store the traffic limiter, it probably contains outdated information');
         }
-        if ($result) {
+        return $result;
-            return true;
-        }
-        throw new Exception(I18n::_(
-            'Please wait %d seconds between each post.',
-            self::$_limit
-        ));
     }
 }

lib/Request.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.4.0
+ * @version   1.3.5
  */
 
 namespace PrivateBin;

lib/View.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.4.0
+ * @version   1.3.5
  */
 
 namespace PrivateBin;

lib/Vizhash16x16.php

@@ -8,7 +8,7 @@
  * @link      http://sebsauvage.net/wiki/doku.php?id=php:vizhash_gd
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   0.0.5 beta PrivateBin 1.4.0
+ * @version   0.0.5 beta PrivateBin 1.3.5
  */
 
 namespace PrivateBin;

tpl/bootstrap.php

@@ -7,7 +7,6 @@ $isPage = substr($template, -5) === '-page';
 <html lang="<?php echo I18n::_('en'); ?>">
 	<head>
 		<meta charset="utf-8" />
-		<meta http-equiv="Content-Security-Policy" content="<?php echo I18n::encode($CSPHEADER); ?>">
 		<meta http-equiv="X-UA-Compatible" content="IE=edge">
 		<meta name="viewport" content="width=device-width, initial-scale=1">
 		<meta name="robots" content="noindex" />
@@ -55,10 +54,10 @@ if ($ZEROBINCOMPATIBILITY) :
 <?php
 endif;
 ?>
-		<script type="text/javascript" data-cfasync="false" src="js/zlib-1.2.12.js" integrity="sha512-Ewve1dyEW/Vf97OY91/aWqMx9NaaUK5d8Z6JB1RR5gFXtMhse/Ya7D/5CE/UrQTwOWqmkvn97JjP4YDUrmq/yA==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/zlib-1.2.11.js" integrity="sha512-Yey/0yoaVmSbqMEyyff3DIu8kCPwpHvHf7tY1AuZ1lrX9NPCMg87PwzngMi+VNbe4ilCApmePeuKT869RTcyCQ==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/base-x-4.0.0.js" integrity="sha512-nNPg5IGCwwrveZ8cA/yMGr5HiRS5Ps2H+s0J/mKTPjCPWUgFGGw7M5nqdnPD3VsRwCVysUh3Y8OWjeSKGkEQJQ==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/rawinflate-0.3.js" integrity="sha512-g8uelGgJW9A/Z1tB6Izxab++oj5kdD7B4qC7DHwZkB6DGMXKyzx7v5mvap2HXueI2IIn08YlRYM56jwWdm2ucQ==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/bootstrap-3.4.1.js" integrity="sha512-oBTprMeNEKCnqfuqKd6sbvFzmFQtlXS3e0C/RGFV0hD6QzhHV+ODfaQbAlmY6/q0ubbwlAM/nCJjkrgA3waLzg==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/bootstrap-3.3.7.js" integrity="sha512-iztkobsvnjKfAtTNdHkGVjAYTrrtlC7mGp/54c40wowO7LhURYl3gVzzcEqGl/qKXQltJ2HwMrdLcNUdo+N/RQ==" crossorigin="anonymous"></script>
 <?php
 if ($SYNTAXHIGHLIGHTING) :
 ?>
@@ -67,13 +66,13 @@ if ($SYNTAXHIGHLIGHTING) :
 endif;
 if ($MARKDOWN) :
 ?>
-		<script type="text/javascript" data-cfasync="false" src="js/showdown-2.0.3.js" integrity="sha512-vcfjvW3UKHD/4vlQx804cqWK88jFmjsWRsZ8/u5YEcyHB1IituxrXDU7TvdqsFVsMnxpE/UIEo25/SYW+puWHw==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/showdown-2.0.0.js" integrity="sha512-UB9jpMTOJLSnVzePuqlSGT34G70wEGqtIWabMeAh+Drnj4/uQ8rFkFn1zkN9vkWp/7nA51U2LmP23H5MJvBXsw==" crossorigin="anonymous"></script>
 <?php
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-2.3.6.js" integrity="sha512-N1GGPjbqLbwK821ZN7C925WuTwU4aDxz2CEEOXQ6/s6m6MBwVj8fh5fugiE2hzsm0xud3q7jpjZQ4ILnpMREYQ==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-/F0+9bIbFUC8mKQzrcAjIs2Jg92w1DMcczT2Y/KqHVkFEXH1ZSrqtUX7QjLH6RgVR0YhTxhmWkZ2c8scGCwpkQ==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-PTOcxIWIPWCnb5vC4fmQDMqYGerwsu3AndVyPxn9NlQffIWYMPf/p28Z9SIygXsmcYjmTRmUiW5y7df63mNTfg==" crossorigin="anonymous"></script>
 		<!-- icon -->
 		<link rel="apple-touch-icon" href="<?php echo I18n::encode($BASEPATH); ?>img/apple-touch-icon.png" sizes="180x180" />
 		<link rel="icon" type="image/png" href="img/favicon-32x32.png" sizes="32x32" />

