From 7bf0ba4ddde4e0d21c4d9af0fad44e3abd49362c Mon Sep 17 00:00:00 2001 From: ksamuel Date: Wed, 12 Aug 2020 14:02:13 +0200 Subject: [PATCH 1/2] Remove image copy to clipboard --- zerobin/static/js/behavior.js | 34 +++------- zerobin/views/base.tpl | 1 - zerobin/views/faq.tpl | 124 ++++++++++++++++++---------------- zerobin/views/paste.tpl | 6 +- 4 files changed, 78 insertions(+), 87 deletions(-) diff --git a/zerobin/static/js/behavior.js b/zerobin/static/js/behavior.js index 1aa8b97..554eb6d 100644 --- a/zerobin/static/js/behavior.js +++ b/zerobin/static/js/behavior.js @@ -37,7 +37,8 @@ const app = new Vue({ isUploading: false, currentPaste: { ownerKey: '', - id: '' + id: '', + type: '', }, newPaste: { expiration: '1_day', @@ -48,11 +49,7 @@ const app = new Vue({ and add a class to the html tag with the result */ support: { - clipboard: (function () { - var val = !!(navigator.clipboard); - document.querySelector('html').classList.add((val ? '' : 'no-') + 'clipboard'); - return val; - })(), + clipboard: !!(isSecureContext && navigator.clipboard && navigator.clipboard.writeText), localStorage: (function () { var val = !!(localStorage); @@ -157,23 +154,7 @@ const app = new Vue({ copyToClipboard: () => { var pasteContent = zerobin.getPasteContent(); - let promise; - - if (pasteContent.indexOf("data:image") === 0) { - - promise = fetch(pasteContent).then((res) => { - return res.blob().then(blob => { - return navigator.clipboard.write([ - new ClipboardItem({ - [blob.type]: blob - }) - ]) - }) - }) - - } else { - promise = navigator.clipboard.writeText(pasteContent); - } + let promise = navigator.clipboard.writeText(pasteContent); promise.then(function () { zerobin.message('info', 'The paste is now in your clipboard', '', true); @@ -764,6 +745,7 @@ if (content && key) { if (content.indexOf('data:image') == 0) { // Display Image + app.currentPaste.type = "image"; let pasteContent = document.querySelector('#paste-content'); pasteContent.style.display = "none"; 
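Review bot: The new `support.clipboard` probe reads `isSecureContext` as a bare identifier, so on a browser that does not define that global the expression throws a ReferenceError while the Vue `data` object is being built, instead of evaluating to false. Reading it off `window` keeps the probe total: `clipboard: !!(window.isSecureContext && navigator.clipboard && navigator.clipboard.writeText),`. The removed IIFE also added a `clipboard` / `no-clipboard` class to the `<html>` element, and the new expression no longer does. If any stylesheet rule or template still keys on `.no-clipboard` (not visible in this patch), the copy button will stay visible where the API is unavailable, so that rule should be removed or replaced by a binding on `support.clipboard`.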
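Review bot: With the image branch removed in the `@@ -157,23 +154,7 @@` hunk, `copyToClipboard` passes whatever `zerobin.getPasteContent()` returns to `navigator.clipboard.writeText`, so for an image paste the user would get the raw `data:image…` URL as text. That is only safe if the button is hidden for images, which depends on template markup that is not legible in this patch. A guard in the handler makes it independent of the template, for example `if (app.currentPaste.type === 'image') { return; }` before the `writeText` call. `promise` is never reassigned and can be `const`. The rejection handler lies outside the hunk, so it is worth confirming that a denied permission or an unfocused document surfaces an error message rather than failing silently.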
@@ -781,6 +763,8 @@ if (content && key) { url: content } + } else { + app.currentPaste.type = "text" } bar.set('Code coloration...', '95%'); @@ -820,9 +804,9 @@ if (content && key) { } /* End of "DECRYPTION" */ -/* Display bottom paste option buttons when needed */ - window.onload = function () { + + /* Display bottom paste option buttons when needed */ ["keyup", "change"].forEach((event) => { let content = document.getElementById("content"); content.addEventListener(event, () => { diff --git a/zerobin/views/base.tpl b/zerobin/views/base.tpl index 3601179..15d2242 100644 --- a/zerobin/views/base.tpl +++ b/zerobin/views/base.tpl @@ -91,7 +91,6 @@ %else: - %end

diff --git a/zerobin/views/faq.tpl b/zerobin/views/faq.tpl index 7a00a4b..fb004ee 100644 --- a/zerobin/views/faq.tpl +++ b/zerobin/views/faq.tpl @@ -1,68 +1,74 @@

-

FAQ

+

FAQ

- - How does 0bin work? - +
-

A random key is generated and used to encrypt the paste, thanks to - the sjcl - JavaScript library.

-

The encrypted content is then sent to the server, which returns the - address of the newly created paste.

-

The JavaScript code redirects to this address, but it adds the - encryption key in the URL hash (#).

-

When somebody wants to read the paste, they will usually click on a link - with this URL. If the hash containing the key is a part of it, 0bin's - JavaScript will use it to decrypt the content sent by the server.

-

The browser never sends the hash to the server, so the latter does not - receives the key at any time.

-
+ How does 0bin work? + - But JavaScript encryption is not secure! - But JavaScript encryption is not secure! + - What if the server changes the JavaScript code? And what happens in the case of a MITM attack? - - How did the idea of 0bin emerge? - - How can I get 0bin? - -
+

A random key is generated and used to encrypt the paste, thanks to + the sjcl + JavaScript library.

+

The encrypted content is then sent to the server, which returns the + address of the newly created paste.

+

The JavaScript code redirects to this address, but it adds the + encryption key in the URL hash (#).

+

When somebody wants to read the paste, they will usually click on a link + with this URL. If the hash containing the key is a part of it, 0bin's + JavaScript will use it to decrypt the content sent by the server.

+

The browser never sends the hash to the server, so the latter does not + receives the key at any time.

+
-

No, it isn't.

-

The goal of 0bin is not to protect the user and their data - (including, obviously, their secrets).

-

Instead, it aims to protect the host from being sued for the - content users pasted on the pastebin. The idea is that you cannot - require somebody to moderate something they cannot read - as such, - the host is granted plausible deniability.

+
+

No, it isn't.

+

The goal of 0bin is not to protect the user and their data + (including, obviously, their secrets).

+

Instead, it aims to protect the host from being sued for the + content users pasted on the pastebin. The idea is that you cannot + require somebody to moderate something they cannot read - as such, + the host is granted plausible deniability.

-

Remember that as an user, you should use 0bin in the same way as unencrypted and - insecure pastebins - that is, with caution. The only difference with those is that if - you decide to host a 0bin server, the encryption feature hopefully be used as a defense. - This is not proven, though! :-) +

Remember that as an user, you should use 0bin in the same way as unencrypted and + insecure pastebins - that is, with caution. The only difference with those is that if + you decide to host a 0bin server, the encryption feature hopefully be used as a defense. + This is not proven, though! :-) -

-

Read above.

-

0bin is not built, and does not aim, to protect user data - but rather the host. - If any user data is compromised, 0bin still provides the host with - plausible deniability (as they ignore the content of the pastes).

-

It would make no sense if the host was to compromise the encryption process - to read the data; in that case, they wouldn't have - installed 0bin in the first place, as 0bin is here to protect them.

-

However, if you want to ensure your data is not read in anyway, you should - not use 0bin. Use OTR for chatting, - GnuPG for encrypted & verified data sharing, with EnigMail - for emails.

-

It would be unlikely for those softwares to fail you. Errors will nearly always come from your side - you ought to have a perfect operations security - if you do not want your data to be leaked. Remember to use your common sense.

-
-

0bin is based on sebsauvage's work. - The project sprang as a reaction to the implementation of a moderation system on Pastebin, - due to the significant amount of illegal content pasted on it, or that it linked to.

-
-

0bin is an open-source project, and the code is hosted on GitHub. - You can either download a tarball or clone the repository.

-
+ + What if the server changes the JavaScript code? And what happens in the case of a MITM attack? + +

Read above.

+

0bin is not built, and does not aim, to protect user data - but rather the host. + If any user data is compromised, 0bin still provides the host with + plausible deniability (as they ignore the content of the pastes).

+

It would make no sense if the host was to compromise the encryption process + to read the data; in that case, they wouldn't have + installed 0bin in the first place, as 0bin is here to protect them.

+

However, if you want to ensure your data is not read in anyway, you should + not use 0bin. Use OTR for chatting, + GnuPG for encrypted & verified data sharing, with EnigMail + for emails.

+

It would be unlikely for those softwares to fail you. Errors will nearly always come from your side - you + ought to have a perfect operations security + if you do not want your data to be leaked. Remember to use your common sense.

+ + How did the idea of 0bin emerge? + +

0bin is based on sebsauvage's work. + The project sprang as a reaction to the + implementation of a moderation system on Pastebin, + due to the significant amount of illegal content pasted on it, or that it linked to.

+ + How can I get 0bin? + +

0bin is an open-source project, and the code is hosted on GitHub. + You can either download a tarball or clone the repository.

+ +
diff --git a/zerobin/views/paste.tpl b/zerobin/views/paste.tpl index 68376c3..7b902ba 100644 --- a/zerobin/views/paste.tpl +++ b/zerobin/views/paste.tpl @@ -19,14 +19,16 @@ %end %end +

{% currentPaste.type %}

+
- +
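Review bot: The added `{% currentPaste.type %}` interpolation looks like leftover debug output: as far as the stripped markup shows, it would render the literal word `image` or `text` into the page (or nothing while `type` is still `''`). Vue escapes interpolated text and the value is only ever assigned fixed literals in `behavior.js`, so this is a presentation issue rather than an injection risk. If the intent is to switch the copy button on the paste type, I would express that as a condition on the element, e.g. `v-if="support.clipboard && currentPaste.type === 'text'"`, and drop the visible interpolation.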
From 6a0370b1f5864f32629ae3f57b0c43d1b23a462f Mon Sep 17 00:00:00 2001 From: ksamuel Date: Wed, 12 Aug 2020 14:14:13 +0200 Subject: [PATCH 2/2] Autofit textarea --- zerobin/static/js/behavior.js | 12 ++++++++++++ zerobin/views/home.tpl | 2 +- zerobin/views/paste.tpl | 2 +- 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/zerobin/static/js/behavior.js b/zerobin/static/js/behavior.js index 554eb6d..6213869 100644 --- a/zerobin/static/js/behavior.js +++ b/zerobin/static/js/behavior.js @@ -844,3 +844,15 @@ if (app.support.history && zerobin.paste_not_found) { } }) } + +/* Autofit text area height */ +const tx = document.getElementsByTagName('textarea'); +for (let i = 0; i < tx.length; i++) { + tx[i].setAttribute('style', 'height:' + (tx[i].scrollHeight) + 'px;overflow-y:hidden;'); + tx[i].addEventListener("input", OnInput, false); +} + +function OnInput() { + this.style.height = 'auto'; + this.style.height = (this.scrollHeight) + 'px'; +} diff --git a/zerobin/views/home.tpl b/zerobin/views/home.tpl index b7def8d..2661949 100644 --- a/zerobin/views/home.tpl +++ b/zerobin/views/home.tpl @@ -32,7 +32,7 @@
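Review bot: In the autofit loop, `tx[i].setAttribute('style', …)` replaces the element's whole inline style and is treated as an inline style by Content-Security-Policy. If the site is served with a policy that omits `'unsafe-inline'` for styles, the initial sizing is blocked, while the `this.style.height` assignments in `OnInput` are not. Setting the properties through the style object avoids both problems: `tx[i].style.height = tx[i].scrollHeight + 'px'; tx[i].style.overflowY = 'hidden';`. The loop also runs once at script evaluation, so a textarea that is hidden or not yet rendered at that point will probably report a `scrollHeight` of 0, and one added later gets no listener; running it from the existing `window.onload` handler, or binding it in the Vue component, would be more reliable. As a style point, `OnInput` would read better as `onInput`, or as a more descriptive name such as `autofitTextarea`.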
+ @keydown.ctrl.enter="encryptAndSendPaste()">
diff --git a/zerobin/views/paste.tpl b/zerobin/views/paste.tpl index 7b902ba..3ab37d9 100644 --- a/zerobin/views/paste.tpl +++ b/zerobin/views/paste.tpl @@ -121,7 +121,7 @@
-