From daf5522b1ec164abde735f15cb8874f1027a9466 Mon Sep 17 00:00:00 2001
From: Sebastien SAUVAGE <sebsauvage@sebsauvage.net>
Date: Mon, 20 Jan 2014 21:06:31 +0100
Subject: [PATCH] Potentiel security bug corrected

Bug reproduction: 1) paste texte containing html/javascript. 2) send 3)
clic "Raw text"  4) refresh: The html/javascript is interpreted instead
of just displayed.
Under some versions of Chrome, it happens without refreshing.
This bug was corrected.

(cherry picked from commit 4f8750bbddcb137213529875e45e3ace3be9a769)
---
 js/zerobin.js | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/js/zerobin.js b/js/zerobin.js
index 4d5f64a..57bc6fb 100644
--- a/js/zerobin.js
+++ b/js/zerobin.js
@@ -439,10 +439,9 @@ function stateExistingPaste() {
   */
 function rawText()
 {
-    history.pushState(document.title, document.title, 'document.txt');
-    var paste = $('div#cleartext').text();
-    var newDoc = document.open('text/plain', 'replace');
-    newDoc.write(paste);
+    var paste = $('div#cleartext').html();
+    var newDoc = document.open('text/html', 'replace');
+    newDoc.write('<pre>'+paste+'</pre>');
     newDoc.close();
 }