tpl/page.php

@@ -4,7 +4,6 @@ use PrivateBin\I18n;
 <html lang="<?php echo I18n::_('en'); ?>">
 	<head>
 		<meta charset="utf-8" />
-		<meta http-equiv="Content-Security-Policy" content="<?php echo I18n::encode($CSPHEADER); ?>">
 		<meta name="robots" content="noindex" />
 		<meta name="google" content="notranslate">
 		<title><?php echo I18n::_($NAME); ?></title>
@@ -34,7 +33,7 @@ if ($ZEROBINCOMPATIBILITY):
 <?php
 endif;
 ?>
-		<script type="text/javascript" data-cfasync="false" src="js/zlib-1.2.12.js" integrity="sha512-Ewve1dyEW/Vf97OY91/aWqMx9NaaUK5d8Z6JB1RR5gFXtMhse/Ya7D/5CE/UrQTwOWqmkvn97JjP4YDUrmq/yA==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/zlib-1.2.11.js" integrity="sha512-Yey/0yoaVmSbqMEyyff3DIu8kCPwpHvHf7tY1AuZ1lrX9NPCMg87PwzngMi+VNbe4ilCApmePeuKT869RTcyCQ==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/base-x-4.0.0.js" integrity="sha512-nNPg5IGCwwrveZ8cA/yMGr5HiRS5Ps2H+s0J/mKTPjCPWUgFGGw7M5nqdnPD3VsRwCVysUh3Y8OWjeSKGkEQJQ==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/rawinflate-0.3.js" integrity="sha512-g8uelGgJW9A/Z1tB6Izxab++oj5kdD7B4qC7DHwZkB6DGMXKyzx7v5mvap2HXueI2IIn08YlRYM56jwWdm2ucQ==" crossorigin="anonymous"></script>
 <?php
@@ -45,13 +44,13 @@ if ($SYNTAXHIGHLIGHTING):
 endif;
 if ($MARKDOWN):
 ?>
-		<script type="text/javascript" data-cfasync="false" src="js/showdown-2.0.3.js" integrity="sha512-vcfjvW3UKHD/4vlQx804cqWK88jFmjsWRsZ8/u5YEcyHB1IituxrXDU7TvdqsFVsMnxpE/UIEo25/SYW+puWHw==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/showdown-2.0.0.js" integrity="sha512-UB9jpMTOJLSnVzePuqlSGT34G70wEGqtIWabMeAh+Drnj4/uQ8rFkFn1zkN9vkWp/7nA51U2LmP23H5MJvBXsw==" crossorigin="anonymous"></script>
 <?php
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-2.3.6.js" integrity="sha512-N1GGPjbqLbwK821ZN7C925WuTwU4aDxz2CEEOXQ6/s6m6MBwVj8fh5fugiE2hzsm0xud3q7jpjZQ4ILnpMREYQ==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-/F0+9bIbFUC8mKQzrcAjIs2Jg92w1DMcczT2Y/KqHVkFEXH1ZSrqtUX7QjLH6RgVR0YhTxhmWkZ2c8scGCwpkQ==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-PTOcxIWIPWCnb5vC4fmQDMqYGerwsu3AndVyPxn9NlQffIWYMPf/p28Z9SIygXsmcYjmTRmUiW5y7df63mNTfg==" crossorigin="anonymous"></script>
 		<!-- icon -->
 		<link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
 		<link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" />

tst/Persistence/TrafficLimiterTest.php

@@ -38,74 +38,27 @@ class TrafficLimiterTest extends PHPUnit_Framework_TestCase
         $_SERVER['REMOTE_ADDR'] = '127.0.0.1';
         $this->assertTrue(TrafficLimiter::canPass(), 'first request may pass');
         sleep(1);
-        try {
+        $this->assertFalse(TrafficLimiter::canPass(), 'second request is to fast, may not pass');
-            $this->assertFalse(TrafficLimiter::canPass(), 'expected an exception');
-        } catch (Exception $e) {
-            $this->assertEquals($e->getMessage(), 'Please wait 4 seconds between each post.', 'second request is to fast, may not pass');
-        }
         sleep(4);
         $this->assertTrue(TrafficLimiter::canPass(), 'third request waited long enough and may pass');
         $_SERVER['REMOTE_ADDR'] = '2001:1620:2057:dead:beef::cafe:babe';
         $this->assertTrue(TrafficLimiter::canPass(), 'fourth request has different ip and may pass');
         $_SERVER['REMOTE_ADDR'] = '127.0.0.1';
-        try {
+        $this->assertFalse(TrafficLimiter::canPass(), 'fifth request is to fast, may not pass');
-            $this->assertFalse(TrafficLimiter::canPass(), 'expected an exception');
-        } catch (Exception $e) {
-            $this->assertEquals($e->getMessage(), 'Please wait 4 seconds between each post.', 'fifth request is to fast, may not pass');
-        }
-    }
 
-    public function testTrafficLimitExempted()
+        // exempted IPs configuration
-    {
+        TrafficLimiter::setExemptedIp('1.2.3.4,10.10.10.0/24,2001:1620:2057::/48');
-        TrafficLimiter::setExempted('1.2.3.4,10.10.10/24,2001:1620:2057::/48');
+        $this->assertFalse(TrafficLimiter::canPass(), 'still too fast and not exempted');
-        $_SERVER['REMOTE_ADDR'] = '127.0.0.1';
-        $this->assertTrue(TrafficLimiter::canPass(), 'first request may pass');
-        try {
-            $this->assertFalse(TrafficLimiter::canPass(), 'expected an exception');
-        } catch (Exception $e) {
-            $this->assertEquals($e->getMessage(), 'Please wait 4 seconds between each post.', 'not exempted');
-        }
         $_SERVER['REMOTE_ADDR'] = '10.10.10.10';
         $this->assertTrue(TrafficLimiter::canPass(), 'IPv4 in exempted range');
         $this->assertTrue(TrafficLimiter::canPass(), 'request is to fast, but IPv4 in exempted range');
         $_SERVER['REMOTE_ADDR'] = '2001:1620:2057:dead:beef::cafe:babe';
         $this->assertTrue(TrafficLimiter::canPass(), 'IPv6 in exempted range');
         $this->assertTrue(TrafficLimiter::canPass(), 'request is to fast, but IPv6 in exempted range');
-        TrafficLimiter::setExempted('127.*,foobar');
+        TrafficLimiter::setExemptedIp('127.*,foobar');
-        $this->assertTrue(TrafficLimiter::canPass(), 'first cached request may pass');
+        $this->assertFalse(TrafficLimiter::canPass(), 'request is to fast, invalid range');
-        try {
-            $this->assertFalse(TrafficLimiter::canPass(), 'expected an exception');
-        } catch (Exception $e) {
-            $this->assertEquals($e->getMessage(), 'Please wait 4 seconds between each post.', 'request is too fast, invalid range');
-        }
         $_SERVER['REMOTE_ADDR'] = 'foobar';
         $this->assertTrue(TrafficLimiter::canPass(), 'non-IP address');
-        $this->assertTrue(TrafficLimiter::canPass(), 'request is too fast, but non-IP address matches exempted range');
+        $this->assertTrue(TrafficLimiter::canPass(), 'request is to fast, but non-IP address matches exempted range');
-    }
-
-    public function testTrafficLimitCreators()
-    {
-        TrafficLimiter::setCreators('1.2.3.4,10.10.10/24,2001:1620:2057::/48');
-        $_SERVER['REMOTE_ADDR'] = '127.0.0.1';
-        try {
-            $this->assertFalse(TrafficLimiter::canPass(), 'expected an exception');
-        } catch (Exception $e) {
-            $this->assertEquals($e->getMessage(), 'Your IP is not authorized to create pastes.', 'not a creator');
-        }
-        $_SERVER['REMOTE_ADDR'] = '10.10.10.10';
-        $this->assertTrue(TrafficLimiter::canPass(), 'IPv4 in creator range');
-        $this->assertTrue(TrafficLimiter::canPass(), 'request is too fast, but IPv4 in creator range');
-        $_SERVER['REMOTE_ADDR'] = '2001:1620:2057:dead:beef::cafe:babe';
-        $this->assertTrue(TrafficLimiter::canPass(), 'IPv6 in creator range');
-        $this->assertTrue(TrafficLimiter::canPass(), 'request is too fast, but IPv6 in creator range');
-        TrafficLimiter::setCreators('127.*,foobar');
-        try {
-            $this->assertFalse(TrafficLimiter::canPass(), 'expected an exception');
-        } catch (Exception $e) {
-            $this->assertEquals($e->getMessage(), 'Your IP is not authorized to create pastes.', 'request is to fast, not a creator');
-        }
-        $_SERVER['REMOTE_ADDR'] = 'foobar';
-        $this->assertTrue(TrafficLimiter::canPass(), 'non-IP address');
-        $this->assertTrue(TrafficLimiter::canPass(), 'request is to fast, but non-IP address matches creator');
     }
 }

tst/ViewTest.php

@@ -60,7 +60,6 @@ class ViewTest extends PHPUnit_Framework_TestCase
         $page->assign('HTTPWARNING', true);
         $page->assign('HTTPSLINK', 'https://example.com/');
         $page->assign('COMPRESSION', 'zlib');
-        $page->assign('CSPHEADER', 'default-src \'none\'');
 
         $dir = dir(PATH . 'tpl');
         while (false !== ($file = $dir->read())) {